Week 7 - Security, secrets, and deployment automation

During this week you will focus on improving the security and deployment practices of your application. This includes preventing common web vulnerabilities, managing secrets securely, and setting up automated deployment to a virtual machine environment.

Development requirements

Security becomes increasingly important as your application grows. The goal of this week is to ensure that your app adheres to secure coding standards and is safe to expose publicly.

Conflicting requirements

If user stories from different weeks conflict with each other, the newest week's user story takes precedence.
Security and deployment requirements introduced here override earlier configurations if needed.

As a developer, I want to ensure that my application cannot be exploited through XSS attacks so that user data and the system remain secure.
  • The application must not be vulnerable to Cross-Site Scripting (XSS).
  • Validate and sanitize all user input both on the frontend and backend.
  • When displaying user-generated content, make sure it is properly escaped.
  • Avoid directly inserting untrusted HTML into the DOM or responses.

Operational requirements

This week focuses on operational security and automated delivery.

  • Implement secrets detection in your CI/CD pipeline.

    • Secrets (API keys, passwords, tokens, etc.) must not appear in pipeline logs or environment variables printed to stdout/stderr.
    • Use your CI/CD platform’s secret management tools to store sensitive information.
    • Add automated checks to prevent accidental secret exposure in commits or build stages.
  • If you have not done it already, set up automatic deployment to a virtual machine.

    • When a new version is pushed to the main branch (or another designated branch), it should trigger a deployment job.
    • The deployment must:
      • Transfer the new application build or container to the VM.
      • Restart or reload the service automatically.
    • Document how deployment is triggered and verified.
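
One way to implement the automated secrets check from the first item above, as an added example rather than part of the course material: a script that scans only the added lines of a unified diff and reports each hit with the value redacted, so the check does not itself put the secret into the pipeline log. The rule set, the reference filter, the sample diff and the file paths in it are constructed for illustration; a production pipeline would normally use a dedicated scanner with a much larger rule set.

```python
import re
import sys

RULES = [  # constructed, minimal rule set
    ("aws-access-key-id", re.compile(r"\b(AKIA[0-9A-Z]{16})\b")),
    ("private-key-block", re.compile(r"(-----BEGIN [A-Z ]*PRIVATE KEY-----)")),
    ("assigned-secret", re.compile(
        r"(?i)(?:password|passwd|secret|token|api[_-]?key)\w*\s*[:=]\s*['\"]?([^\s'\"]{8,})")),
]
REFERENCE = re.compile(r"^[${<]|[(\[]")  # variable lookups and placeholders, not literals
HUNK = re.compile(r"^@@ -\d+(?:,\d+)? \+(\d+)")

# Constructed sample input; every value below is fake.
SAMPLE_DIFF = """\
--- a/deploy/.env
+++ b/deploy/.env
@@ -1,1 +1,3 @@
 APP_PORT=8080
+DB_PASSWORD=constructed-Example-pw-1
+AWS_KEY=AKIAEXAMPLEKEY000000
--- a/.ci/pipeline.yml
+++ b/.ci/pipeline.yml
@@ -10,1 +10,2 @@
   env:
+    DB_PASSWORD: $DB_PASSWORD_FROM_STORE
"""

def scan_diff(diff_text):
    """Return (file, line, rule, redacted) for each secret-like added line."""
    findings, path, lineno = [], None, 0
    for raw in diff_text.splitlines():
        if raw.startswith("+++ "):
            path = raw[4:].removeprefix("b/")
        elif (m := HUNK.match(raw)):
            lineno = int(m.group(1))        # first line number on the new side
        elif raw.startswith("+"):
            for rule, rx in RULES:
                hit = rx.search(raw[1:])
                if hit and not (rule == "assigned-secret" and REFERENCE.search(hit.group(1))):
                    findings.append((path, lineno, rule, f"<{len(hit.group(1))} chars redacted>"))
            lineno += 1
        elif not raw.startswith("-"):       # context line: exists on the new side too
            lineno += 1
    return findings

if __name__ == "__main__":  # in CI: git diff <base>...HEAD | python <this script>
    results = scan_diff(SAMPLE_DIFF if sys.stdin.isatty() else sys.stdin.read())
    for f in results:
        print("%s:%d: %s %s" % f)
    sys.exit(1 if results else 0)  # non-zero exit fails the pipeline stage
```

The reference to the secret store on the last line of the sample is deliberately not reported, since reading a secret from the platform's store is the intended pattern.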

Documentation requirements

What we expect your documentation to include

Your documentation this week should describe how the system operates securely and how it is deployed automatically.

How the virtual machine is configured

  • Operating system and main dependencies.
  • How the application runs on it (e.g., service manager, Docker container, etc.).

How the application is accessed

  • What URL, IP, or port it is available through.
  • Whether it uses HTTPS and how certificates are managed (if applicable).

All stages of your CI/CD pipeline

  • What each stage does (build, test, secrets check, deploy, etc.).
  • Where secrets are stored and how they are accessed securely.
  • How automatic deployment works end-to-end.

Summary of everything that changed

  • Any new security measures added (XSS prevention, secrets detection).
  • How deployment differs from the earlier phase.
  • Any changes in the infrastructure, build process, or service configuration.

Tasks

  • Secure your application:
    • Prevent XSS vulnerabilities.
  • Protect your secrets:
    • Implement secret detection and ensure secrets are not exposed in pipelines or logs.
  • Automate your deployment:
    • Configure the pipeline to deploy the application automatically to a virtual machine.
  • Update your documentation:
    • Include detailed explanations of the VM setup, deployment process, and any system changes from previous phases.