fix(ory): harden Kratos and Hydra production security configuration

Kratos: xchacha20-poly1305 cipher for at-rest encryption, 12-char min
password with HaveIBeenPwned + similarity check, recovery/verification
switched to code (not link), anti-enumeration on unknown recipients,
15m privileged session, 24h session extend throttle, JSON structured
logging, WebAuthn passwordless enabled, additionalProperties: false on
all identity schemas, memory limits bumped to 256Mi.

Hydra: expose_internal_errors disabled, PKCE enforced for public
clients, janitor CronJob every 6h, cookie domain set explicitly,
SSRF prevention via disallow_private_ip_ranges, JSON structured
logging, Maester enabledNamespaces includes monitoring.

Also: fixed selfservice URL patch divergence (settings path, missing
allowed_return_urls), removed invalid responseTypes on Hive client.
2026-03-24 19:40:58 +00:00
parent 4c02fe18ed
commit 50a4abf94f
5 changed files with 56 additions and 56 deletions
@@ -70,6 +70,8 @@ spec:
text: "{{ index .Secrets \"secrets-cookie\" }}"
smtpConnectionURI:
text: "{{ index .Secrets \"smtp-connection-uri\" }}"
secretsCipher:
text: "{{ index .Secrets \"secrets-cipher\" }}"
---
# Kratos DB credentials from OpenBao database secrets engine (static role, 24h rotation).
apiVersion: secrets.hashicorp.com/v1beta1
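Review bot: the added `secretsCipher` entry renders `{{ index .Secrets "secrets-cipher" }}`, but nothing in this hunk shows that a `secrets-cipher` key is provisioned from the same secret source as the neighbouring `secrets-cookie` and `smtp-connection-uri`; please confirm that key exists and is populated, and that its value satisfies the key-length requirement of the xchacha20-poly1305 at-rest cipher the commit message says this enables, since a missing or short value will surface only at Kratos startup rather than at deploy time. A one-line comment stating the expected length and rotation policy, matching the DB-credentials comment just below the `---`, would make that requirement visible to the next person editing this template.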