This repository hosts the Rust backend (portfolio-backend) for API, auth, gate logic,
and observability endpoints.
- Do not open public issues for security vulnerabilities.
- Email: security@dimasptra.my.id
- Include: impact, reproduction steps, affected files, and mitigation ideas.
- Auth: JWT access tokens + rotating refresh tokens in HttpOnly cookies.
- Gate: puzzle UX for terminal access (`/gate/*`), not a perimeter for all API routes.
- CORS: enforced by the backend (`ALLOWED_ORIGINS`/`FRONTEND_ORIGIN`).
- Secrets: loaded from env/Secret Manager, never committed.
Production checklist:
- `ENVIRONMENT=production`
- `JWT_SECRET` and `REFRESH_TOKEN_SECRET` set (>=32 chars, randomly generated; length alone is not entropy)
- `ADMIN_EMAIL` + admin password hash configured
- `GATE_TOKEN_SECRET` + `GATE_L2_ANSWER` configured
- `ENABLE_SWAGGER_UI=false`
- `METRICS_BEARER_TOKEN` set when exposing `/metrics`
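The checklist above, together with the CORS allow-list, is the kind of thing that should fail the process at start-up rather than be found later in a review. The following is an added example, not code from `portfolio-backend`: a std-only Rust start-up check that enforces the checklist against an environment map and an exact-match origin check for CORS. `validate_production`, `is_origin_allowed`, the variable names `ADMIN_PASSWORD_HASH` and `METRICS_ENABLED`, and the sample environment in `main` are assumptions made for illustration; the repository's actual variable names for the admin hash and the metrics toggle are not given on this page.

```rust
use std::collections::HashMap;

/// Minimum length, in bytes, the checklist requires for signing secrets.
/// A floor, not an entropy guarantee: secrets should be generated randomly.
const MIN_SECRET_LEN: usize = 32;

/// Names the checklist does not spell out; assumed here for illustration.
const ADMIN_PASSWORD_HASH: &str = "ADMIN_PASSWORD_HASH"; // assumed name
const METRICS_ENABLED: &str = "METRICS_ENABLED"; // assumed name

/// One checklist violation. Production start-up should refuse to
/// proceed while this list is non-empty.
#[derive(Debug, Clone, PartialEq, Eq)]
pub enum ConfigError {
    Missing(&'static str),
    TooShort(&'static str, usize),
    SwaggerEnabled,
    MetricsUnprotected,
    BadOrigin(String),
}

/// Read a variable, treating blank values as unset.
fn get<'a>(env: &'a HashMap<String, String>, key: &str) -> Option<&'a str> {
    env.get(key).map(|v| v.trim()).filter(|v| !v.is_empty())
}

/// Validate the environment against the production checklist.
/// Takes a map instead of reading `std::env` so it can be tested offline.
pub fn validate_production(env: &HashMap<String, String>) -> Vec<ConfigError> {
    let mut errs = Vec::new();

    // The checklist applies to production only; dev and test may run looser.
    if get(env, "ENVIRONMENT") != Some("production") {
        return errs;
    }

    // Signing secrets: present and at least MIN_SECRET_LEN bytes.
    for key in ["JWT_SECRET", "REFRESH_TOKEN_SECRET", "GATE_TOKEN_SECRET"] {
        match get(env, key) {
            None => errs.push(ConfigError::Missing(key)),
            Some(v) if v.len() < MIN_SECRET_LEN => errs.push(ConfigError::TooShort(key, v.len())),
            Some(_) => {}
        }
    }

    // Values that only need to be present.
    for key in ["ADMIN_EMAIL", ADMIN_PASSWORD_HASH, "GATE_L2_ANSWER"] {
        if get(env, key).is_none() {
            errs.push(ConfigError::Missing(key));
        }
    }

    // Swagger UI must be explicitly off. An unset flag counts as on,
    // so a forgotten variable fails closed.
    if get(env, "ENABLE_SWAGGER_UI") != Some("false") {
        errs.push(ConfigError::SwaggerEnabled);
    }

    // /metrics needs a bearer token whenever it is exposed.
    if get(env, METRICS_ENABLED) == Some("true") && get(env, "METRICS_BEARER_TOKEN").is_none() {
        errs.push(ConfigError::MetricsUnprotected);
    }

    // CORS allow-list: each entry must be a full https origin with no path
    // and no wildcard, otherwise the browser-side check is weaker than intended.
    if let Some(list) = get(env, "ALLOWED_ORIGINS") {
        for origin in list.split(',').map(str::trim).filter(|o| !o.is_empty()) {
            if !is_valid_origin(origin) {
                errs.push(ConfigError::BadOrigin(origin.to_string()));
            }
        }
    }
    errs
}

/// A valid production origin is `https://host[:port]` and nothing more.
fn is_valid_origin(origin: &str) -> bool {
    match origin.strip_prefix("https://") {
        Some(rest) => !rest.is_empty() && !rest.contains('/') && !rest.contains('*'),
        None => false,
    }
}

/// CORS decision: exact match of the request's Origin against the allow-list.
/// Never use `starts_with`/`contains` here; `https://app.example.com.evil.net`
/// passes a prefix check against `https://app.example.com`.
pub fn is_origin_allowed(origin: &str, allowed: &[&str]) -> bool {
    allowed.iter().any(|a| a.eq_ignore_ascii_case(origin))
}

fn main() {
    // Constructed sample, not a real deployment: a config with several misses.
    let mut env = HashMap::new();
    for (k, v) in [
        ("ENVIRONMENT", "production"),
        ("JWT_SECRET", "short"),
        ("ENABLE_SWAGGER_UI", "true"),
    ] {
        env.insert(k.to_string(), v.to_string());
    }
    for e in validate_production(&env) {
        eprintln!("refusing to start: {:?}", e);
    }
}
```

Wire `validate_production` into the binary before the server binds and exit non-zero on any finding; the exact-match `is_origin_allowed` is the shape the CORS layer should use when comparing the request's `Origin` header against `ALLOWED_ORIGINS`.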
See terraform/docs/deploy-runbook.md for deployment hardening steps.