# Connection security
## Environment variables

### Using environment variables

Reference environment variables in connection strings:
```yaml
adapters:
  production_db:
    connector: postgres
    connection_string: '{{ env.DATABASE_URL }}'
```

Or construct from multiple variables:
```yaml
adapters:
  production_db:
    connector: postgres
    connection_string: 'postgresql://{{ env.DB_USER }}:{{ env.DB_PASS }}@{{ env.DB_HOST }}:5432/{{ env.DB_NAME }}'
```

### Setting environment variables
Local development:

```bash
export DATABASE_URL="postgresql://dev:dev@localhost:5432/myapp"
hyperterse dev -f config.terse
```

Using .env files:
Hyperterse automatically loads .env files from the current directory when starting:
```
DATABASE_URL=postgresql://dev:dev@localhost:5432/myapp
```

```bash
# No need to source - .env is loaded automatically
hyperterse -f config.terse
```

In Docker:

```dockerfile
ENV DATABASE_URL=postgresql://user:pass@db:5432/app
```

## SSL/TLS connections
Section titled “SSL/TLS connections”We recommend ensuring all production connections are encrypted.
### PostgreSQL

```yaml
adapters:
  production_db:
    connector: postgres
    connection_string: 'postgresql://user:pass@host:5432/db?sslmode=require'
```

SSL modes:
| Mode | Description | Use Case |
|---|---|---|
| `disable` | No SSL | Non-production only |
| `require` | SSL required, no verification | Cloud databases |
| `verify-ca` | Verify CA certificate | High security |
| `verify-full` | Verify CA and hostname | Highest security |

Note that `require` only encrypts the connection; it does not check the server's certificate, so it does not protect against a host impersonating the database. Use `verify-full` wherever the CA certificate is available.
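The following is an added example, not Hyperterse's own tooling: a small lint that takes the dict form of the page's `adapters:` YAML and flags the weak settings discussed on this page (PostgreSQL `sslmode` per the table above, MySQL without `tls=true`, Redis without `rediss://`, and credentials written literally into the config instead of via `{{ env.* }}`). The adapter names and connection strings in `SAMPLE_ADAPTERS` are constructed.

```python
"""Lint Hyperterse adapter connection strings for the transport weaknesses covered on this page."""
from urllib.parse import parse_qs, urlsplit

def _query_params(conn: str) -> dict[str, str]:
    # Works for URL-style strings (postgresql://, rediss://) and the Go-DSN style
    # used for MySQL (user:pass@tcp(host:3306)/db?tls=true).
    return {k: v[0] for k, v in parse_qs(conn.partition("?")[2]).items()}

def check_connection(connector: str, conn: str) -> list[str]:
    """Return findings for one adapter; an empty list means nothing to flag."""
    if conn.strip().startswith("{{ env."):
        return []  # Resolved at runtime; lint the resolved value instead.
    findings: list[str] = []
    q = _query_params(conn)
    if connector == "postgres":
        mode = q.get("sslmode")
        if mode in (None, "disable"):
            findings.append("postgres: TLS not enforced (sslmode missing or 'disable')")
        elif mode == "require":
            findings.append("postgres: sslmode=require does not verify the server; prefer verify-full")
    elif connector == "mysql" and q.get("tls", "false") == "false":
        findings.append("mysql: tls=true not set")
    elif connector == "redis" and urlsplit(conn).scheme != "rediss":
        findings.append("redis: use rediss:// for TLS")
    # A literal user:password before '@' means the secret lives in the config file
    # rather than in an environment variable or secrets manager.
    creds = conn.partition("?")[0].split("://", 1)[-1].rpartition("@")[0]
    if ":" in creds and "{{ env." not in creds:
        findings.append("credentials are inline in the config; reference an environment variable")
    return findings

def lint_adapters(adapters: dict) -> dict[str, list[str]]:
    """Map adapter name -> findings, for the dict form of the page's `adapters:` YAML."""
    return {n: check_connection(a["connector"], a["connection_string"]) for n, a in adapters.items()}

# Constructed sample: the page's own snippets plus deliberately weak variants.
SAMPLE_ADAPTERS = {
    "production_db": {"connector": "postgres",
                      "connection_string": "postgresql://user:pass@host:5432/db?sslmode=require"},
    "reports_db": {"connector": "postgres", "connection_string":
                   "postgresql://{{ env.DB_USER }}:{{ env.DB_PASS }}@{{ env.DB_HOST }}:5432/{{ env.DB_NAME }}?sslmode=verify-full"},
    "legacy_db": {"connector": "mysql", "connection_string": "user:pass@tcp(host:3306)/db"},
    "cache": {"connector": "redis", "connection_string": "redis://:password@host:6379/0"},
    "env_db": {"connector": "postgres", "connection_string": "{{ env.DATABASE_URL }}"},
}

if __name__ == "__main__":
    for name, findings in lint_adapters(SAMPLE_ADAPTERS).items():
        print(f"{name}: {'OK' if not findings else '; '.join(findings)}")
```

Run it against the parsed config in CI so a connection string that drops `sslmode` or switches back to `redis://` fails the build before it reaches production.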
### MySQL

```yaml
adapters:
  production_db:
    connector: mysql
    connection_string: 'user:pass@tcp(host:3306)/db?tls=true'
```

### Redis

Use `rediss://` for TLS:

```yaml
adapters:
  cache:
    connector: redis
    connection_string: 'rediss://:password@host:6379/0'
```

## Least privilege access
Create database users with minimal permissions:
### PostgreSQL

```sql
-- Create read-only user
CREATE USER hyperterse WITH PASSWORD 'secure_password';

-- Grant only SELECT on specific tables
GRANT SELECT ON users, products, orders TO hyperterse;

-- For new tables (default privileges apply to tables later created by the
-- role that runs this statement, so run it as the schema's owning role)
ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT SELECT ON TABLES TO hyperterse;
```

### MySQL

```sql
-- Read-only access
-- '%' accepts connections from any host; narrow it to the Hyperterse hosts where possible
CREATE USER 'hyperterse'@'%' IDENTIFIED BY 'secure_password';
GRANT SELECT ON myapp.* TO 'hyperterse'@'%';
```

## Network security
### Private networks

Keep databases on private networks:

```
┌─────────────────────────────────────────────────────┐
│                    Private VPC                      │
│                                                     │
│   ┌─────────────┐          ┌─────────────┐          │
│   │ Hyperterse  │─────────▶│  Database   │          │
│   │   Server    │ Private  │             │          │
│   └──────▲──────┘   Net    └─────────────┘          │
│          │                                          │
└──────────┼──────────────────────────────────────────┘
           │ Public
    ┌─────┴─────┐
    │  Clients  │
    └───────────┘
```

### Firewall rules
- Allow Hyperterse to connect to database ports
- Block direct database access from the internet
- Restrict Hyperterse port (8080) to expected sources
### Cloud examples

AWS:
- Use RDS in a private subnet
- Security groups allowing Hyperterse instances only
- Deploy Hyperterse in the same VPC
GCP:
- Use Cloud SQL with private IP
- VPC network for Hyperterse
- Firewall rules restricting access
## Secrets management

For production, use a secrets manager:
### AWS Secrets Manager

```bash
# Fetch secret at runtime
export DATABASE_URL=$(aws secretsmanager get-secret-value \
  --secret-id prod/db/hyperterse \
  --query SecretString --output text)

hyperterse run -f config.terse
```

### HashiCorp Vault

```bash
export DATABASE_URL=$(vault kv get -field=url secret/database)
hyperterse run -f config.terse
```

### Kubernetes secrets
```yaml
apiVersion: v1
kind: Secret
metadata:
  name: hyperterse-secrets
stringData:
  DATABASE_URL: postgresql://user:pass@db:5432/app
---
apiVersion: apps/v1
kind: Deployment
spec:
  template:
    spec:
      containers:
        - name: hyperterse
          envFrom:
            - secretRef:
                name: hyperterse-secrets
```

## Connection pooling
Configure connection pools appropriately:

```yaml
adapters:
  production_db:
    connector: postgres
    connection_string: '{{ env.DATABASE_URL }}'
    options:
      max_connections: '10'  # Match expected concurrency
```

Sizing guidelines:
- Start with 5-10 connections per Hyperterse instance
- Monitor database connection usage
- Increase if you see connection wait times
## Credential rotation

Plan for credential rotation:
- Create new database user with new password
- Update secrets manager
- Restart Hyperterse (connections are re-established)
- Revoke old credentials
For zero-downtime rotation, use multiple Hyperterse instances with rolling restarts.