Security: shortmesh/Interface-API

docs/SECURITY.md

Security Configuration

Modes

  • development (default): HTTP allowed, no TLS required
  • production: HTTPS enforced for server and external services

Set via APP_MODE=development or APP_MODE=production

Database Encryption

Default: SQLCipher with AES-256 encryption at rest

Optional: Standard SQLite (unencrypted) - set DISABLE_DB_ENCRYPTION=true for development

Warning

Production deployments should use SQLCipher to protect sensitive data at rest.

Disable Encryption (Development)

To use standard SQLite without encryption for easier development:

  1. Set DISABLE_DB_ENCRYPTION=true in your .env
  2. Run normally: make run, make migrate-up, or make build

The build system automatically detects the DISABLE_DB_ENCRYPTION setting and compiles with the appropriate SQLite driver (SQLCipher or standard SQLite).

Manual Build (Advanced)

go run cmd/api/main.go                  # Standard SQLite
go run -tags sqlcipher cmd/api/main.go  # SQLCipher

go build -o bin/api cmd/api/main.go                  # Standard SQLite
go build -tags sqlcipher -o bin/api cmd/api/main.go  # SQLCipher

Note

  • When DISABLE_DB_ENCRYPTION=false, a DB_ENCRYPTION_KEY must be set
  • When DISABLE_DB_ENCRYPTION=true, the DB_ENCRYPTION_KEY is ignored
  • Production mode logs a warning if encryption is disabled but doesn't enforce encryption

Production Requirements

Server TLS

Required in production unless behind a reverse proxy:

APP_MODE=production
TLS_CERT_FILE=/path/to/cert.crt
TLS_KEY_FILE=/path/to/key.key

Tip

If using a reverse proxy for TLS termination (e.g., nginx, Caddy):

APP_MODE=production
ALLOW_INSECURE_SERVER=true

External Services

Production mode requires HTTPS/WSS/AMQPS for all external services:

APP_MODE=production
MAS_URL=https://mas.example.com
MAS_ADMIN_URL=https://mas-admin.example.com
MATRIX_CLIENT_URL=https://matrix.example.com
RABBITMQ_URL=amqps://user:pass@rabbitmq.example.com:5671/

Caution

To allow insecure protocols in production (not recommended):

ALLOW_INSECURE_EXTERNAL=true

Configuration Examples

Development

APP_MODE=development
HOST=127.0.0.1
PORT=8080
DISABLE_DB_ENCRYPTION=false
MAS_URL=http://localhost:8000
RABBITMQ_URL=amqp://guest:guest@localhost:5672/

Production with TLS

APP_MODE=production
HOST=0.0.0.0
PORT=8443
TLS_CERT_FILE=/etc/ssl/certs/api.crt
TLS_KEY_FILE=/etc/ssl/private/api.key
DISABLE_DB_ENCRYPTION=false
MAS_URL=https://mas.example.com
RABBITMQ_URL=amqps://user:pass@rabbitmq.example.com:5671/

Production Behind Reverse Proxy

APP_MODE=production
HOST=127.0.0.1
PORT=8080
ALLOW_INSECURE_SERVER=true
DISABLE_DB_ENCRYPTION=false
MAS_URL=https://mas.example.com
RABBITMQ_URL=amqps://user:pass@rabbitmq.example.com:5671/

Common Errors

"TLS_CERT_FILE and TLS_KEY_FILE must be set"

  • Set cert/key paths or use ALLOW_INSECURE_SERVER=true with a reverse proxy

"production mode requires HTTPS/WSS/AMQPS for external service"

  • Update URLs to secure protocols or set ALLOW_INSECURE_EXTERNAL=true
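
A preflight check that mirrors the rules on this page, useful in a deploy pipeline before the service starts. It is an added example, not the project's own validation code: Check and its message wording are hypothetical, only the literal value true is assumed to enable a flag, and unset service URLs are assumed to be skipped.

```go
package main

import (
	"fmt"
	"net/url"
	"os"
)

// Check applies the rules documented on this page and returns fatal errors
// and warnings. Hypothetical helper: get looks up one variable (os.Getenv).
func Check(get func(string) string) (errs, warns []string) {
	on := func(k string) bool { return get(k) == "true" } // assumed: literal "true" only
	prod := get("APP_MODE") == "production"               // development is the default
	// Database: a key is mandatory unless encryption is explicitly disabled.
	if !on("DISABLE_DB_ENCRYPTION") && get("DB_ENCRYPTION_KEY") == "" {
		errs = append(errs, "DB_ENCRYPTION_KEY must be set")
	}
	if prod && on("DISABLE_DB_ENCRYPTION") {
		warns = append(warns, "database encryption disabled in production")
	}
	if !prod {
		return // TLS and scheme rules apply to production only
	}
	// Server TLS: cert and key, unless a reverse proxy terminates TLS.
	if !on("ALLOW_INSECURE_SERVER") && (get("TLS_CERT_FILE") == "" || get("TLS_KEY_FILE") == "") {
		errs = append(errs, "TLS_CERT_FILE and TLS_KEY_FILE must be set")
	}
	// External services: only https, wss and amqps pass unless overridden.
	secure := map[string]bool{"https": true, "wss": true, "amqps": true}
	for _, k := range []string{"MAS_URL", "MAS_ADMIN_URL", "MATRIX_CLIENT_URL", "RABBITMQ_URL"} {
		if get(k) == "" || on("ALLOW_INSECURE_EXTERNAL") {
			continue // assumed: unset URLs are not checked here
		}
		// Name the variable only: the URL itself may embed credentials.
		if u, err := url.Parse(get(k)); err != nil || !secure[u.Scheme] {
			errs = append(errs, k+": production mode requires HTTPS/WSS/AMQPS for external service")
		}
	}
	return
}

func main() {
	errs, warns := Check(os.Getenv)
	fmt.Println("warnings:", warns)
	fmt.Println("errors:", errs)
	if len(errs) > 0 {
		os.Exit(1)
	}
}
```

Run it with the same environment the service will receive; a non-zero exit means at least one documented requirement is unmet.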

There aren't any published security advisories