Security Hardening

This section outlines practical steps to keep your SmallBlock CMS deployment secure in production.

The goal is not theoretical completeness, but actionable guidance you can verify and maintain over time.

Server Environment

System Updates

Keep your OS and dependencies current:

# RHEL / CentOS / Fedora
sudo dnf update -y

# Debian / Ubuntu
sudo apt update && sudo apt upgrade -y

Reboot after kernel updates or when systemctl list-jobs shows pending restarts.

Dedicated Service Account

Run SmallBlock under a dedicated non-login user:

sudo useradd --system --home /srv/smallblock --shell /sbin/nologin smallblock
sudo chown -R smallblock:smallblock /srv/smallblock

This isolates the app from other services on the host.

Firewall

Allow only essential ports:

sudo firewall-cmd --permanent --add-service=http
sudo firewall-cmd --permanent --add-service=https
sudo firewall-cmd --reload

If SSH access is required, restrict it to known source IPs and require key-based authentication instead of passwords.

Application Configuration

Environment Variables

Never hard-code credentials in settings files. Store secrets in an environment file readable only by the service user:

chmod 600 /srv/smallblock/app/.env
chown smallblock:smallblock /srv/smallblock/app/.env

Typical values:

DEBUG=false
SECRET_KEY='change_this_value'
DATABASE_URL=postgresql://sb_user:password@localhost/smallblock
ALLOWED_HOSTS=smallblockcms.com,www.smallblockcms.com
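The following is an added audit script, not part of the SmallBlock project: it checks that the .env file has the 600 mode set above and that none of the weak values from the sample (DEBUG=true, the SECRET_KEY placeholder, an empty or wildcard ALLOWED_HOSTS) survived into production. It assumes the key names DEBUG, SECRET_KEY and ALLOWED_HOSTS shown in the sample file; the 32-character minimum for SECRET_KEY is this script's own threshold.

```shell
#!/bin/sh
# Audit a SmallBlock .env file for loose permissions and the weak defaults shown
# above. Added example, not part of the SmallBlock project; it assumes the key
# names DEBUG, SECRET_KEY and ALLOWED_HOSTS from the sample file.

# env_value FILE KEY -> value of KEY with surrounding quotes stripped (empty if absent)
env_value() {
    grep -E "^$2=" "$1" | head -n 1 | cut -d= -f2- | sed -e "s/^['\"]//" -e "s/['\"]\$//"
}

# audit_env_file FILE -> prints one finding per line, returns the finding count
audit_env_file() {
    f="$1"; findings=0
    # GNU stat first, BSD stat as a fallback
    mode=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f")
    if [ "$mode" != "600" ]; then
        echo "FAIL: $f has mode $mode, expected 600 (chmod 600)"
        findings=$((findings + 1))
    fi
    if [ "$(env_value "$f" DEBUG)" != "false" ]; then
        echo "FAIL: DEBUG must be false in production"
        findings=$((findings + 1))
    fi
    secret=$(env_value "$f" SECRET_KEY)
    # The placeholder from the sample file and short keys are both rejected
    if [ -z "$secret" ] || [ "$secret" = "change_this_value" ] || [ "${#secret}" -lt 32 ]; then
        echo "FAIL: SECRET_KEY is missing, still the placeholder, or shorter than 32 characters"
        findings=$((findings + 1))
    fi
    case "$(env_value "$f" ALLOWED_HOSTS)" in
        ""|*"*"*)
            echo "FAIL: ALLOWED_HOSTS must list explicit hostnames, never empty or a wildcard"
            findings=$((findings + 1)) ;;
    esac
    return "$findings"
}

# Usage: audit_env_file /srv/smallblock/app/.env
```

The exit status is the number of findings, so the function can be dropped into a deployment check that fails the rollout when it returns non-zero.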

Secret Management

For larger installations, consider:

  • systemd EnvironmentFile for controlled injection

  • HashiCorp Vault or AWS Secrets Manager for distributed environments

File Permissions

Restrict ownership and access:

sudo chown -R smallblock:smallblock /srv/smallblock
sudo chmod -R o-rwx /srv/smallblock

Within Nginx, serve only static and media files:

location /static/ {
    alias /srv/smallblock/static/;
    autoindex off;
}

location /media/ {
    alias /srv/smallblock/media/;
    autoindex off;
}

Disable directory listings and ensure .env, .py, and other sensitive files are never served.
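To verify the two rules above (nothing sensitive inside the aliased directories, nothing under the install reachable by "other" after chmod -R o-rwx), here is an added audit script that is not part of the SmallBlock project. It assumes the layout used on this page, where ROOT/static and ROOT/media are the only directories Nginx aliases; the list of sensitive name patterns is this script's own and can be extended.

```shell
#!/bin/sh
# Audit the SmallBlock tree for files that must never reach Nginx or other users.
# Added example, not part of the SmallBlock project; it assumes the layout above
# (ROOT/static and ROOT/media are the only directories Nginx aliases).

# served_dir_audit ROOT -> prints one finding per line, returns the finding count
served_dir_audit() {
    root="$1"; findings=0
    # 1. Nothing sensitive may sit inside a directory Nginx serves directly
    for dir in "$root/static" "$root/media"; do
        [ -d "$dir" ] || continue
        found=$(find "$dir" -type f \( -name '.env' -o -name '*.py' -o -name '*.sql' \
                  -o -name '*.bak' -o -path '*/.git/*' \))
        if [ -n "$found" ]; then
            printf 'FAIL: sensitive file inside served directory:\n%s\n' "$found"
            findings=$((findings + $(printf '%s\n' "$found" | wc -l)))
        fi
    done
    # 2. After `chmod -R o-rwx`, nothing under ROOT should carry any "other" bit
    found=$(find "$root" -perm /o+rwx)
    if [ -n "$found" ]; then
        printf 'FAIL: accessible to other users:\n%s\n' "$found"
        findings=$((findings + $(printf '%s\n' "$found" | wc -l)))
    fi
    return "$findings"
}

# Usage: served_dir_audit /srv/smallblock
```

Run it after every deploy: a build step that drops a .py or .bak file into static/ is exactly the kind of regression the Nginx alias rules cannot catch on their own.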

SELinux Configuration

Keep SELinux enforcing. Label key paths properly:

sudo semanage fcontext -a -t httpd_sys_rw_content_t "/srv/smallblock/(static|media)(/.*)?"
sudo semanage fcontext -a -t httpd_var_run_t "/srv/smallblock/run(/.*)?"
sudo restorecon -Rv /srv/smallblock/

For socket-based setups, ensure /srv/smallblock/run/smallblock.sock has httpd_var_run_t.

Network & TLS

HTTPS

All public access should go through HTTPS. Let’s Encrypt is sufficient for most use cases:

sudo certbot --nginx -d smallblockcms.com -d www.smallblockcms.com

Test renewal:

sudo certbot renew --dry-run

Headers

Add these to your Nginx configuration:

add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-Content-Type-Options "nosniff" always;
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
add_header Permissions-Policy "geolocation=()" always;
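Note that the always parameter matters: without it, Nginx adds the header only to 2xx/3xx responses, so error pages would ship without protection. The following added check, not part of the SmallBlock project, reads a captured response (for example the output of curl -sI against the site and against a 404 URL) and reports which of the four headers above are missing or carry a value that does not actually restrict anything. The constructed sample response is included so the script runs offline.

```shell
#!/bin/sh
# Check a captured HTTP response (headers only, e.g. from `curl -sI URL`) for the
# hardening headers listed above. Added example, not from the SmallBlock project.

# check_security_headers < HEADERS -> prints one line per problem, returns the problem count
check_security_headers() {
    hdrs=$(cat)
    problems=0
    for h in X-Frame-Options X-Content-Type-Options Referrer-Policy Permissions-Policy; do
        if ! printf '%s\n' "$hdrs" | grep -qi "^$h:"; then
            echo "MISSING: $h"
            problems=$((problems + 1))
        fi
    done
    # Presence is not enough: only these values actually restrict behaviour
    if printf '%s\n' "$hdrs" | grep -qi '^X-Frame-Options:' \
       && ! printf '%s\n' "$hdrs" | grep -qiE '^X-Frame-Options: *(SAMEORIGIN|DENY)'; then
        echo "WEAK: X-Frame-Options should be SAMEORIGIN or DENY"
        problems=$((problems + 1))
    fi
    if printf '%s\n' "$hdrs" | grep -qi '^X-Content-Type-Options:' \
       && ! printf '%s\n' "$hdrs" | grep -qi '^X-Content-Type-Options: *nosniff'; then
        echo "WEAK: X-Content-Type-Options should be nosniff"
        problems=$((problems + 1))
    fi
    return "$problems"
}

# Constructed sample: two of the four headers are absent and X-Frame-Options
# uses a value browsers no longer honour
sample_response() {
    printf 'HTTP/1.1 200 OK\r\nServer: nginx\r\n'
    printf 'X-Frame-Options: ALLOW-FROM https://example.invalid\r\n'
    printf 'X-Content-Type-Options: nosniff\r\n\r\n'
}

# Usage against a live site (check an error page too, to confirm `always` works):
#   curl -sI https://smallblockcms.com/ | check_security_headers
#   curl -sI https://smallblockcms.com/does-not-exist | check_security_headers
```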

Database Hardening

  • Grant only necessary privileges to your application user.

  • Disable remote access to the database unless required.

  • Require password authentication for all users.

  • Keep backups encrypted and access-controlled.

PostgreSQL example (pg_hba.conf):

local   all             all                                     peer
host    smallblock      sb_user         127.0.0.1/32            md5

Monitoring and Auditing

  • Forward system logs to a central collector (e.g., rsyslog → Graylog, ELK, or journald aggregation).

  • Enable Nginx and SmallBlock access/error logs.

  • Rotate logs regularly (/etc/logrotate.d/smallblock).

  • Review logs weekly for anomalies.

  • Test your /health endpoint and alerts.

Example log rotation config:

/srv/smallblock/logs/*.log {
    daily
    rotate 14
    compress
    missingok
    notifempty
    create 0640 smallblock smallblock
}

Backup & Recovery Verification

Security includes the ability to recover data safely.

  • Automate encrypted backups of both database and media.

  • Store offsite copies (S3 or remote filesystem).

  • Perform a restore test monthly.
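A restore test only counts if it compares the restored data with the original. The script below is an added example, not a SmallBlock project script: it archives a directory (the media tree, in this setup), records a SHA-256 checksum, restores the archive into a scratch directory and diffs it against the source. Paths are placeholders; it deliberately leaves encryption of the archive (for example with gpg) as a separate step before the copy goes offsite, and the database dump would be verified the same way after a restore into a scratch database.

```shell
#!/bin/sh
# Back up a directory, record its checksum, restore into a scratch directory and
# compare with the original. Added example, not a SmallBlock project script; the
# paths are placeholders. Encrypt the archive before shipping it offsite.

# backup_dir SRC ARCHIVE -> writes ARCHIVE (tar.gz) and ARCHIVE.sha256 beside it
backup_dir() {
    src="$1"; archive="$2"
    tar -czf "$archive" -C "$(dirname "$src")" "$(basename "$src")"
    (cd "$(dirname "$archive")" \
        && sha256sum "$(basename "$archive")" > "$(basename "$archive").sha256")
}

# verify_restore SRC ARCHIVE -> returns 0 only if the checksum matches and the
# restored tree is identical to SRC; otherwise prints the reason and returns 1
verify_restore() {
    src="$1"; archive="$2"
    scratch=$(mktemp -d)
    # A corrupted or truncated archive fails here, before any restore is attempted
    if ! (cd "$(dirname "$archive")" \
            && sha256sum -c --quiet "$(basename "$archive").sha256"); then
        echo "FAIL: checksum mismatch for $archive"
        rm -rf "$scratch"; return 1
    fi
    tar -xzf "$archive" -C "$scratch"
    # Byte-for-byte comparison of the restored tree against the live one
    if ! diff -r "$src" "$scratch/$(basename "$src")" >/dev/null; then
        echo "FAIL: restored tree differs from $src"
        rm -rf "$scratch"; return 1
    fi
    rm -rf "$scratch"
    echo "OK: $archive restores to an identical copy of $src"
}

# Usage (placeholders, run from a monthly cron job or timer):
#   backup_dir /srv/smallblock/media /var/backups/smallblock/media-$(date +%F).tar.gz
#   verify_restore /srv/smallblock/media /var/backups/smallblock/media-$(date +%F).tar.gz
```

Keep the .sha256 file with the archive in offsite storage too; a checksum that lives only on the host it protects is lost together with the host.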

Operational Discipline

  • Enforce strong passwords and two-factor authentication for administrators.

  • Review users and roles quarterly.

  • Revoke unused credentials.

  • Document your incident response procedures.

Checklist

  • [x] OS and packages fully updated

  • [x] HTTPS enforced with valid certificate

  • [x] SELinux enforcing and contexts correct

  • [x] Firewall restricts access to 22, 80, 443

  • [x] Secrets stored securely

  • [x] Backups tested and encrypted

  • [x] Logs monitored and rotated

Next Steps