Pythias Technologies

Security Baseline Policy

Minimum Security Standards for Daily Operations

Effective: May 26, 2026  ·  Next review: May 26, 2027  ·  Pythias Technologies, LLC

1. Purpose

This policy defines the minimum security controls that must be in place and actively maintained across all Pythias systems and operations. It serves as the operational floor — every system, account, and process must meet or exceed these standards.


2. Authentication Baseline

All user accounts must use a unique, strong password (minimum 12 characters, with a mix of upper- and lower-case letters, numbers, and symbols). Passwords must not be reused across systems.

All user passwords stored in Pythias systems are hashed using bcrypt with a minimum cost factor of 12. Plaintext passwords are never stored or logged.

Multi-factor authentication (MFA) is required for all administrator-level access to cloud infrastructure (MongoDB Atlas, hosting providers, domain registrars).

Default credentials on any system, device, or service must be changed immediately upon provisioning. No system may remain in production with vendor-default passwords.

Sessions expire after a period of inactivity. JWTs issued by Pythias services carry a defined expiry (the exp claim) and are invalidated on sign-out. Because a signed JWT is self-contained and stays verifiable until it expires, sign-out invalidation is enforced server-side, either through a revocation list keyed by token ID that is checked on every request or through short-lived access tokens paired with a revocable refresh token; discarding the token on the client alone does not invalidate it.


3. System Hardening Standards

All production servers must have only the services and ports required for their function enabled. All unused services must be disabled.

SSH root login is disabled on all servers. Administrative SSH access uses key-based authentication only (password authentication disabled) and is accepted only from approved IP addresses.

Application processes run under non-root system users with the minimum permissions required.

Error messages returned to end users must not expose internal stack traces, file paths, database structure, or other system internals.

All web services enforce HTTPS. HTTP connections are redirected to HTTPS. HSTS headers are set on all production domains.


4. Secrets & Configuration Management

All secrets (API keys, database credentials, OAuth tokens, signing secrets) are stored in environment variables or a secure secrets manager. They are never hardcoded in source code.

Version control repositories (.git) must never contain secrets. .gitignore rules must exclude all .env and .env.local files before the first commit. A secret that has been committed, even briefly, is treated as compromised and rotated under section 4: removing it from the working tree does not remove it from repository history or from existing clones.

Secrets are rotated at least annually and immediately upon any suspected or confirmed compromise.

Each service or integration uses its own credential set — shared credentials between unrelated services are not permitted.


5. Patch & Dependency Management

Critical CVEs affecting production dependencies must be patched within 48 hours of a viable fix being available.

High-severity CVEs must be patched within 7 days. Medium and low severity within 30 days.

Dependency audits (npm audit or equivalent) run on every deployment. CI/CD pipelines, or manual audits where no pipeline exists, must flag new high or critical vulnerabilities before code reaches production.

Operating systems and runtime environments (Node.js) on production servers must remain within their supported version ranges.
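A deployment gate that enforces the audit requirement and the patch windows above, as an added example rather than Pythias tooling. It consumes the JSON report from `npm audit --json` in the auditReportVersion 2 shape that npm 7 and later produce (that shape is an assumption here, as are the example.com advisory URLs and package names, which are constructed). The patch-window clock is started at the first CI sighting of an advisory, a simplification of "a viable fix being available", and the ledger object that records first sightings is something the caller persists between runs.

```javascript
// Added example, not Pythias tooling: a deployment gate over `npm audit --json`
// output (assumed auditReportVersion 2 shape). Blocks on high/critical findings
// that have a fix, and on any finding whose patch window has lapsed.
// Patch windows follow the baseline: critical 48h, high 7d, everything else 30d.

const SLA_HOURS = { critical: 48, high: 7 * 24, moderate: 30 * 24, low: 30 * 24, info: 30 * 24 };
const BLOCK_ON_SIGHT = new Set(['critical', 'high']);

// `ledger` maps advisory URL -> ISO timestamp of first sighting in CI. It is
// updated in place so the caller can persist it; the patch-window clock starts
// at first sighting (a simplification of "fix available").
function gateAudit(reportJson, ledger = {}, now = Date.now()) {
  let report;
  try {
    report = JSON.parse(reportJson);
  } catch {
    return { pass: false, reason: 'unparseable audit report', findings: [], blocking: [] }; // fail closed
  }
  if (report.auditReportVersion !== 2 || !report.vulnerabilities || typeof report.vulnerabilities !== 'object') {
    return { pass: false, reason: 'unexpected audit report format', findings: [], blocking: [] }; // fail closed
  }

  const findings = [];
  for (const [pkg, vuln] of Object.entries(report.vulnerabilities)) {
    const hasFix = Boolean(vuln.fixAvailable);
    for (const via of vuln.via || []) {
      // Strings in `via` point at another vulnerable package, which is reported under its own entry.
      if (typeof via !== 'object') continue;
      const advisory = via.url || `source:${via.source}`;
      if (!ledger[advisory]) ledger[advisory] = new Date(now).toISOString();
      const severity = via.severity || vuln.severity;
      const deadline = Date.parse(ledger[advisory]) + (SLA_HOURS[severity] ?? SLA_HOURS.low) * 3600 * 1000;
      const overdue = hasFix && now > deadline;
      findings.push({
        pkg, advisory, severity, hasFix, overdue,
        deadline: new Date(deadline).toISOString(),
        blocking: overdue || (hasFix && BLOCK_ON_SIGHT.has(severity)),
      });
    }
  }
  const blocking = findings.filter((f) => f.blocking);
  return {
    pass: blocking.length === 0,
    reason: blocking.length ? `${blocking.length} finding(s) violate the baseline` : 'ok',
    findings,
    blocking,
  };
}

// Constructed sample data (not real advisories or packages) in the npm 7+ JSON shape.
const sampleVulns = {
  'example-lib': {
    name: 'example-lib', severity: 'high', isDirect: true, range: '<2.0.1',
    via: [{ source: 1, name: 'example-lib', title: 'Constructed prototype pollution',
            url: 'https://example.com/advisories/1', severity: 'high', range: '<2.0.1' }],
    fixAvailable: { name: 'example-lib', version: '2.0.1', isSemVerMajor: false },
  },
  'other-lib': {
    name: 'other-lib', severity: 'moderate', isDirect: false, range: '<1.4.0',
    via: [{ source: 2, name: 'other-lib', title: 'Constructed ReDoS',
            url: 'https://example.com/advisories/2', severity: 'moderate', range: '<1.4.0' }],
    fixAvailable: true,
  },
  // Transitive entry: its `via` is a string naming the real offender above.
  'depends-on-other': { name: 'depends-on-other', severity: 'moderate', isDirect: true, range: '*',
                        via: ['other-lib'], fixAvailable: true },
};
const SAMPLE_REPORT = JSON.stringify({ auditReportVersion: 2, vulnerabilities: sampleVulns });
const MODERATE_ONLY = JSON.stringify({
  auditReportVersion: 2,
  vulnerabilities: { 'other-lib': sampleVulns['other-lib'], 'depends-on-other': sampleVulns['depends-on-other'] },
});
```

Run in CI as `npm audit --json | node gate.js` (or equivalent) and exit non-zero when `pass` is false. Two details carry the security weight: the gate fails closed when the report cannot be parsed or has an unexpected shape, so a broken audit step cannot silently become a passing one, and the per-advisory ledger turns the 30-day window for moderate and low findings into something the pipeline can actually enforce instead of a date someone has to remember.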


6. Backup & Recovery Baseline

Production databases are backed up daily via MongoDB Atlas automated backups. Backups are retained for a minimum of 7 days.

Application code is version-controlled in a private Git repository. Deployment scripts are documented and reproducible.

Recovery procedures are tested at least annually by restoring from backup to a non-production environment.


7. Logging & Auditability

All authentication events (successful and failed logins), administrative actions, and API calls involving Restricted or Confidential data must be logged.

Logs must not contain plaintext passwords, full API keys, full payment card numbers, or other Restricted data. Such values are redacted or masked before a log record is written, not scrubbed from log files afterwards.

Log files are retained for at least 30 days on a rolling basis. Longer retention is required during active security investigations.

Logs are reviewed at least weekly for anomalies; alerts are configured for repeated authentication failures and unexpected access patterns.
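The alerting requirement above, as an added example (not Pythias tooling) of detection logic run over a batch of structured log lines. It raises three kinds of alert: a burst of failed logins within a sliding window, keyed separately by source IP and by account so that both password spraying and single-account brute force surface; a successful login that follows such a burst from the same IP; and an administrative action from an IP the account has never successfully logged in from. The NDJSON lines, the `auth.login` and `admin.*` event names and the threshold of five failures in ten minutes are all constructed for the example.

```javascript
// Added example, not Pythias tooling: flag repeated authentication failures
// and unexpected access patterns in a batch of structured (NDJSON) log lines.

const RULES = {
  failureThreshold: 5,          // failures within the window that trigger an alert
  windowMs: 10 * 60 * 1000,     // sliding window of 10 minutes
};

function parseLog(text) {
  return text.split('\n').filter(Boolean).map((line) => {
    const rec = JSON.parse(line);
    rec.t = Date.parse(rec.ts);
    return rec;
  });
}

// Records are assumed to be in chronological order, as a log file is.
function analyze(records, rules = RULES) {
  const alerts = [];
  const failures = { ip: new Map(), user: new Map() }; // key -> failure timestamps in window
  const knownIps = new Map();                           // user -> Set of IPs with a successful login
  const alerted = new Set();                            // avoid one alert per extra failure

  const pushWindow = (map, key, t) => {
    const arr = map.get(key) || [];
    arr.push(t);
    while (arr.length && t - arr[0] > rules.windowMs) arr.shift();
    map.set(key, arr);
    return arr.length;
  };

  for (const r of records) {
    if (r.event === 'auth.login' && r.outcome === 'failure') {
      for (const dim of ['ip', 'user']) {
        const n = pushWindow(failures[dim], r[dim], r.t);
        const id = `${dim}:${r[dim]}`;
        if (n >= rules.failureThreshold && !alerted.has(id)) {
          alerted.add(id);
          alerts.push({ rule: 'repeated_auth_failures', [dim]: r[dim], count: n, at: r.ts });
        }
      }
    } else if (r.event === 'auth.login' && r.outcome === 'success') {
      // A success right after a burst of failures from the same IP is the case worth paging on.
      const recent = (failures.ip.get(r.ip) || []).filter((t) => r.t - t <= rules.windowMs).length;
      if (recent >= rules.failureThreshold) {
        alerts.push({ rule: 'success_after_failure_burst', user: r.user, ip: r.ip, failures: recent, at: r.ts });
      }
      if (!knownIps.has(r.user)) knownIps.set(r.user, new Set());
      knownIps.get(r.user).add(r.ip);
    } else if (typeof r.event === 'string' && r.event.startsWith('admin.')) {
      const ips = knownIps.get(r.user);
      if (!ips || !ips.has(r.ip)) {
        alerts.push({ rule: 'admin_action_from_unseen_ip', user: r.user, ip: r.ip, event: r.event, at: r.ts });
      }
    }
  }
  return alerts;
}

// Constructed sample log (not real Pythias data): six failures for alice from one IP,
// then a success; a lone failure for carol; bob logs in, then acts as admin from a new IP.
const SAMPLE_LOG = [
  '{"ts":"2026-06-01T10:00:00Z","event":"auth.login","outcome":"failure","user":"alice","ip":"198.51.100.7"}',
  '{"ts":"2026-06-01T10:00:20Z","event":"auth.login","outcome":"failure","user":"alice","ip":"198.51.100.7"}',
  '{"ts":"2026-06-01T10:00:40Z","event":"auth.login","outcome":"failure","user":"alice","ip":"198.51.100.7"}',
  '{"ts":"2026-06-01T10:01:00Z","event":"auth.login","outcome":"failure","user":"alice","ip":"198.51.100.7"}',
  '{"ts":"2026-06-01T10:01:20Z","event":"auth.login","outcome":"failure","user":"alice","ip":"198.51.100.7"}',
  '{"ts":"2026-06-01T10:01:40Z","event":"auth.login","outcome":"failure","user":"alice","ip":"198.51.100.7"}',
  '{"ts":"2026-06-01T10:03:00Z","event":"auth.login","outcome":"success","user":"alice","ip":"198.51.100.7"}',
  '{"ts":"2026-06-01T10:30:00Z","event":"auth.login","outcome":"failure","user":"carol","ip":"203.0.113.9"}',
  '{"ts":"2026-06-01T11:00:00Z","event":"auth.login","outcome":"success","user":"bob","ip":"203.0.113.5"}',
  '{"ts":"2026-06-01T11:05:00Z","event":"admin.user.delete","user":"bob","ip":"192.0.2.44","target":"carol"}',
  '{"ts":"2026-06-01T11:06:00Z","event":"admin.user.list","user":"bob","ip":"203.0.113.5"}',
].join('\n');
```

Keying failures by both IP and account is deliberate: a spray across many accounts from one IP only shows up in the IP dimension, while a distributed attack on one account only shows up in the user dimension. The "known IPs" baseline here is built from the batch itself; in a real deployment it would be seeded from historical successful logins so the first admin action in a file is not a false positive.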


8. Policy Review

This baseline is reviewed annually (next review: May 26, 2027) and updated when new systems are introduced, significant incidents occur, or industry best practices materially change.


© 2026 Pythias Technologies, LLC · All rights reserved
