Security Best Practices Implementation

  • HTTPS everywhere via Traefik; HSTS enabled (secure-headers middleware).
  • OAuth2 Authorization Code with PKCE for public clients.
  • Access Tokens short-lived (15m); Refresh Tokens long-lived (30d, rotation + reuse detection).
  • 2FA enabled: TOTP and WebAuthn platform authenticators.
  • Password policies in Keycloak: length ≥ 12, uppercase/lowercase/digits/specials, history=5, must not contain username/email.
  • Rate limiting on /auth/* endpoints and login attempts; IP-based + user-based.
  • Brute-force protection in Keycloak enabled.
  • JWT validation with JWKS caching in Redis; enforce iss, aud, exp, azp.
  • RBAC enforced both in gateway (coarse) and services (fine); ABAC via tenant_id claims.
  • Sensitive cookies set as HttpOnly, Secure, SameSite=None, scoped to .portugalodyssey.pt.
  • Key rotation: configure Keycloak to rotate signing keys periodically; services tolerate kid changes.
  • Secret management: Do not commit secrets; use .env per environment and consider Sealed Secrets or Vault in the future.
  • Logging: Never log tokens or PII; add request IDs; integrate with centralized logging.
  • CSP headers and security headers via Traefik dynamic config.
  • Database: least privilege users per DB (init-multiple-databases.sh creates service-specific users); schema iam with strict FK.
  • Backups: Postgres dumps and Keycloak realm export scheduled; secure S3 / MinIO bucket.
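The refresh-token item above ("rotation + reuse detection") is the part most often implemented incorrectly, so here is an added example of the server-side state machine it implies. This is illustrative code written for this page, not the project's own implementation: a dict stands in for the token table, only SHA-256 hashes of tokens are stored, and the 30-day lifetime matches the checklist.

```python
import hashlib
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Set

REFRESH_TTL = 30 * 24 * 3600  # 30 days, the lifetime stated in the checklist


@dataclass
class RefreshRecord:
    family: str         # every token descended from one login shares a family id
    user: str
    expires_at: float
    used: bool = False  # flipped the first time the token is exchanged


class RefreshTokenStore:
    """Server-side refresh-token state. A dict stands in for the database
    (assumption); only SHA-256 hashes of tokens are kept, so a leaked table
    does not yield usable tokens."""

    def __init__(self, now: Callable[[], float] = time.time) -> None:
        self._now = now
        self._by_hash: Dict[str, RefreshRecord] = {}
        self._revoked_families: Set[str] = set()

    @staticmethod
    def _h(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, user: str, family: Optional[str] = None) -> str:
        """Mint a refresh token; starts a new family unless rotating an existing one."""
        token = secrets.token_urlsafe(32)
        fam = family or secrets.token_hex(8)
        self._by_hash[self._h(token)] = RefreshRecord(fam, user, self._now() + REFRESH_TTL)
        return token

    def rotate(self, presented: str) -> Optional[str]:
        """Exchange a refresh token for a fresh one. Returns None when the token
        is unknown, expired, or in a revoked family; a replay of an already-used
        token revokes the whole family (reuse detection)."""
        rec = self._by_hash.get(self._h(presented))
        if rec is None or rec.family in self._revoked_families:
            return None
        if rec.expires_at <= self._now():
            return None
        if rec.used:
            # The legitimate client already exchanged this token, so a second
            # presentation means a copy exists. Revoke the family so both
            # holders are forced back through a full login.
            self._revoked_families.add(rec.family)
            return None
        rec.used = True
        return self.issue(rec.user, rec.family)

    def is_family_revoked(self, token: str) -> bool:
        rec = self._by_hash.get(self._h(token))
        return rec is not None and rec.family in self._revoked_families


if __name__ == "__main__":
    store = RefreshTokenStore()
    first = store.issue("alice")
    second = store.rotate(first)           # normal rotation
    print("rotated:", second is not None)
    print("replay accepted:", store.rotate(first) is not None)   # False: reuse detected
    print("family revoked:", store.is_family_revoked(second))    # True
```

The `now` parameter is injected so expiry can be tested deterministically; in production it is simply `time.time`. Because a replay revokes the family rather than just the replayed token, the legitimate user is logged out too, which is intentional: it is the only way to be sure the copied token's holder is cut off.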
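The rate-limiting item calls for both IP-based and user-based limits on login attempts. As an added example (not the project's gateway code), the following sliding-window limiter keeps two independent buckets and shows why one is not enough: a per-IP limit alone does not stop guessing spread over many addresses against one account, and a per-user limit alone does not stop one address cycling through many accounts. The limits (20 per minute per IP, 5 per minute per user) and the in-memory store are assumptions for the demo.

```python
import time
from collections import defaultdict, deque
from typing import Callable, Deque, Dict


class SlidingWindowLimiter:
    """Allows at most `limit` events per key within the trailing `window` seconds."""

    def __init__(self, limit: int, window: float,
                 now: Callable[[], float] = time.time) -> None:
        self.limit, self.window, self._now = limit, window, now
        # In-memory store (assumption); a shared deployment would keep this in Redis.
        self._events: Dict[str, Deque[float]] = defaultdict(deque)

    def _prune(self, key: str) -> Deque[float]:
        q = self._events[key]
        cutoff = self._now() - self.window
        while q and q[0] <= cutoff:
            q.popleft()
        return q

    def would_allow(self, key: str) -> bool:
        return len(self._prune(key)) < self.limit

    def record(self, key: str) -> None:
        self._events[key].append(self._now())


class LoginRateLimiter:
    """Two independent limits: per source IP (one address trying many accounts)
    and per target account (many addresses trying one account). Both buckets
    are checked before either is charged, so a denied attempt cannot be used
    to learn which bucket is full."""

    def __init__(self, ip_limit: int = 20, user_limit: int = 5,
                 window: float = 60.0, now: Callable[[], float] = time.time) -> None:
        self.by_ip = SlidingWindowLimiter(ip_limit, window, now)
        self.by_user = SlidingWindowLimiter(user_limit, window, now)

    def check(self, ip: str, username: str) -> bool:
        # Normalize so "Alice " and "alice" share a bucket (Keycloak usernames are case-insensitive).
        user_key = username.strip().lower()
        allowed = self.by_ip.would_allow(ip) and self.by_user.would_allow(user_key)
        # Denied attempts are still recorded, so continuing to hammer keeps the window full.
        self.by_ip.record(ip)
        self.by_user.record(user_key)
        return allowed


if __name__ == "__main__":
    rl = LoginRateLimiter(user_limit=3)
    for i in range(4):
        print(f"attempt {i + 1} for alice from 10.0.0.1:", rl.check("10.0.0.1", "alice"))
```

Recording denied attempts is a deliberate trade-off: it keeps an attacker locked out for as long as they keep trying, but it also means a targeted account stays throttled while the attempts continue. If that lockout-as-denial-of-service matters for a deployment, count only allowed attempts in the per-user bucket and keep the per-IP bucket as written. Keycloak's own brute-force protection (next item in the list) adds a second, account-level layer behind this gateway check.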
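Two items above belong together in code: JWT validation with a JWKS cache that enforces iss, aud, exp and azp, and signing-key rotation that services must tolerate by handling unknown kid values. The following is an added example written for this page, not the project's or Keycloak's code. It assumes a dict with a TTL as a stand-in for Redis, and it signs with HS256 over an oct JWK so the block runs with the standard library alone; a real Keycloak realm publishes RSA keys and the signature step would use an RS256 verifier from a JOSE library. The issuer, audience and client id values are hypothetical.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Callable, Dict, Optional


def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


class JwksCache:
    """Caches the issuer's JWKS keyed by kid. A dict stands in for Redis
    (assumption); `ttl` plays the role of SETEX. An unknown kid triggers one
    refetch so a rotated key is picked up, but never more often than
    `min_refetch` seconds, so bogus kids cannot turn the cache into a fetch amplifier."""

    def __init__(self, fetch: Callable[[], dict], ttl: float = 3600.0,
                 min_refetch: float = 60.0, now: Callable[[], float] = time.time) -> None:
        self._fetch, self._ttl, self._min_refetch, self._now = fetch, ttl, min_refetch, now
        self._keys: Dict[str, dict] = {}
        self._fetched_at = float("-inf")
        self.fetch_count = 0  # exposed so the effect of caching is observable

    def _refresh(self) -> None:
        self._keys = {k["kid"]: k for k in self._fetch()["keys"]}
        self._fetched_at = self._now()
        self.fetch_count += 1

    def get(self, kid: str) -> Optional[dict]:
        if self._now() - self._fetched_at > self._ttl:
            self._refresh()
        key = self._keys.get(kid)
        if key is None and self._now() - self._fetched_at >= self._min_refetch:
            self._refresh()  # tolerate a kid change after key rotation
            key = self._keys.get(kid)
        return key


def verify_jwt(token: str, jwks: JwksCache, issuer: str, audience: str,
               client_id: str, now: Callable[[], float] = time.time) -> dict:
    """Verify the signature, then iss, aud, azp and exp. Raises ValueError on any failure."""
    try:
        h_b64, p_b64, s_b64 = token.split(".")
    except ValueError:
        raise ValueError("malformed token")
    header = json.loads(b64url_decode(h_b64))
    # The verifier, not the token, decides the algorithm (HS256 here as a demo stand-in for RS256).
    if header.get("alg") != "HS256":
        raise ValueError("unsupported alg")
    key = jwks.get(str(header.get("kid", "")))
    if key is None:
        raise ValueError("unknown kid")
    expected = hmac.new(b64url_decode(key["k"]), f"{h_b64}.{p_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s_b64)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(p_b64))
    if claims.get("iss") != issuer:
        raise ValueError("bad iss")
    aud = claims.get("aud")
    aud_list = [aud] if isinstance(aud, str) else list(aud or [])  # aud may be a string or a list
    if audience not in aud_list:
        raise ValueError("bad aud")
    if claims.get("azp") != client_id:
        raise ValueError("bad azp")
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now():
        raise ValueError("expired")
    return claims


def is_valid(token: str, jwks: JwksCache, issuer: str, audience: str,
             client_id: str, now: Callable[[], float] = time.time) -> bool:
    try:
        verify_jwt(token, jwks, issuer, audience, client_id, now)
        return True
    except ValueError:
        return False


def mint(claims: dict, kid: str, secret: bytes) -> str:
    """Constructed for the demo only; in production Keycloak mints the tokens."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT", "kid": kid}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"
```

The azp check is what ties a token to the client it was issued to: a token minted for one confidential client with the right audience would otherwise be accepted when presented by another. Keycloak normally puts `account` in `aud` alongside the real audience, which is why the check accepts a list and looks for the expected member rather than comparing the whole value.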