Best Practices
Security Hardening
Implement security best practices for your Game Framework deployment.
Authentication
1. Use Strong Tokens
# ✓ Good - long, random tokens
GF_PUB_TOKEN="gf_live_abc123def456..."
# ✗ Bad - short, predictable
GF_PUB_TOKEN="password123"2. Rotate Regularly
# Rotate API keys every 90 days
# Rotate user tokens daily (automatic)3. Minimum Permissions
{
"permissions": ["packages.read", "versions.create"]
}Network Security
1. IP Allowlisting
curl -X PATCH https://registry.yourcompany.com/v1/workspaces/ws_ID/settings \
-H "Authorization: Bearer $TOKEN" \
-d '{"ip_allowlist": ["203.0.113.0/24"]}'2. TLS Only
Always use HTTPS:
# ✓ Good
https://registry.yourcompany.com
# ✗ Bad
http://registry.yourcompany.com3. VPC/Private Network
Deploy in private network (Enterprise).
Access Control
1. Enable 2FA
curl -X PATCH https://registry.yourcompany.com/v1/workspaces/ws_ID/settings \
-d '{"require_2fa": true}'2. Least Privilege
Grant minimum necessary permissions.
3. Regular Audits
Review access quarterly:
curl https://registry.yourcompany.com/v1/workspaces/ws_ID/audit-logsSecret Management
1. Never Commit Secrets
# .gitignore
.env
.env.local
*.key
secrets/2. Use Secret Managers
- AWS Secrets Manager
- HashiCorp Vault
- Azure Key Vault
- GCP Secret Manager
3. Environment Variables
# ✓ Good
export GF_PUB_TOKEN=$(cat ~/.secrets/token)
# ✗ Bad
export GF_PUB_TOKEN="gf_live_hardcoded..."Best Practices
- Strong authentication - Tokens, 2FA
- Network isolation - VPC, IP allowlist
- Encryption - TLS, at-rest encryption
- Audit logging - Track all actions
- Regular updates - Keep software current
- Backup encryption - Encrypted backups
- Incident response - Have a plan