QueryGlow

Production Checklist

Databases are critical infrastructure. Verify every item on this list before going live. The deploy.sh script configures most of these automatically, but you should verify them yourself.

The "Zero Breach" Rules

Mandatory. Non-negotiable.

Access Control

Basic Auth is Active

Without credentials, requests should return 401. Test: curl https://your-domain.com should return "401 Unauthorized".

CSRF Protection is Active

Cross-origin POST requests should be blocked. Test with:

curl -X POST https://your-domain.com/api/connections -H "Origin: https://malicious-site.com" -u admin:password

Should return "403 CSRF validation failed"

Network Isolation

QueryGlow binds to 127.0.0.1 only (via network_mode: host in production). Only Nginx can reach it.

Least Privilege Database Users

Use dedicated database users with limited permissions when possible, not the postgres superuser.

Safe Mode

Safe Mode is Enabled (Default)

By default, Safe Mode blocks dangerous queries in the Query Editor:

  • DROP TABLE, DROP DATABASE
  • TRUNCATE
  • DELETE / UPDATE without WHERE clause

Verify: grep QUERYGLOW_ALLOW_DESTRUCTIVE .env — should be false or not set.

Data Browser Buttons Still Work

Safe Mode only affects the Query Editor (raw SQL). The Data Browser's edit/delete row buttons work normally because they operate on single rows with proper WHERE clauses.

Search Engine Blocking

X-Robots-Tag Header is Set

Nginx adds X-Robots-Tag: noindex, nofollow, noarchive to prevent search engine indexing.

Test: curl -I https://your-domain.com — look for the X-Robots-Tag header.

Verify After 24 Hours

Search site:your-domain.com on Google. Should return no results.

Data Persistence & Backup

Docker Volume is Mounted

Verify /app/data is persisted: docker volume ls | grep queryglow

Backup Both Data AND .env

Your backup must include:

  • data/connections.json — encrypted connection profiles
  • data/saved-queries.json — saved SQL snippets
  • data/query-history.json — query history (1,000 per connection)
  • .env (CRITICAL): contains SESSION_SECRET (encryption key)

Warning: Without the SESSION_SECRET from your .env file, you cannot decrypt saved database passwords. Back up .env separately and securely.

Verification Commands

Run these commands to verify your deployment:

# 1. HTTPS works
curl https://your-domain.com/api/health -u admin:password
# Should return: {"status":"ok"}

# 2. HTTP redirects to HTTPS
curl -I http://your-domain.com
# Should return: 301 redirect to https://

# 3. Auth is required
curl https://your-domain.com
# Should return: 401 Unauthorized

# 4. Port 3000 is NOT exposed (run from another machine)
curl http://your-server-ip:3000
# Should return: Connection refused

# 5. Database ports are closed
sudo ufw status | grep -E "5432|3306"
# Should return: nothing (ports not listed)

# 6. Safe Mode is ON
grep QUERYGLOW_ALLOW_DESTRUCTIVE .env
# Should return: false (or nothing = defaults to false)
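
The Safe Mode grep (the Verify line under Safe Mode and check 6 above) prints commented-out and duplicate lines as well, so its output has to be read carefully. The script below is an added example, not part of QueryGlow or deploy.sh, that turns the check into a pass/fail result. It assumes .env uses KEY=value lines and, because the page does not say how duplicate keys are resolved, fails on any active assignment other than false; safe_mode_on and sample_env are hypothetical names.

```sh
#!/bin/sh
# Added example (not part of QueryGlow): a stricter Safe Mode check than grep.
# Assumptions: .env holds KEY=value lines; how duplicate keys are resolved is
# not stated on the page, so ANY active assignment other than "false" fails.
KEY="QUERYGLOW_ALLOW_DESTRUCTIVE"

# Returns 0 if KEY is unset or every active assignment is "false",
# 1 if any active assignment has another value, 2 if the file is unreadable.
safe_mode_on() {
  [ -r "$1" ] || { echo "cannot read $1" >&2; return 2; }
  awk -v key="$KEY" -v sq="'" '
    BEGIN { bad = 0 }
    {
      sub(/\r$/, "")                          # tolerate CRLF line endings
      sub(/^[ \t]*(export[ \t]+)?/, "")       # indentation, optional "export"
      if ($0 !~ ("^" key "[ \t]*=")) next     # skips comments and other keys
      val = $0
      sub("^" key "[ \t]*=[ \t]*", "", val)   # keep only the value
      sub(/[ \t]+#.*$/, "", val)              # trailing inline comment
      sub(/[ \t]+$/, "", val)                 # trailing whitespace
      gsub("^[\"" sq "]|[\"" sq "]$", "", val)  # surrounding quotes
      if (tolower(val) != "false") {
        printf "line %d: %s=%s is not false\n", NR, key, val
        bad = 1
      }
    }
    END { exit bad }' "$1"
}

# Constructed sample: grep prints all three lines, and only a careful read
# shows that the commented line is inert while the last one disables Safe Mode.
sample_env() {
  printf '%s\n' '# QUERYGLOW_ALLOW_DESTRUCTIVE=true' \
    'QUERYGLOW_ALLOW_DESTRUCTIVE=false' \
    'export QUERYGLOW_ALLOW_DESTRUCTIVE="True"  # temporary'
}

# Usage: sh check_safe_mode.sh /path/to/.env   (exit status 0 = Safe Mode on)
if [ -n "${1:-}" ]; then
  safe_mode_on "$1" && echo "Safe Mode ON: $KEY is unset or false in $1"
fi
```

The non-zero exit status makes the check usable as a gate in a deploy or monitoring job.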

What deploy.sh Configures Automatically

  • HTTPS/SSL (Let's Encrypt)
  • Basic Auth (bcrypt, 10 rounds)
  • CSRF protection
  • Safe Mode enabled
  • AES-256-GCM credential encryption
  • Network isolation (localhost only)
  • Security headers (HSTS, X-Frame-Options)
  • Search engine blocking
  • AI rate limiting (30/min)
  • Auth rate limiting (10/min)

See Security Overview for the complete security architecture.