Deployment Security
This page describes the security measures implemented in ShipStream Data Border deployments.
Security Architecture
Data Border implements defense-in-depth with multiple security layers:
- TLS 1.3: All connections encrypted with modern TLS
- Web Application Firewall: Protection against common attacks
- Rate Limiting: Per-endpoint and per-IP throttling
- Authentication: Multi-layer token validation
TLS Configuration
Data Border enforces strict TLS settings:
| Setting | Value | Purpose |
|---|---|---|
| Protocol | TLS 1.3 only | No legacy protocol support |
| HTTPS | Required | HTTP automatically redirected |
| Certificates | Valid CA-signed | No self-signed certificates |
Secrets Management
Data Border requires several secrets for operation. All secrets are:
- Stored in platform-managed secret stores (never in code)
- Encrypted at rest
- Rotated according to security policy
Required Secrets
| Secret | Purpose | Generation |
|---|---|---|
| JWT_SECRET | Token signing | openssl rand -base64 32 |
| COOKIE_ENCRYPTION_KEY | Session encryption | openssl rand -hex 32 |
| Amazon SP-API credentials | API access | From Amazon Developer Console |
| Storage credentials | Object storage access | From storage provider |
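A startup check can confirm that the two generated secrets really have the shape the commands in the table produce. This is an added example, not ShipStream's code. It assumes a Node.js runtime, and `checkSecrets`, `RULES`, `MIN_DISTINCT_BYTES`, `sampleBytes` and `sampleEnv` are hypothetical names.

```javascript
// Added example, not ShipStream code. Verifies that JWT_SECRET and
// COOKIE_ENCRYPTION_KEY look like output of the commands in the table.
// Problem messages never include the secret value itself.
const MIN_DISTINCT_BYTES = 16; // assumed heuristic threshold for "not a placeholder"

const RULES = {
  // openssl rand -base64 32 -> 43 base64 characters plus one '=' (32 bytes)
  JWT_SECRET: { encoding: 'base64', pattern: /^[A-Za-z0-9+/]{43}=$/ },
  // openssl rand -hex 32 -> 64 hex characters (32 bytes)
  COOKIE_ENCRYPTION_KEY: { encoding: 'hex', pattern: /^[0-9a-f]{64}$/i },
};

// Returns a list of problems; an empty list means both secrets pass.
function checkSecrets(env) {
  const problems = [];
  const decoded = {};
  for (const [name, rule] of Object.entries(RULES)) {
    const value = typeof env[name] === 'string' ? env[name].trim() : '';
    if (value === '') {
      problems.push(`${name}: missing`);
    } else if (!rule.pattern.test(value)) {
      problems.push(`${name}: not 32 bytes of ${rule.encoding}`);
    } else {
      const bytes = Buffer.from(value, rule.encoding);
      if (new Set(bytes).size < MIN_DISTINCT_BYTES) {
        problems.push(`${name}: looks like a placeholder, not random output`);
      } else {
        decoded[name] = bytes;
      }
    }
  }
  // One key must not serve both token signing and session encryption.
  const { JWT_SECRET: jwt, COOKIE_ENCRYPTION_KEY: cookie } = decoded;
  if (jwt && cookie && jwt.equals(cookie)) {
    problems.push('JWT_SECRET and COOKIE_ENCRYPTION_KEY reuse the same key');
  }
  return problems;
}

// Constructed sample values (fixed byte patterns, not real secrets).
const sampleBytes = (step) =>
  Buffer.from(Array.from({ length: 32 }, (_, i) => (i * step + 3) % 256));
const sampleEnv = {
  JWT_SECRET: sampleBytes(7).toString('base64'),
  COOKIE_ENCRYPTION_KEY: sampleBytes(11).toString('hex'),
};

console.log(checkSecrets(sampleEnv));
console.log(checkSecrets({ ...sampleEnv, COOKIE_ENCRYPTION_KEY: '0'.repeat(64) }));
```

In a real deployment the argument would be the process environment populated from the platform secret store, and a non-empty result should stop startup.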
Client-Provided Secrets
The amazonTokenSecret is provided by WMS clients and:
- Never stored in Data Border infrastructure
- Used only for encrypting Amazon tokens
- Must be securely managed by the WMS
Container Security
Data Border containers are built with security best practices:
- Multi-stage builds: Development dependencies excluded
- Minimal base image: Reduced attack surface
- No source code: Only compiled application in production
- Deterministic builds: Package lock ensures reproducibility
Data Protection
Encryption at Rest
All stored data is encrypted:
- Database: Platform-provided encryption
- Object storage: Server-side encryption (SSE)
- Secrets: Platform-managed encryption
Encryption in Transit
All data in transit is encrypted:
- External: TLS 1.3 for all API calls
- Internal: Encrypted connections to storage and external services
Web Application Firewall
Data Border uses Arcjet Shield for WAF protection:
- SQL injection detection
- Cross-site scripting (XSS) prevention
- Bot detection and blocking
- Suspicious activity monitoring
Security Headers
Data Border sets security headers on all responses:
Content-Security-Policy: default-src 'none'
This strict CSP is appropriate for API-only services.
Health Monitoring
Health check endpoints are available for monitoring without exposing sensitive information:
/health-check
- Basic system health
- Components verified: Database, Storage
See Health Check API for details.
Compliance
Data Border is designed to support compliance with:
- Amazon Data Protection Policy (DPP)
- SOC 2 requirements (via cloud provider certifications)
- Data encryption requirements
Related Documentation
- Encryption - Token encryption details
- WAF & Rate Limiting - Detailed WAF configuration
- Tokens - Token types and lifecycle
