Production Checklist

Security

  • RSA signing key loaded from a secrets manager (not generated ephemerally on startup)
  • RSA_SIGNING_KEY_JWK or keystore path configured and tested
  • Key rotation procedure documented and tested
  • All passwords (DB_PASSWORD, keystore password) in environment variables, not in application.yml
  • spring.jpa.show-sql: false in production profile
  • logging.level.com.ajfhir.auth: INFO in production (not DEBUG)
  • HTTPS enforced on all endpoints; TLS terminated at the load balancer or nginx

Database

  • PostgreSQL 15+ (not H2); set DB_URL, DB_USER, DB_PASSWORD
  • spring.jpa.hibernate.ddl-auto: validate (not update) in production
  • Flyway migrations enabled for schema management
  • Database connection pool sized for expected load
  • Backups configured for the registered_app and launch_context tables

Registered clients

  • All test clients removed or disabled (active = false)
  • Production redirect_uri values use HTTPS
  • allowed_scopes restricted to minimum needed per app
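The three client checks above, as an added audit script that is not part of the project. The table name registered_app and the columns active, redirect_uri and allowed_scopes are the ones named in this checklist; client_id and client_name are assumed column names, the rows are constructed, and an in-memory SQLite database stands in for PostgreSQL so the script runs offline. Wildcard scopes (patient/*.*, user/*.*) are flagged for review because they rarely match the "minimum needed per app" rule.

```python
"""Audit the registered_app table against the 'Registered clients' checklist.

Added example, not project code. Table and column names active, redirect_uri
and allowed_scopes come from the checklist; client_id and client_name are
assumed, and the sample rows are constructed.
"""
import sqlite3
from typing import Dict, List


def build_sample_db() -> sqlite3.Connection:
    """Constructed registered_app table with one clean client, one leftover
    test client, one already-disabled client and one over-scoped client."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE registered_app ("
        " client_id TEXT PRIMARY KEY, client_name TEXT, redirect_uri TEXT,"
        " allowed_scopes TEXT, active INTEGER)"
    )
    conn.executemany(
        "INSERT INTO registered_app VALUES (?, ?, ?, ?, ?)",
        [
            ("growth-chart", "Growth Chart", "https://apps.example.org/growth/callback",
             "launch openid fhirUser patient/Observation.read", 1),
            ("dev-test", "Local test client", "http://localhost:3000/callback",
             "launch openid fhirUser patient/*.*", 1),
            ("old-demo", "Retired demo", "http://demo.example.org/cb",
             "patient/*.read", 0),
            ("admin-tool", "Admin tool", "https://admin.example.org/cb",
             "openid user/*.*", 1),
        ],
    )
    conn.commit()
    return conn


# Only active registrations matter for go-live; clients already set to
# active = false have been handled.
ACTIVE_CLIENTS_SQL = """
SELECT client_id, redirect_uri, allowed_scopes
FROM registered_app
WHERE active = 1
ORDER BY client_id
"""

LOCAL_HOSTS = ("localhost", "127.0.0.1", "[::1]")


def audit_registered_clients(conn: sqlite3.Connection) -> Dict[str, List[str]]:
    """Return {client_id: [issues]} for every active client that fails a check."""
    findings: Dict[str, List[str]] = {}
    for client_id, redirect_uri, allowed_scopes in conn.execute(ACTIVE_CLIENTS_SQL):
        issues: List[str] = []
        if not redirect_uri.startswith("https://"):
            issues.append(f"redirect_uri is not HTTPS: {redirect_uri}")
        if any(host in redirect_uri for host in LOCAL_HOSTS):
            issues.append("redirect_uri targets a local test host; remove the client or set active = false")
        wildcards = [s for s in allowed_scopes.split() if "*" in s]
        if wildcards:
            issues.append("wildcard scopes exceed least privilege: " + " ".join(wildcards))
        if issues:
            findings[client_id] = issues
    return findings


if __name__ == "__main__":
    for client, issues in audit_registered_clients(build_sample_db()).items():
        print(client)
        for issue in issues:
            print("  -", issue)
```

Run it against the real database by replacing build_sample_db() with a psycopg2 connection; the SQL is plain enough to work unchanged on PostgreSQL.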

SMART configuration

  • smart.server.issuer-url matches the public-facing HTTPS URL
  • smart.server.fhir-base-url matches the HAPI FHIR server's public URL
  • /.well-known/smart-configuration reachable from the FHIR base URL (proxy configured)
  • access-token-ttl-seconds reviewed (default 3600 s, i.e. 1 hour)
  • refresh-token-ttl-seconds reviewed (default 86400 s, i.e. 24 hours)
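The Security, Database and SMART configuration items above can be checked mechanically before a deploy. The following pre-deployment lint is an added example, not code from the project: it reads the production profile written in Spring Boot .properties form (dotted keys are the flat equivalent of the nested application.yml keys this checklist quotes), plus the process environment, and reports every item that is not satisfied. The checklist names RSA_SIGNING_KEY_JWK, DB_URL, DB_USER and DB_PASSWORD and the spring.jpa and logging keys; the spring.datasource.* and spring.flyway.enabled keys are standard Spring Boot properties, and the smart.server.* key names beyond issuer-url and fhir-base-url are assumed. Both sample profiles and the sample environment are constructed.

```python
"""Pre-deployment lint for the auth server's production profile.

Added example, not project code. Reads a Spring .properties profile (the flat
form of application.yml) and an environment mapping, and returns the
checklist items that fail. Property names under spring.datasource.* are
standard Spring Boot; the exact project key names are assumed.
"""
import re
from typing import Dict, List

# Constructed sample: a profile that fails most items on the checklist.
WEAK_PROFILE = """\
spring.datasource.url=jdbc:h2:mem:authdb
spring.datasource.password=changeme
spring.jpa.show-sql=true
spring.jpa.hibernate.ddl-auto=update
logging.level.com.ajfhir.auth=DEBUG
smart.server.issuer-url=http://auth.internal:8080
smart.server.fhir-base-url=http://fhir.internal:8080/fhir
"""

# Constructed sample: the corrected profile, with every secret as a placeholder.
HARDENED_PROFILE = """\
spring.datasource.url=${DB_URL}
spring.datasource.username=${DB_USER}
spring.datasource.password=${DB_PASSWORD}
spring.jpa.show-sql=false
spring.jpa.hibernate.ddl-auto=validate
spring.flyway.enabled=true
logging.level.com.ajfhir.auth=INFO
smart.server.issuer-url=https://auth.example.org
smart.server.fhir-base-url=https://fhir.example.org/fhir
"""

# Constructed environment as a secrets manager would inject it (values are dummies).
SAMPLE_ENV = {
    "RSA_SIGNING_KEY_JWK": '{"kty":"RSA","kid":"placeholder"}',
    "DB_URL": "jdbc:postgresql://db.internal:5432/auth",
    "DB_USER": "auth",
    "DB_PASSWORD": "placeholder",
}

# Spring placeholder syntax: ${NAME} or ${NAME:default}
PLACEHOLDER = re.compile(r"^\$\{[A-Za-z0-9_.]+(?::.*)?\}$")


def parse_properties(text: str) -> Dict[str, str]:
    """Minimal key=value parser, enough for a profile in .properties form."""
    props: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")):
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def check_production_config(profile_text: str, env: Dict[str, str]) -> List[str]:
    """Return one finding per unsatisfied checklist item; empty list means clean."""
    p = parse_properties(profile_text)
    findings: List[str] = []
    # Secrets must be environment placeholders, never literals in the profile.
    for key, value in p.items():
        if "password" in key.lower() and not PLACEHOLDER.match(value):
            findings.append(f"{key}: literal secret in the profile; reference an env var with ${{...}}")
    if p.get("spring.jpa.show-sql", "false").lower() != "false":
        findings.append("spring.jpa.show-sql must be false in production")
    if p.get("spring.jpa.hibernate.ddl-auto") != "validate":
        findings.append("spring.jpa.hibernate.ddl-auto must be validate (not update)")
    if p.get("spring.flyway.enabled", "true").lower() != "true":
        findings.append("spring.flyway.enabled must not be false; Flyway manages the schema")
    if p.get("logging.level.com.ajfhir.auth", "INFO").upper() in ("DEBUG", "TRACE"):
        findings.append("logging.level.com.ajfhir.auth must be INFO (not DEBUG) in production")
    if p.get("spring.datasource.url", "").lower().startswith("jdbc:h2"):
        findings.append("spring.datasource.url uses H2; production requires PostgreSQL")
    for key in ("smart.server.issuer-url", "smart.server.fhir-base-url"):
        if not p.get(key, "").startswith("https://"):
            findings.append(f"{key} must be the public-facing HTTPS URL")
    # Signing key and DB credentials must come from the environment.
    if not env.get("RSA_SIGNING_KEY_JWK"):
        findings.append("RSA_SIGNING_KEY_JWK missing: the signing key would be generated ephemerally on startup")
    for var in ("DB_URL", "DB_USER", "DB_PASSWORD"):
        if not env.get(var):
            findings.append(f"{var} not present in the environment")
    return findings


if __name__ == "__main__":
    print("weak profile:", *check_production_config(WEAK_PROFILE, {}), sep="\n  ")
    print("hardened profile:", check_production_config(HARDENED_PROFILE, SAMPLE_ENV))
```

Wire it into the deploy pipeline with the real profile and `dict(os.environ)`; a non-empty result should fail the job. Note that the keystore-path variant of the signing key and the TTL review are judgement items the script cannot decide for you.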

Multi-instance

  • Persistent RSA key shared across all instances
  • Session store (Redis or database) if running more than one instance
  • Health check endpoint (/actuator/health) responding on all instances

Monitoring

  • Actuator health check exposed to load balancer
  • Log aggregation configured (stdout → Fluentd/CloudWatch/Splunk)
  • Alert on failed token exchanges (repeated invalid_grant suggests key mismatch or clock skew)
  • Alert on LaunchTokenException spikes (may indicate replay attacks)
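The two alert rules above, as added detection logic that is not part of the project. It runs over constructed log lines in the shape of Spring Boot's default console pattern; the message wording, the client_id field and the logger names are assumed, so the regexes will need adapting to the real log format. The 5-minute window and the thresholds (5 invalid_grant responses per client, 3 LaunchTokenException errors) are starting points to tune per deployment.

```python
"""Alert rules for failed token exchanges and LaunchTokenException bursts.

Added example, not project code. Parses constructed Spring-Boot-style log
lines and raises an alert when either signal from the Monitoring checklist
exceeds a threshold inside a sliding time window.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

# Constructed sample: client app-a failing token exchange repeatedly (the
# key-mismatch or clock-skew pattern), then a burst of launch-token failures.
SAMPLE_LOGS = """\
2024-05-01T10:00:01Z INFO  c.a.a.TokenController - token issued client_id=app-a
2024-05-01T10:00:05Z WARN  c.a.a.TokenController - token exchange failed client_id=app-a error=invalid_grant
2024-05-01T10:00:20Z WARN  c.a.a.TokenController - token exchange failed client_id=app-a error=invalid_grant
2024-05-01T10:00:41Z WARN  c.a.a.TokenController - token exchange failed client_id=app-b error=invalid_grant
2024-05-01T10:01:02Z WARN  c.a.a.TokenController - token exchange failed client_id=app-a error=invalid_grant
2024-05-01T10:01:33Z WARN  c.a.a.TokenController - token exchange failed client_id=app-a error=invalid_grant
2024-05-01T10:02:10Z WARN  c.a.a.TokenController - token exchange failed client_id=app-a error=invalid_grant
2024-05-01T10:03:00Z INFO  c.a.a.TokenController - token issued client_id=app-b
2024-05-01T10:07:00Z ERROR c.a.a.LaunchController - LaunchTokenException: launch token already consumed
2024-05-01T10:07:12Z ERROR c.a.a.LaunchController - LaunchTokenException: launch token already consumed
2024-05-01T10:07:40Z ERROR c.a.a.LaunchController - LaunchTokenException: launch token expired
"""

# "<timestamp> <LEVEL> <logger> - <message>"; assumed format, adapt to the real one.
LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<level>[A-Z]+)\s+(?P<logger>\S+)\s+-\s+(?P<msg>.*)$")
CLIENT_RE = re.compile(r"client_id=(\S+)")

Event = Tuple[datetime, str]  # (timestamp, message)


def parse_events(log_text: str) -> List[Event]:
    """Keep timestamp and message of every line that matches the pattern."""
    events: List[Event] = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append((datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"), m["msg"]))
    return events


def burst_size(times: List[datetime], window: timedelta, threshold: int) -> Optional[int]:
    """Largest number of events inside any window; None when below threshold."""
    times = sorted(times)
    best = start = 0
    for end in range(len(times)):
        while times[end] - times[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best if best >= threshold else None


def evaluate_alerts(log_text: str, window: timedelta = timedelta(minutes=5),
                    invalid_grant_threshold: int = 5,
                    launch_exception_threshold: int = 3) -> List[str]:
    """Apply both checklist alert rules and return the alert texts."""
    per_client: Dict[str, List[datetime]] = defaultdict(list)
    launch_failures: List[datetime] = []
    for ts, msg in parse_events(log_text):
        if "invalid_grant" in msg:
            m = CLIENT_RE.search(msg)
            per_client[m.group(1) if m else "unknown"].append(ts)
        elif "LaunchTokenException" in msg:
            launch_failures.append(ts)

    alerts: List[str] = []
    # Rule 1: repeated invalid_grant for one client points at a signing-key
    # mismatch between instances or clock skew, not at the client.
    for client, times in sorted(per_client.items()):
        n = burst_size(times, window, invalid_grant_threshold)
        if n is not None:
            alerts.append(f"{n} invalid_grant responses for client {client} within {window}: "
                          "verify all instances share the RSA signing key and have synchronised clocks")
    # Rule 2: a spike of LaunchTokenException is the replay signal from the checklist.
    n = burst_size(launch_failures, window, launch_exception_threshold)
    if n is not None:
        alerts.append(f"{n} LaunchTokenException errors within {window}: possible launch token replay, "
                      "review source addresses and the affected launch contexts")
    return alerts


if __name__ == "__main__":
    for alert in evaluate_alerts(SAMPLE_LOGS):
        print("ALERT:", alert)
```

In a real pipeline the same two rules translate directly into a log-aggregator query (a count over a 5-minute window grouped by client_id, and a count of the exception class); the script is handy for replaying a captured log window to confirm the thresholds before the alert goes live.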

HIPAA

  • PHI in launch tokens (patient FHIR ID) encrypted at rest in PostgreSQL
  • Launch token purge scheduled and verified (@Scheduled purge every 10 minutes)
  • Access logs retained per organisational retention policy
  • BAA signed with cloud provider if tokens transit their infrastructure

โ† Deployment