Kronforce security controls, compliance readiness, and operational security guidance.

Set KRONFORCE_TLS_CERT and KRONFORCE_TLS_KEY to serve HTTPS on both controller and agent. Uses rustls (no OpenSSL dependency).

KRONFORCE_TLS_CERT=/path/to/cert.pem \
KRONFORCE_TLS_KEY=/path/to/key.pem \
cargo run --bin kronforce

For production, use a reverse proxy (Caddy, nginx) for TLS termination, or deploy with the HA Docker Compose which includes Caddy with auto-TLS via Let's Encrypt.

Set KRONFORCE_ENCRYPTION_KEY to encrypt sensitive fields (secret variable values) using AES-256-GCM before storing in SQLite.

# Generate a strong key
openssl rand -base64 32

# Set it
KRONFORCE_ENCRYPTION_KEY=your-random-key-here cargo run --bin kronforce

Encrypted values are prefixed with enc: in the database. If the key is not set, values are stored in plaintext. Changing the key requires re-encrypting existing values.

For full database encryption, use volume-level encryption (AWS EBS encryption, LUKS, DigitalOcean encrypted volumes).

• 4 roles: admin, operator, viewer, agent
• Keys stored as SHA-256 hashes (raw key never persisted)
• Bootstrap keys auto-generated on first startup
• Group scoping: restrict keys to specific job groups
• IP allowlisting: restrict keys to specific source IPs (per-key)

• OpenID Connect with any standard provider (Okta, Azure AD, Google, Keycloak)
• Server-side sessions in SQLite with configurable TTL (default 24h)
• Role mapping from IdP claims
• Session cookie: HttpOnly, SameSite=Lax, Secure (when HTTPS)

• Agent → controller authenticated with KRONFORCE_AGENT_KEY (a kf_… API key with the agent role)
• Controller → agent dispatch reuses the same key: the controller captures the agent's bearer at registration time into an in-memory map keyed by agent id and replays it on /execute, /cancel, and /shutdown. The map is process-local, never persisted, and cleared on agent deregistration. After a controller restart the map is empty until each agent re-registers on its next heartbeat.
• Multiple agents may use distinct keys; the controller does not need any matching env var for dispatch to work.
• Optional fallback: if a per-agent token has not been captured yet, the controller will fall back to KRONFORCE_DISPATCH_KEY, KRONFORCE_AGENT_KEY, or KRONFORCE_BOOTSTRAP_AGENT_KEY (in that order) if any are set in its environment.
• Constant-time key comparison to prevent timing attacks

API keys can be scoped to specific job groups (allowed_groups). Scoped keys can only see and manage jobs in their allowed groups. Admin keys bypass group scoping.

All state-changing operations are recorded in an append-only audit log:

• API key creation and revocation
• Job create, update, delete, trigger
• Script save and delete
• Settings changes
• Variable create, update, delete
• Agent deregistration
• Execution approval

Query via GET /api/audit-log (admin only). Separate retention from events (default 90 days).

Three-tier rate limiting protects against abuse:

Returns 429 Too Many Requests with Retry-After header.

• SSRF protection: HTTP tasks block private IPs, localhost, and cloud metadata endpoints
• Command injection: Kafka properties sanitized
• ReDoS protection: Regex patterns capped at 1024 characters
• Privilege escalation: run_as username validated
• Credential handling: FTP credentials via temp netrc file (not command-line args)
• XSS prevention: All user input escaped with esc() in frontend
• SQL injection: All queries use parameterized statements
• CSRF: Session cookies use SameSite=Lax
• Security headers: X-Frame-Options: DENY, X-Content-Type-Options: nosniff, Referrer-Policy: strict-origin-when-cross-origin

curl http://localhost:8080/api/data/export \
  -H "Authorization: Bearer kf_admin_key"

Returns full JSON export of all jobs, variables, templates, agents, and groups. Admin only.

curl -X DELETE http://localhost:8080/api/data/delete \
  -H "Authorization: Bearer kf_admin_key" \
  -H "X-Confirm-Delete: yes-delete-all-data"

Purges all jobs, executions, variables, templates, events, audit log, and sessions. Requires admin role and explicit confirmation header. Irreversible.

Automatic data purging configured via Settings:

• retention_days (default 7): executions, events, queue items
• audit_retention_days (default 90): audit log entries

RUST_LOG=kronforce=info cargo run --bin kronforce

KRONFORCE_LOG_FORMAT=json RUST_LOG=kronforce=info cargo run --bin kronforce

JSON logs are compatible with Datadog, Splunk, CloudWatch, ELK, and any log aggregation service that parses structured JSON.

• cargo audit runs in CI on every push and pull request
• Checks for known vulnerabilities (RustSec advisory database)
• Checks for yanked crates
• All dependencies pinned via Cargo.lock

If you suspect a security incident:

1. Rotate keys immediately: create new admin/agent keys, revoke compromised ones
2. Check audit log: GET /api/audit-log for unauthorized changes
3. Check events: GET /api/events for unusual activity
4. Review sessions: expired OIDC sessions are cleaned automatically; force-clear by restarting
5. Export data: GET /api/data/export for forensic backup
6. Change encryption key: if KRONFORCE_ENCRYPTION_KEY is compromised, rotate it and re-encrypt secrets
7. Review agent keys: check if any agent keys were used from unexpected IPs