#Security Hardening Guide

Version: 0.33.0 Updated: 2026-03-15 Applies to: ranvier-core, ranvier-http, ranvier-compliance, ranvier-inspector Category: Guides

#1. Overview

This guide covers security hardening for production Ranvier deployments, organized around the OWASP Top 10 (2021) and Ranvier-specific security patterns.

#2. OWASP Top 10 Compliance

#A01: Broken Access Control

Ranvier pattern: Bus Capability enforcement prevents unauthorized resource access.

use ranvier_core::prelude::*;

// Bus capabilities restrict which resources a Transition can access.
// Only explicitly declared capabilities are available at runtime.
fn configure_bus(bus: &mut Bus) {
    bus.with_capability::<DatabasePool>();
    // UserSecrets is NOT added — Transitions cannot access it
}

Checklist:

✅ Use Bus Capabilities to restrict resource access per circuit
✅ Use ranvier-auth JWT validation for authenticated endpoints
✅ Use ranvier-guard CORS to restrict cross-origin access
✅ Apply route-level authorization via middleware layers

#A02: Cryptographic Failures

Checklist:

✅ Enforce TLS 1.3+ in production (configure via reverse proxy or rustls)
✅ Never log sensitive data — use ranvier-observe redaction policies
✅ Store secrets in environment variables, not in code
✅ Use strong JWT signing algorithms (RS256 or ES256, avoid HS256 in shared environments)

#A03: Injection

Checklist:

✅ Use parameterized queries with ranvier-db (prepared statements by default)
✅ Never construct SQL from user input
✅ Validate and sanitize file paths to prevent directory traversal
✅ Use typed extractors (Json<T>, Query<T>) — they reject malformed input

#A04: Insecure Design

Ranvier advantage: The Schematic + Transition pattern enforces explicit decision flows, making it harder to introduce insecure-by-design patterns.

Checklist:

✅ Use Schematic validation to verify business logic integrity
✅ Document threat model for each Axon circuit
✅ Review Transition Outcomes for unhandled error paths

#A05: Security Misconfiguration

Apply SecurityHeadersPolicy::strict() for maximum security headers:

use ranvier_guard::prelude::*;

let security = SecurityHeadersLayer::new(SecurityHeadersPolicy::strict());
// Includes: HSTS, CSP default-src 'self', COEP, COOP, CORP,
// Permissions-Policy, X-XSS-Protection, Referrer-Policy

Custom CSP:

use ranvier_guard::{CspBuilder, SecurityHeadersPolicy, SecurityHeadersLayer};

let csp = CspBuilder::new()
    .default_src(&["'self'"])
    .script_src(&["'self'", "https://cdn.example.com"])
    .style_src(&["'self'", "'unsafe-inline'"])
    .img_src(&["'self'", "data:", "https:"])
    .connect_src(&["'self'", "https://api.example.com"])
    .frame_ancestors(&["'none'"]);

let policy = SecurityHeadersPolicy::default().csp(csp);
let layer = SecurityHeadersLayer::new(policy);

Checklist:

✅ Use SecurityHeadersPolicy::strict() as baseline
✅ Remove verbose error messages in production
✅ Disable debug endpoints in production builds
✅ Review default configurations before deployment

#A06: Vulnerable and Outdated Components

# Run regularly:
cargo audit          # Check for known vulnerabilities
cargo update         # Update dependencies
cargo outdated       # Find outdated dependencies

Checklist:

✅ Run cargo audit in CI pipeline
✅ Enable Dependabot or Renovate for automated dependency updates
✅ Pin dependency versions in Cargo.lock

#A07: Identification and Authentication Failures

Checklist:

✅ Use ranvier-auth for JWT-based authentication
✅ Apply RateLimitLayer to login endpoints to prevent brute-force
✅ Implement account lockout after repeated failures (application-level)
✅ Use secure session storage (not in-memory for production clusters)

#A08: Software and Data Integrity Failures

Checklist:

✅ Verify crate checksums via Cargo.lock
✅ Use cargo vet for supply chain security
✅ Sign releases (GPG or Sigstore)
✅ Validate CI/CD pipeline integrity

#A09: Security Logging and Monitoring Failures

Ranvier pattern: Use ranvier-observe for structured, OTel-compatible logging.

Checklist:

✅ Log authentication failures with source IP
✅ Log authorization denials with attempted resource
✅ Use OTel exporter to send security events to SIEM
✅ Enable RateLimitLayer — logs are emitted on limit breach

#A10: Server-Side Request Forgery (SSRF)

Checklist:

✅ Validate all URLs before making outbound requests
✅ Use allowlists for permitted external domains
✅ Block requests to internal network ranges (10.x, 172.16.x, 192.168.x, 169.254.x)
✅ Never pass user-controlled URLs directly to HTTP clients

#3. DDoS Protection Configuration

use ranvier_guard::prelude::*;

// Rate limiting: 100 requests per minute per client IP
let rate_limit = RateLimitLayer::new(
    RateLimitPolicy::per_minute(100)
);

// Connection limiting: max 50 concurrent requests per IP
let conn_limit = ConnectionLimitLayer::new(50);

// Request size limiting: 8KB headers, 2KB URLs
let size_limit = RequestSizeLimitLayer::new()
    .max_header_bytes(8 * 1024)
    .max_url_bytes(2 * 1024);

#4. Production Deployment Checklist

#Required

TLS 1.3 enabled (via reverse proxy or rustls)
SecurityHeadersPolicy::strict() applied
RateLimitLayer configured on all public endpoints
ConnectionLimitLayer configured
RequestSizeLimitLayer configured
CorsGuardLayer configured (not permissive() in production)
cargo audit passes with no vulnerabilities
Environment variables used for secrets (no hardcoded credentials)
Debug/inspector endpoints disabled or protected

#Recommended

Custom CspBuilder configured for your frontend
OTel logging enabled with security event alerts
Dependency updates automated (Dependabot/Renovate)
Load balancer health checks configured
Backup and disaster recovery plan documented

#5. References

OWASP Top 10 (2021)
Ranvier Security Policy
Production Readiness Checklist
Deployment Guide
OTel Ops Playbook