fix(ory): harden Kratos and Hydra production security configuration

Kratos: xchacha20-poly1305 cipher for at-rest encryption, 12-char min
password with HaveIBeenPwned + similarity check, recovery/verification
switched to code (not link), anti-enumeration on unknown recipients,
15m privileged session, 24h session extend throttle, JSON structured
logging, WebAuthn passwordless enabled, additionalProperties: false on
all identity schemas, memory limits bumped to 256Mi.

Hydra: expose_internal_errors disabled, PKCE enforced for public
clients, janitor CronJob every 6h, cookie domain set explicitly,
SSRF prevention via disallow_private_ip_ranges, JSON structured
logging, Maester enabledNamespaces includes monitoring.

Also: fixed selfservice URL patch divergence (settings path, missing
allowed_return_urls), removed invalid responseTypes on Hive client.
2026-03-24 19:40:58 +00:00
parent 4c02fe18ed
commit 50a4abf94f
5 changed files with 56 additions and 56 deletions


@@ -26,9 +26,23 @@ hydra:
# Revoking a Kratos session (sunbeam user disable) prevents refresh.
refresh_token: 720h
oauth2:
expose_internal_errors: false
pkce:
enforced_for_public_clients: true
log:
format: json
leak_sensitive_values: false
clients:
http:
disallow_private_ip_ranges: true
serve:
cookies:
same_site_mode: Lax
domain: DOMAIN_SUFFIX
public:
cors:
enabled: true
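Review bot: the `domain: DOMAIN_SUFFIX` value under `serve.cookies` reads as a substitution placeholder; if nothing in the kustomize/replacement pipeline rewrites it before deploy, Hydra will emit its session and CSRF cookies for the literal host `DOMAIN_SUFFIX` and the login/consent flow will fail, so either add a comment beside that line naming the replacement that fills it in or set the real suffix here. Separately, `clients.http.disallow_private_ip_ranges: true` applies to every outbound HTTP call Hydra makes on behalf of a client (JWKS fetches, backchannel logout, request URIs), so any in-cluster endpoint on a private address needs to be listed under the `clients.http.private_ip_exception_urls` allow-list, or the hunk should note that blocking them is intended.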
@@ -46,11 +60,22 @@ hydra-maester:
enabledNamespaces:
- lasuite
- matrix
- monitoring
# ServiceMonitor created as standalone resource (hydra-servicemonitor.yaml) —
# chart's built-in ServiceMonitor requires .Capabilities.APIVersions which
# kustomize helm template doesn't provide.
janitor:
enabled: true
cleanupGrants: true
cleanupRequests: true
cleanupTokens: true
cronjob:
janitor:
schedule: "0 */6 * * *"
deployment:
extraEnv:
- name: DSN
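Review bot: the janitor is enabled with `cleanupTokens`, `cleanupGrants` and `cleanupRequests` all true on a 6h schedule, but the hunk sets no retention window, so whatever the chart passes as the janitor's keep-if-younger defaults decides how long expired consent requests and tokens are kept before being purged; state the intended retention explicitly here rather than relying on chart defaults, since it is what an incident investigation will have to work with. Also, the DSN in this file is wired only under `deployment.extraEnv`, so confirm the janitor CronJob pod receives the same secret-backed DSN; otherwise the job runs every 6h against no database.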
@@ -60,7 +85,7 @@ deployment:
key: dsn
resources:
limits:
memory: 64Mi
memory: 256Mi
requests:
memory: 32Mi
memory: 64Mi
cpu: 25m
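Review bot: the commit message credits the 256Mi memory bump to Kratos, but this hunk lives in the Hydra values file (the `hydra:` and `hydra-maester:` hunk headers above) and raises the same limit from 64Mi to 256Mi with the request going from 32Mi to 64Mi; either mention the Hydra change in the message or confirm it is intended. The resulting 4:1 limit-to-request ratio also means the scheduler places the pod on 64Mi while the container may grow to 256Mi, so if the bump was driven by OOM kills at the old 64Mi limit, consider raising the request closer to the observed steady-state usage so the node is not overcommitted.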