docs: Remove reference to non-existent security script

The SECURITY.md referenced /opt/pulse/testing-tools/security-verification.sh
which does not exist. Replaced with a manual verification checklist.
This commit is contained in:
rcourtman 2025-12-02 23:47:21 +00:00
parent 8fd891a921
commit 44e91ac176

View file

@ -519,18 +519,14 @@ Navigate to **Settings → System → Monitoring** for visual representation of
- ❌ **DON'T**: Share API tokens between users/services
- ❌ **DON'T**: Embed credentials in client-side code
### Verification
Run the security verification script to ensure no plain text credentials:
```bash
/opt/pulse/testing-tools/security-verification.sh
```
This checks:
- No hardcoded credentials in code
- No credentials exposed in logs
- All passwords/tokens properly hashed
- Secure file permissions
- No credential leaks in API responses
### Verification Checklist
Manually verify your deployment follows security best practices:
- No hardcoded credentials in environment files
- No credentials exposed in logs (check `docker logs pulse`)
- All passwords stored as bcrypt hashes (60 characters, starting with `$2a$` or `$2b$`)
- All API tokens stored as SHA3-256 hashes (64 characters)
- Secure file permissions on `/etc/pulse/.env` (600)
- No credential leaks in API responses (test with `curl`)
## Account Lockout and Recovery