Security Considerations

Security guidelines for WAVIC platform deployment

Infrastructure Security

Azure Container Apps

bash

# Use managed identity instead of connection strings
az containerapp identity assign \
  --name ctrl-audio-backend \
  --resource-group Sonnance-WebApp \
  --system-assigned

Key Vault Integration

Store sensitive secrets in Azure Key Vault:

Secret	Location	Purpose
`JWT_SECRET`	Key Vault	Token signing
`MONGODB_URI`	Key Vault	Database connection
`STRIPE_API_KEY`	Key Vault	Payment processing
`AZURE_STORAGE_KEY`	Managed Identity	Blob storage

GitHub Actions Security

Secrets Management

Never commit secrets to the repository. Use GitHub Secrets:

yaml

# .github/workflows/deploy.yml
env:
  MONGODB_URI: ${{ secrets.MONGODB_URI }}
  JWT_SECRET: ${{ secrets.JWT_SECRET }}

Best Practices

✅ Use short-lived AZURE_CREDENTIALS (rotate annually)
✅ Separate secrets for dev/prod environments
✅ Use environment protection rules for production
✅ Enable require approval for production deployments

Container Security

Dockerfile Best Practices

dockerfile

# Use specific version, not 'latest'
FROM node:20-alpine

# Run as non-root user
USER node

# Don't expose unnecessary ports
EXPOSE 8080

Security Scanning

bash

# Scan images for vulnerabilities
docker scout cves ctrl-audio-backend:latest

API Security Headers

Add security headers via NestJS middleware:

typescript

import helmet from 'helmet';

app.use(helmet());
app.use(helmet.contentSecurityPolicy({
  directives: {
    defaultSrc: ["'self'"],
    imgSrc: ["'self'", "https://*.blob.core.windows.net", "https://*.azureedge.net"],
  },
}));

SSL/TLS Configuration

Azure Container Apps

✅ HTTPS automatically enforced
✅ TLS 1.2+ only
✅ Managed certificates available

Custom Domain SSL

bash

az containerapp hostname add \
  --name ctrl-audio-backend \
  --resource-group Sonnance-WebApp \
  --hostname api.wavic.io

az containerapp ssl upload \
  --name ctrl-audio-backend \
  --resource-group Sonnance-WebApp \
  --hostname api.wavic.io \
  --certificate-file cert.pfx

Network Security

Private Networking

For production:

bash

# Create virtual network
az network vnet create \
  --name wavic-vnet \
  --resource-group Sonnance-WebApp

# Add private endpoint for MongoDB
az network private-endpoint create \
  --name mongodb-pe \
  --vnet-name wavic-vnet \
  --subnet default

IP Restrictions

bash

# Restrict backend access to frontend only
az containerapp ingress access-restriction set \
  --name ctrl-audio-backend \
  --resource-group Sonnance-WebApp \
  --rule-name allow-frontend \
  --ip-address <frontend-ip>

Security Checklist

Pre-Deployment

[ ] All secrets stored in GitHub Secrets / Key Vault
[ ] .env files not committed
[ ] Dependencies audited (npm audit)
[ ] Docker images scanned

Production

[ ] HTTPS enforced
[ ] Security headers configured
[ ] Rate limiting enabled
[ ] Logging configured
[ ] Monitoring alerts set up

Compliance

[ ] GDPR privacy policy
[ ] Data retention policy
[ ] User data export endpoint
[ ] Account deletion endpoint

Last Updated: February 2026

Security Considerations ​

Infrastructure Security ​

Azure Container Apps ​

Key Vault Integration ​

GitHub Actions Security ​

Secrets Management ​

Best Practices ​

Container Security ​

Dockerfile Best Practices ​

Security Scanning ​

API Security Headers ​

SSL/TLS Configuration ​

Azure Container Apps ​

Custom Domain SSL ​

Network Security ​

Private Networking ​

IP Restrictions ​

Security Checklist ​

Pre-Deployment ​

Production ​

Compliance ​

Security Considerations

Infrastructure Security

Azure Container Apps

Key Vault Integration

GitHub Actions Security

Secrets Management

Best Practices

Container Security

Dockerfile Best Practices

Security Scanning

API Security Headers

SSL/TLS Configuration

Azure Container Apps

Custom Domain SSL

Network Security

Private Networking

IP Restrictions

Security Checklist

Pre-Deployment

Production

Compliance