Securing your Application

At Sherpa.sh, we take security seriously. This document outlines our recommended security practices and integrations to help you protect your applications and infrastructure from common threats. Following these guidelines will help ensure your projects deployed through Sherpa.sh remain secure and reliable.

Sherpa.sh Infrastructure Security

At Sherpa.sh, we maintain robust security across all infrastructure layers to provide you with a secure platform for your applications. These are measures sherpa.sh handles for you that you would otherwise have to implement yourself on self-managed servers (for example with Coolify or Dokku). Our comprehensive approach includes:

  1. Operating System Security

    • Regular patching and updates for all server operating systems

    • Principle of least privilege for system access

    • Regular security scans and vulnerability assessments

  2. Network Security

    • Network segmentation to isolate critical systems

    • DDoS protection at the edge

    • Real-time network monitoring for suspicious activity

  3. SSL/TLS Implementation

    • TLS 1.3 and strong cipher suites enforced

    • Automatic certificate rotation before expiration

    • HSTS (HTTP Strict Transport Security) enabled by default

  4. Data Protection

    • Encryption of all data in transit

    • Secure backup systems with encryption

    • Data isolation between customers

  5. Continuous Security Monitoring

    • 24/7 monitoring of all infrastructure components

    • Automated alerts for security anomalies

    • Incident response team on standby

We manage these security measures behind the scenes so you can focus on developing your applications without worrying about infrastructure security. This approach allows us to maintain a secure environment while providing the flexibility and resources you need for your projects.

Sherpa.sh Platform Security Best Practices

Secure Your Account

  1. Enable Two-Factor Authentication (2FA)

    • Enable 2FA on your Sherpa.sh account immediately to prevent unauthorized access

    • Use an authenticator app (like Google Authenticator or Authy) rather than SMS when possible

    • Store recovery codes securely in a password manager or other secure location

  2. Strong Password Practices

    • Use a unique, complex password for your Sherpa.sh account

    • Change your password periodically, especially after suspected security incidents

Environment Variables and Secrets Management

  1. Never Commit Secrets to Your Repository

    • Store sensitive information like API keys, database credentials, and access tokens as environment variables in Sherpa.sh

  2. Secure Environment Variable Handling

    • Use the principle of least privilege - only expose variables to services that need them

GitHub Repository Security

  1. Enable Branch Protection Rules

    • Navigate to your repository on GitHub → Settings → Branches → Add rule (see the GitHub Branch Protection Documentation for details on each setting)

    • Protect your main/production branch with these settings:

      • Require pull request reviews before merging

      • Require status checks to pass before merging

      • Require signed commits

      • Do not allow bypassing the above settings

  2. Limit Repository Access

    • Review collaborators regularly and remove unnecessary access

    • Use teams with appropriate permission levels instead of individual access

    • Consider implementing a CODEOWNERS file to ensure proper code review coverage

  3. Secure Continuous Integration/Deployment

    • Implement security scanning in your CI/CD pipeline

    • Scan dependencies for vulnerabilities before deployment

    • Consider implementing automated security testing

Application Hardening

  1. Regular Security Updates

    • Keep all frameworks and libraries up-to-date

    • Subscribe to security bulletins for your technology stack

  2. Security Headers and Configuration

    • Set appropriate security headers like Content-Security-Policy, X-XSS-Protection, etc.

    • Configure proper CORS settings to restrict cross-origin requests

    • Implement proper input validation and sanitization

    • Enable CSRF protection for all forms
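
As an added example (not code from sherpa.sh, Next.js or Arcjet), the functions below put the header, CORS and CSRF advice above into a testable form for a Next.js app; the origins used are placeholder assumptions.

```javascript
// Added example, not sherpa.sh's or Arcjet's code. Security headers, a CORS
// allowlist and a same-origin CSRF check for a Next.js app, written as plain
// functions. The origins below are placeholders; replace them with your own.
const SELF_ORIGIN = "https://app.example.com";          // placeholder
const ALLOWED_ORIGINS = new Set([SELF_ORIGIN, "http://localhost:3000"]);

// Headers to return from the `headers()` hook in next.config.js.
// X-XSS-Protection is left out on purpose: current browsers ignore it, and a
// strict Content-Security-Policy covers the same risk without its quirks.
function securityHeaders() {
  return [
    { key: "Content-Security-Policy",
      value: "default-src 'self'; script-src 'self'; object-src 'none'; " +
             "base-uri 'self'; frame-ancestors 'none'" },
    { key: "Strict-Transport-Security", value: "max-age=63072000; includeSubDomains" },
    { key: "X-Content-Type-Options", value: "nosniff" },
    { key: "X-Frame-Options", value: "DENY" },
    { key: "Referrer-Policy", value: "strict-origin-when-cross-origin" },
    { key: "Permissions-Policy", value: "camera=(), microphone=(), geolocation=()" },
  ];
}

// CORS: echo back only an allowlisted Origin, never "*" together with
// credentials. An absent or unknown Origin gets no CORS headers at all, so the
// browser refuses the cross-origin read.
function corsHeaders(origin) {
  if (!origin || !ALLOWED_ORIGINS.has(origin)) return {};
  return {
    "Access-Control-Allow-Origin": origin,
    "Access-Control-Allow-Credentials": "true",
    "Access-Control-Allow-Methods": "GET, POST, OPTIONS",
    "Access-Control-Allow-Headers": "Content-Type, Authorization",
    "Vary": "Origin",
  };
}

// CSRF guard for state-changing form posts: the request's Origin (falling back
// to Referer) must match our own origin. Use it alongside a per-session token.
function isSameOriginRequest(headers, selfOrigin = SELF_ORIGIN) {
  let origin = headers["origin"] || null;
  if (!origin && headers["referer"]) {
    try { origin = new URL(headers["referer"]).origin; } catch { origin = null; }
  }
  return origin === selfOrigin;
}

// Wiring in next.config.js (kept as a comment so this file runs stand-alone):
// module.exports = { async headers() {
//   return [{ source: "/(.*)", headers: securityHeaders() }]; } };
```

Header names in `isSameOriginRequest` are lowercase because Node's `req.headers` normalises them that way.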

Additional Application Protection with Arcjet

If you want additional application security, we recommend using Arcjet in your project.

Why Arcjet?

Arcjet has been architected around a few key principles:

  • Security protections are placed alongside the code they're protecting, ensuring full application context

  • Security rules are easy to test in both development and production environments

  • Integration is simple, adds minimal latency, and requires no architectural changes

Core Security Features

Arcjet provides several key security primitives that can be used independently or combined:

  1. Shield - Protection against common attacks, including those in the OWASP Top 10

  2. Rate Limiting - Control the number of requests from a client over a time period

  3. Bot Protection - Detect and block automated clients, including AI scrapers

  4. Email Validation & Verification - Verify email address validity

  5. Sensitive Information Protection - Prevent unwanted PII submission

To learn more about Arcjet's security features, visit their documentation.

Security Updates and Support

For security concerns or questions, please contact our security team at security@sherpa.sh.