# Security Checklist

The following are general guidelines for securing your ESS deployment. The checklist is not meant to be exhaustive.

### Limit Network Exposure

- Limit external access to specific networks/ports.
- Separate internal and external traffic. For example, by running inside a VPC, you can ensure that all communication within the VPC is securely separated from external traffic.
- If setting up a VPN endpoint, avoid manually adding public Internet routes/authorizations to the VPN endpoint.

### Use Encryption

- Use TLS for network encryption.
  - Encrypt in-transit inbound traffic to ESS.
  - For external-facing services, use TLS certificates from an official Certificate Authority (CA). Do not use self-signed certificates.
- Encrypt data at rest, including audit logs.

See [Encryption](/security/encryption.md).

### Manage and Safeguard Sensitive Data/Credentials

- Many strategies for safeguarding sensitive data/credentials exist for Kubernetes. Investigate the best available options for your environment.
- Secure highly sensitive environment variables (e.g., passwords, tokens). Do not set these as plain environment variables on the containers, as they are stored and passed in plain text.
- Take care about what you grant access to, and to whom.
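As an added illustration of the environment-variable point above (manifests written for this page, not Inrupt's own ESS Helm charts; the names `ess-app`, `ess-db-credentials`, `DB_PASSWORD`, the image and the mount path are placeholders), the same credential first set as a literal container environment variable, then supplied from a Kubernetes Secret mounted as a read-only file:

```yaml
# Anti-pattern: the credential is a literal in the Pod spec. It is stored in
# plain text in the API server/etcd, visible to anyone who can read the Pod
# object, and exposed in the container's process environment.
apiVersion: v1
kind: Pod
metadata:
  name: ess-app-insecure            # placeholder name
spec:
  containers:
    - name: app
      image: example.com/ess-app:1.0   # placeholder image
      env:
        - name: DB_PASSWORD
          value: "s3cr3t-example"      # constructed sample value; do not do this
---
# Preferred: keep the credential in a Secret object (RBAC-scoped, and encrypted
# at rest when etcd encryption is enabled) and mount it as a read-only file, so
# the value appears neither in the Pod spec nor in the container environment.
apiVersion: v1
kind: Secret
metadata:
  name: ess-db-credentials          # placeholder name
type: Opaque
stringData:
  db-password: "s3cr3t-example"     # constructed sample; in practice create the
                                    # Secret out of band, not in a committed file
---
apiVersion: v1
kind: Pod
metadata:
  name: ess-app                     # placeholder name
spec:
  containers:
    - name: app
      image: example.com/ess-app:1.0   # placeholder image
      volumeMounts:
        - name: db-credentials
          mountPath: /var/run/secrets/ess   # placeholder path the app reads from
          readOnly: true
  volumes:
    - name: db-credentials
      secret:
        secretName: ess-db-credentials
        defaultMode: 0400           # owner read-only inside the container
```

The application then reads `/var/run/secrets/ess/db-password` at startup instead of `DB_PASSWORD`; the `env` form with `valueFrom.secretKeyRef` is an intermediate option that keeps the value out of the Pod spec but still places it in the process environment.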
