CORS & Security

Security configuration for your PolitikTok deployment.

CORS Configuration

Cross-Origin Resource Sharing settings control which domains can access the PolitikTok API.

Variable            Default                 Description
APP__CORS_ORIGINS   http://localhost:9000   Comma-separated allowed origins

In production, set this to your actual domain:

APP__CORS_ORIGINS=https://politiktok.yourdomain.com
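As an added illustration (not PolitikTok's own code), the following hypothetical helper shows how a comma-separated APP__CORS_ORIGINS value should be treated on the server side: parsed into a set of exact origins, and matched against the request's Origin header by exact comparison only, so that look-alike hosts, wildcard values and the "null" origin are refused. The example.com hostnames are assumed sample values.

```python
from __future__ import annotations

from urllib.parse import urlsplit


def parse_cors_origins(value: str) -> frozenset[str]:
    """Parse the APP__CORS_ORIGINS value ("a, b, c") into normalized origins.

    An origin is scheme://host[:port] only; a path, query, fragment or a
    bare "*" is rejected, because a wildcard combined with cookie-based
    sessions would let any site make credentialed requests.
    """
    origins: set[str] = set()
    for raw in value.split(","):
        raw = raw.strip()
        if not raw:
            continue
        parts = urlsplit(raw)
        if (parts.scheme not in ("http", "https") or not parts.netloc
                or parts.path not in ("", "/") or parts.query or parts.fragment):
            raise ValueError(f"not an origin (scheme://host[:port]): {raw!r}")
        # Scheme and host are case-insensitive; store one canonical form.
        origins.add(f"{parts.scheme}://{parts.netloc.lower()}")
    return frozenset(origins)


def cors_headers(allowed: frozenset[str], request_origin: str | None) -> dict[str, str]:
    """Response headers for an allow-listed Origin, or {} if it is not allowed.

    The comparison is an exact set lookup: no prefix, suffix or regex
    matching, so "https://app.example.com.evil.test" never matches
    "https://app.example.com". "null" and a missing Origin never match.
    """
    if request_origin is None:
        return {}
    origin = request_origin.strip().lower()
    if origin not in allowed:
        return {}
    return {
        # Echo the canonical allow-listed value, never the raw header.
        "Access-Control-Allow-Origin": origin,
        "Access-Control-Allow-Credentials": "true",
        # Caches must key on Origin because the response varies with it.
        "Vary": "Origin",
    }


if __name__ == "__main__":
    # Constructed sample: the documented default plus a production domain.
    allowed = parse_cors_origins("http://localhost:9000, https://politiktok.example.com/")
    print(cors_headers(allowed, "https://politiktok.example.com"))
    print(cors_headers(allowed, "https://politiktok.example.com.evil.test"))  # {}
```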

Authentication Security

PolitikTok uses Keycloak for OpenID Connect (OIDC) authentication with PKCE flow.

Variable                  Description
KEYCLOAK__URL             Keycloak server URL
KEYCLOAK__REALM           Realm name
KEYCLOAK__CLIENT_ID       OIDC client ID
KEYCLOAK__CLIENT_SECRET   OIDC client secret (optional with PKCE)

Session Management

Sessions are stored server-side. Session cookies use:

  • HttpOnly flag (prevents JavaScript access)
  • Secure flag (HTTPS only in production)
  • SameSite=Lax (CSRF protection)

Role-Based Access Control

PolitikTok supports role-based access through Keycloak realm roles:

Role        Access Level
admin       Full access including admin panel
manager     All modules, no admin panel
analyst     Read-only access to analytics modules
volunteer   Limited access to assigned modules

Security Headers

When using a reverse proxy, add these security headers:

# Nginx example
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-XSS-Protection "1; mode=block" always;
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' cdn.tailwindcss.com cdn.jsdelivr.net; style-src 'self' 'unsafe-inline' cdn.jsdelivr.net fonts.googleapis.com; font-src fonts.gstatic.com;" always;

Secret Management

DANGER: Never commit secrets to version control. Use environment variables or a secrets manager.

Required secrets:

Secret                    Where Used
DATABASE__URL             PostgreSQL connection (contains password)
KEYCLOAK__CLIENT_SECRET   OIDC authentication
LLM API keys              If using a remote LLM provider

For production, consider using:

  • Docker secrets
  • HashiCorp Vault
  • Cloud provider secret managers (AWS SSM, GCP Secret Manager)