[ SECURITY HARDENING ]

Product Safeguarding Guide

Operational security (OpSec) instructions and baseline hardening guides to secure your deployments of the Argus defensive suite.

01 // Argus Crypt (KMS Key Rotation)

Critical

Key Management Services require strict rotation procedures to limit the blast radius of key exposures.

  • Rotation Frequency: Rotate master encryption keys (KEKs) at a minimum frequency of 90 days. Sensitive operational environments should automate rotation every 30 days.
  • Hardware Security Fallback: If HSM integrations are disabled, configure the software PKCS#11 simulator to load cryptographic materials purely from memory, ensuring credentials are never persisted in plaintext on VM disk space.
  • Masked Audit Logs: Verify that `zap` logger configuration retains key-masking options, preventing key materials or envelope secrets from leaking into application stdout/stderr logs.

02 // Argus Shield WAF (Anti-Bot Challenges)

High

Argus Shield uses Proof-of-Work (PoW) JavaScript challenges to stop coordinated scrapers, brute-force attempts, and high-frequency Layer 7 DDoS vectors.

  • Challenge Settings: Set the challenge threshold to trigger whenever any single IP exceeds the rate cap of 50 requests per second.
  • Dynamic Rate Limits: Keep local in-memory fallback rate limiters active in the proxy configuration. If connection to Redis clustering is temporarily lost, Shield must automatically fall back to memory tables to prevent un-throttled ingress.
  • DLP (Data Leak Prevention): Configure response body scanners to intercept and mask credit card PANs (Luhn-checked) and JWT formats in egress headers.

03 // Argus Sentinel (SIEM DNS Cache Tuning)

Medium

When performing reverse DNS enrichment on high-throughput log streams, network lookup timeouts can cause an event backlog.

  • DNS Cache Configuration: Pin cache TTL to a minimum of 1 hour and a maximum of 24 hours. This avoids repetitive queries for static server hosts while keeping network resolutions updated.
  • Timeout Bounds: Restrict DNS resolver timeouts to exactly 2 seconds. This prevents slow DNS lookups from causing queue accumulation in the main ingestion line.
  • Correlation Engine Load Shedding: Ensure the correlation queue has headroom. If internal memory occupancy exceeds 80%, Sentinel will drop low-priority logs (severity >= 6) to guarantee uptime.

04 // ProxyLB (Exit-Node Access Control Lists)

High

Running an exit-node network requires granular control to restrict outbound tunnels and safeguard internal subnets.

  • Exit-Node ACLs: Restrict outbound SOCKS5 connections to public IP spaces only. Explicitly reject routing to loopback targets (`127.0.0.0/8`, `::1`) and local private networks (`10.0.0.0/8`, `172.16.0.0/12`, `192.168.0.0/16`) to prevent server-side request forgery (SSRF).
  • Auth Strategy: Enforce a JWT or static bcrypt-based authentication strategy for upstream egress interfaces. Public/anonymous routing should be confined to sandboxed exit hosts.
  • Inter-Service Communication: Always rotate decryption keys (`PROXY_DECRYPTION_PASSKEY`) and avoid sharing the same database instances with other production portals.
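As an added illustration of the exit-node ACL above (example code, not ProxyLB's own), this check rejects the loopback and private ranges the guide lists and additionally unwraps IPv4-mapped IPv6 targets and requires a globally routable address; the function names and that extra `is_global` requirement are assumptions.

```python
import ipaddress

# Deny list taken from the guide: loopback targets and RFC 1918 private networks.
DENIED_NETWORKS = [
    ipaddress.ip_network("127.0.0.0/8"),
    ipaddress.ip_network("::1/128"),
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


def _normalize(addr):
    """Parse the target and unwrap IPv4-mapped IPv6 (e.g. ::ffff:10.0.0.1).

    Without this step an IPv6-wrapped private address would slip past
    rules written for IPv4 ranges.
    """
    ip = ipaddress.ip_address(addr)
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        return ip.ipv4_mapped
    return ip


def is_allowed_exit_target(addr):
    """Return True only if the resolved target IP may leave via the exit node.

    Expects an already-resolved IP string (resolve hostnames first and check
    every returned address). Unparseable input is denied, not passed through.
    """
    try:
        ip = _normalize(addr)
    except ValueError:
        return False
    # Explicit deny list from the hardening guide.
    if any(ip in net for net in DENIED_NETWORKS):
        return False
    # Assumption added here: also refuse link-local, shared address space and
    # other non-global ranges by requiring a globally routable address.
    return ip.is_global


def filter_exit_targets(addrs):
    """Split a batch of resolved addresses into (allowed, denied) lists."""
    allowed = [a for a in addrs if is_allowed_exit_target(a)]
    denied = [a for a in addrs if not is_allowed_exit_target(a)]
    return allowed, denied
```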