Amy-Term

Security baseline

Practical security controls for Amy-Term deployments: transport security, secrets, authentication, auditability, and hardening.

Scope

Goal: protect integrity and availability of terminology artefacts, enforce access control, and support auditability. This page is implementation-focused (runbook style), not a full ISMS.

Recommended deployment assumptions

  • Reverse proxy in front of the app (Nginx/Traefik) terminating TLS.
  • PostgreSQL not publicly exposed (private network only).
  • Admin endpoints restricted (RBAC + network controls).
  • Regular tested backups with retention policy.

TLS (Transport security)

Run all browser and API access over HTTPS in production. If you are federating, always require TLS between nodes.

Quick verification

Verify HTTPS endpoints (-I sends a HEAD request and prints only the response headers; leave -k off, because it disables certificate validation and the check would then not confirm the certificate chain)
$ curl -I https://your-domain.example/health/live
$ curl -I https://your-domain.example/docs

Secrets management

Do not commit secrets into Git. Use environment variables or a secrets manager.

Minimum secrets to protect

  • Database credentials
  • JWT/session signing keys (if applicable)
  • Federation signing keys (private keys)
  • SMTP credentials (if used)

Operational rules

  • Rotate secrets on staff changes, incidents, and on a fixed schedule (quarterly is common).
  • Store secrets outside application containers (Docker secrets, K8s secrets, Vault, etc.).
  • Do not log secrets. Redact values in error messages.

Authentication & RBAC

Production deployments should enable authentication and restrict sensitive routes (imports, federation, user management, metrics).

Role guidance

  • Viewer: read-only browsing and read-only FHIR operations
  • Admin: authoring, imports, federation operations
  • User Admin: user provisioning and role assignment

Recommended policy

  • Least privilege by default
  • Separate admin accounts from personal accounts
  • Use strong passwords + rotation where required

Audit logging

Ensure logs capture who changed what and when (imports, authoring, ConceptMap edits, federation captures).

Minimum events

  • Login and logout events (success + failure)
  • Admin actions (user/role changes)
  • Terminology content changes (create/update/delete)
  • Federation artefact creation and ingestion

Backups

Backups are part of security (availability). Maintain at least one offline copy and test restores regularly.

See: Postgres backup / restore.

Operational hardening

Network

  • Restrict admin UI to VPN or allow-listed IP ranges where possible.
  • Do not expose Postgres directly to the internet.

Rate limiting / abuse controls

  • Rate-limit public endpoints at the reverse proxy (especially expand/search).
  • Set request body size limits for imports.
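An added Nginx reverse-proxy fragment covering the Network and Rate limiting points above; it is not Amy-Term project configuration. It assumes the app listens on 127.0.0.1:8000, that search/expand and the admin/import routes live at the paths shown, and uses placeholder certificate paths and a placeholder admin IP range.

```nginx
# Assumptions (not from the Amy-Term project): app on 127.0.0.1:8000,
# search at /search, FHIR $expand under /fhir/..., admin UI and imports
# under /admin/. Certificate paths and the 10.0.0.0/8 range are placeholders.
upstream amyterm {
    server 127.0.0.1:8000;
}

# One shared limit for abuse-prone endpoints: 10 requests/s per client IP.
limit_req_zone $binary_remote_addr zone=amyterm_search:10m rate=10r/s;

server {
    listen 80;
    server_name your-domain.example;
    return 301 https://$host$request_uri;   # never serve the app over plain HTTP
}

server {
    listen 443 ssl;
    server_name your-domain.example;

    ssl_certificate     /etc/ssl/certs/amyterm.crt;     # placeholder
    ssl_certificate_key /etc/ssl/private/amyterm.key;   # placeholder
    ssl_protocols TLSv1.2 TLSv1.3;
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

    client_max_body_size 1m;   # small default; only imports need more

    # Inherited by every location below that does not set its own headers.
    proxy_set_header Host              $host;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;

    # Public read paths (browsing, /docs, /health/*) pass through as-is.
    location / {
        proxy_pass http://amyterm;
    }

    # Rate-limit expand/search: burst absorbs short spikes, excess gets 429.
    location ~ ^/(search|fhir/.*/\$expand) {
        limit_req zone=amyterm_search burst=20 nodelay;
        limit_req_status 429;
        proxy_pass http://amyterm;
    }

    # Admin UI, user management and imports: allow-listed network only,
    # with a larger but still bounded body limit for import uploads.
    location /admin/ {
        allow 10.0.0.0/8;   # placeholder: VPN or office range
        deny  all;
        client_max_body_size 200m;
        proxy_pass http://amyterm;
    }
}
```

Check the result with `nginx -t` before reloading, and confirm the limits by sending a burst of requests to the search route and observing 429 responses in the proxy access log.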

Monitoring

  • Use /health/live and /health/ready in your monitoring.
  • Monitor error rates and latency on terminology search/expand routes.