Security Hardening

Production dregg-node deployments should follow these hardening guidelines.

Key Management

• Set chmod 600 on node.key
• Run dregg-node as a dedicated service user (not root)
• In production, integrate with OS keychain or HSM for key storage

Network Security

• Place a TLS-terminating reverse proxy (nginx, caddy) in front of the HTTP API
• Restrict federation peer ports to known IPs with firewall rules
• The faucet endpoint (--enable-faucet) must NEVER be enabled in production

Rate Limiting

• Apply rate limits at the reverse proxy level for public-facing endpoints
• Delegated token reception validates size (64 KiB max) and structure
• STARK proof verification is computationally bounded (~2ms per proof)

Out of scope here

Sample systemd unit files, container seccomp / apparmor profiles, and a full deployment audit checklist ship with the operator release rather than these protocol docs. The items above plus standard reverse-proxy hygiene cover the practical attack surface; the missing pieces are operational ergonomics, not security primitives.