SteerDock implements enterprise-grade security features including Role-Based Access Control (RBAC), JWT authentication, password encryption, audit logging, and comprehensive security headers to protect your Docker infrastructure.
Token Lifecycle:
- Access Token: 24-hour expiration
- Refresh Token: 7-day expiration
- Automatic Refresh: Seamless token renewal
- Secure Storage: HttpOnly cookies + localStorage fallback
Token Structure:
```json
{
  "user_id": "admin",
  "username": "admin",
  "role": "admin",
  "permissions": ["container.read", "container.write"],
  "exp": 1704711600,
  "iat": 1704625200
}
```
Supported Providers:
- Google OAuth: Full profile and email access
- GitHub OAuth: Repository and organization integration
- Custom OIDC: Enterprise identity provider support
Configuration:
```json
{
  "oauth": {
    "google": {
      "enabled": true,
      "client_id": "your-google-client-id",
      "client_secret": "your-google-client-secret"
    },
    "github": {
      "enabled": true,
      "client_id": "your-github-client-id",
      "client_secret": "your-github-client-secret"
    }
  }
}
```
- Full system control
- User management
- System configuration
- All Docker operations across all hosts
- Audit log access
- Plugin management
- Organization management
- User creation within organization
- All Docker operations within organization
- Monitoring and alerts
- Registry management
- Team leadership
- Container lifecycle management
- Image and network operations
- Limited user management (within team)
- Read-only system information
- Standard operations
- Container start/stop/restart
- View containers, images, networks
- Basic monitoring access
- Execute terminal commands
- View-only access
- List containers, images, networks, volumes
- View system information
- Read monitoring data
- No modification permissions
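The roles above resolve to the `resource.action` grants listed in the permissions catalogue that follows, and the access token carries them in its `permissions` claim. As an added example (not SteerDock's own code), this Go function checks a decoded claim set for expiry and for one required grant; it assumes the token signature was already verified, and `Authorize` and `samplePayload` are names chosen here.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// Claims mirrors the documented access-token payload.
type Claims struct {
	UserID      string   `json:"user_id"`
	Username    string   `json:"username"`
	Role        string   `json:"role"`
	Permissions []string `json:"permissions"`
	Exp         int64    `json:"exp"`
	Iat         int64    `json:"iat"`
}

// Authorize decodes a claims payload whose signature has already been
// verified (assumed, not shown) and checks that the token is still valid at
// `now` and carries the required "<resource>.<action>" permission.
func Authorize(payload []byte, required string, now time.Time) error {
	var c Claims
	if err := json.Unmarshal(payload, &c); err != nil {
		return fmt.Errorf("malformed claims: %w", err)
	}
	if c.Exp == 0 || !now.Before(time.Unix(c.Exp, 0)) {
		return errors.New("token expired or missing exp")
	}
	if c.Iat > now.Unix() {
		return errors.New("token issued in the future")
	}
	for _, p := range c.Permissions {
		if p == required {
			return nil // decision rests on the explicit grant, not on the role name
		}
	}
	return fmt.Errorf("user %q (role %s) lacks permission %s", c.Username, c.Role, required)
}

// samplePayload is a constructed claim set matching the structure documented above.
const samplePayload = `{"user_id":"admin","username":"admin","role":"admin",
 "permissions":["container.read","container.write"],"exp":1704711600,"iat":1704625200}`
```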
Permissions System:
```yaml
container:
  - read: View container information
  - write: Create, modify containers
  - delete: Remove containers
  - exec: Execute commands in containers
  - logs: Access container logs
image:
  - read: List and inspect images
  - pull: Pull images from registries
  - push: Push images to registries
  - build: Build custom images
  - delete: Remove images
network:
  - read: View network configurations
  - write: Create, modify networks
  - delete: Remove networks
volume:
  - read: List and inspect volumes
  - write: Create, modify volumes
  - delete: Remove volumes
host:
  - read: View host information
  - write: Add, modify hosts
  - delete: Remove hosts
system:
  - read: View system information
  - admin: System administration
  - logs: Access audit logs
user:
  - read: View user information
  - write: Create, modify users
  - delete: Remove users
  - admin: User administration
```
Organization Isolation:
- Data Segregation: Complete isolation between organizations
- Resource Quotas: CPU, memory, storage limits per organization
- Network Isolation: Separate Docker networks per tenant
- Audit Trails: Per-organization audit logging
Tenant Configuration:
```json
{
  "organization": {
    "id": "acme-corp",
    "name": "ACME Corporation",
    "quotas": {
      "containers": 100,
      "cpu_cores": 50,
      "memory_gb": 200,
      "storage_gb": 1000
    },
    "networks": ["acme-prod", "acme-dev"],
    "isolated": true
  }
}
```
Requirements:
- Minimum 8 characters
- At least 1 uppercase letter
- At least 1 lowercase letter
- At least 1 number
- At least 1 special character
- Cannot reuse last 5 passwords
- Password expiration: 90 days (configurable)
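An added Go example (not SteerDock's own code) that enforces the requirements above, including the "last 5 passwords" rule: `StoredPassword`, `CheckPassword` and the `derive` stand-in for the PBKDF2 step described under Encryption are all names assumed here.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"unicode"
)

// StoredPassword is a previous verifier: per-password salt plus derived hash (constructed type).
type StoredPassword struct{ Salt, Hash []byte }

// derive stands in for the documented PBKDF2 step: HMAC-SHA256 keyed with the pepper over salt||password.
func derive(password string, salt, pepper []byte) []byte {
	m := hmac.New(sha256.New, pepper)
	m.Write(salt)
	m.Write([]byte(password))
	return m.Sum(nil)
}

// CheckPassword enforces the documented rules: at least 8 characters, one of each
// character class, and no match against the last five entries of history (oldest first).
func CheckPassword(pw string, history []StoredPassword, pepper []byte) error {
	if len([]rune(pw)) < 8 {
		return errors.New("password must be at least 8 characters")
	}
	var upper, lower, digit, special bool
	for _, r := range pw {
		switch {
		case unicode.IsUpper(r):
			upper = true
		case unicode.IsLower(r):
			lower = true
		case unicode.IsDigit(r):
			digit = true
		case unicode.IsPunct(r) || unicode.IsSymbol(r):
			special = true
		}
	}
	if !(upper && lower && digit && special) {
		return errors.New("password needs an uppercase, lowercase, digit and special character")
	}
	for i := len(history) - 1; i >= 0 && i >= len(history)-5; i-- {
		if subtle.ConstantTimeCompare(derive(pw, history[i].Salt, pepper), history[i].Hash) == 1 {
			return errors.New("password matches one of the last 5 passwords")
		}
	}
	return nil
}
```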
Encryption:
- Algorithm: AES-GCM 256-bit
- Key Derivation: PBKDF2 with 100,000 iterations
- Salt: Unique random salt per password
- Pepper: Global application secret
SSH Keys & Passwords:
```go
// Encrypted storage of sensitive host data
type EncryptedHost struct {
	ID       string
	Name     string
	Host     string
	Port     int
	Username string
	Password string `encrypt:"aes-gcm"` // Encrypted in database
	SSHKey   string `encrypt:"aes-gcm"` // Encrypted in database
	TLSCert  string `encrypt:"aes-gcm"` // Encrypted in database
}
```
Key Management:
- Master Key: Derived from configuration secret
- Key Rotation: Annual rotation schedule
- Backup Encryption: All backups encrypted at rest
Production Setup:
```nginx
server {
    listen 443 ssl http2;
    ssl_certificate     /path/to/cert.pem;
    ssl_certificate_key /path/to/key.pem;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256;
    ssl_prefer_server_ciphers off;

    location / {
        proxy_pass http://steerdock:8383;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```
Configuration:
```json
{
  "security": {
    "allowed_origins": [
      "https://steerdock.company.com",
      "https://app.steerdock.company.com"
    ],
    "allowed_methods": ["GET", "POST", "PUT", "DELETE", "OPTIONS"],
    "allowed_headers": ["Content-Type", "Authorization"],
    "credentials": true,
    "max_age": 3600
  }
}
```
API Protection:
- Global: 1000 requests/minute per IP
- Authenticated: 5000 requests/minute per user
- Login Attempts: 5 attempts per 15 minutes
- WebSocket: 10 concurrent connections per user
- File Upload: 100MB per request
Configuration:
```json
{
  "rate_limit": {
    "global": "1000r/m",
    "authenticated": "5000r/m",
    "login": "5r/15m",
    "websocket": 10,
    "upload_size": "100MB"
  }
}
```
Implemented Headers:
```http
# Content Security Policy
# Note: 'unsafe-inline' allows inline scripts and styles to run, which weakens the
# XSS protection CSP provides; nonces or hashes are the stronger option where feasible
Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'
# XSS Protection (X-XSS-Protection is ignored by current browsers; CSP is the effective control)
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
# HSTS
Strict-Transport-Security: max-age=31536000; includeSubDomains
# Referrer Policy
Referrer-Policy: strict-origin-when-cross-origin
# Permissions Policy
Permissions-Policy: geolocation=(), microphone=(), camera=()
```
Container Operations:
```json
{
  "timestamp": "2026-01-07T12:30:00Z",
  "user_id": "admin",
  "username": "admin",
  "action": "container.start",
  "resource": "nginx-web",
  "host_id": "prod-server-1",
  "ip_address": "192.168.1.100",
  "user_agent": "SteerDock/1.0 (Web)",
  "success": true,
  "details": {
    "container_id": "abc123",
    "image": "nginx:latest"
  }
}
```
Authentication Events:
```json
{
  "timestamp": "2026-01-07T12:30:00Z",
  "event": "login.success",
  "user_id": "admin",
  "username": "admin",
  "ip_address": "192.168.1.100",
  "user_agent": "Mozilla/5.0...",
  "method": "jwt",
  "provider": "local"
}
```
Real-time Alerts:
- Failed authentication attempts
- Privilege escalation attempts
- Unusual API usage patterns
- Container escape attempts
- Unauthorized file access
Webhook Integration:
```json
{
  "webhook": {
    "url": "https://security-siem.company.com/webhook",
    "events": [
      "auth.failed_login",
      "auth.privilege_escalation",
      "container.escape_attempt",
      "file.unauthorized_access"
    ],
    "headers": {
      "Authorization": "Bearer security-webhook-token"
    }
  }
}
```
Image Vulnerability Assessment:
```http
# Scan Docker images for vulnerabilities
POST /api/v1/images/{id}/scan
{
  "scanner": "trivy",
  "severity": ["HIGH", "CRITICAL"],
  "ignore_unfixed": false
}
```
Security Policies:
```yaml
security_policies:
  image_scanning:
    required: true
    block_high_severity: true
    max_vulnerabilities: 10
  runtime_security:
    readonly_filesystem: recommended
    non_root_user: required
    drop_capabilities: ["ALL"]
    add_capabilities: []
```
Backend Dependencies:
- Go modules vulnerability scanning
- Automated security updates
- License compliance checking
Frontend Dependencies:
- npm audit integration
- Snyk vulnerability monitoring
- Regular dependency updates
Security Configuration:
```yaml
container_security:
  user: "1001:1001"        # Non-root user
  read_only: true          # Read-only filesystem
  no_new_privileges: true
  security_opt:
    - "no-new-privileges:true"
    - "apparmor:docker-default"
  cap_drop:
    - "ALL"
  cap_add:
    - "NET_BIND_SERVICE"   # Only required capabilities
```
Docker Network Isolation:
```yaml
networks:
  frontend:
    driver: bridge
    internal: false
  backend:
    driver: bridge
    internal: true   # No external access
  database:
    driver: bridge
    internal: true
    encrypted: true
```
Docker Secrets Integration:
```yaml
secrets:
  database_password:
    external: true
    name: db_password_v1
  api_key:
    file: ./secrets/api_key.txt

services:
  app:
    image: myapp:latest
    secrets:
      - database_password
      - api_key
```
- HTTPS/TLS: SSL certificates installed and configured
- Authentication: JWT secrets rotated and secure
- Database: Encrypted connections and credentials
- Secrets: All sensitive data encrypted at rest
- Network: Firewalls configured, unnecessary ports closed
- Updates: Regular security updates applied
- Monitoring: Security events monitored and alerted
- Backup: Encrypted backups with tested restore procedures
- Access: Principle of least privilege implemented
- Audit: Comprehensive audit logging enabled
Development:
```json
{
  "security": {
    "jwt_expiration": "24h",
    "password_policy": "relaxed",
    "https_required": false,
    "debug_logging": true
  }
}
```
Staging:
```json
{
  "security": {
    "jwt_expiration": "8h",
    "password_policy": "standard",
    "https_required": true,
    "debug_logging": false
  }
}
```
Production:
```json
{
  "security": {
    "jwt_expiration": "1h",
    "password_policy": "strict",
    "https_required": true,
    "debug_logging": false,
    "rate_limiting": "strict",
    "session_security": "maximum"
  }
}
```
1. Detection & Assessment
   - Monitor security alerts and logs
   - Assess severity and impact scope
   - Determine if containment is needed
2. Containment
   - Isolate affected systems
   - Preserve evidence for analysis
   - Implement temporary security measures
3. Eradication & Recovery
   - Remove threat vectors
   - Apply security patches
   - Restore from clean backups
4. Post-Incident
   - Conduct security review
   - Update security policies
   - Improve monitoring and detection
```yaml
security_contacts:
  security_team: security@company.com
  incident_response: incident@company.com
  infrastructure: infra@company.com
  legal_compliance: legal@company.com
```
- SOC 2 Type II: Security, availability, and confidentiality
- ISO 27001: Information security management
- PCI DSS: Payment card industry security
- HIPAA: Healthcare information protection
- GDPR: European data protection regulation
Data Protection:
- Data encryption at rest and in transit
- Right to erasure (data deletion)
- Data portability (export capabilities)
- Consent management
- Data breach notification
Access Controls:
- Multi-factor authentication
- Role-based access control
- Privileged access management
- Regular access reviews
- Segregation of duties
For security questions or to report vulnerabilities, please contact: security@steerdock.com