
Production Security

Ahmed edited this page Mar 16, 2026 · 2 revisions

Production Security & HTTPS

When moving EventLens to production, restrict its database access to read-only and protect its HTTP endpoints.

1. Database Read-Only Access

Never grant EventLens write or owner permissions. Create a dedicated, read-only PostgreSQL role that can only SELECT from the view schemas:

-- Login role used only by EventLens; replace the placeholder password with a generated secret
CREATE ROLE eventlens_ro LOGIN PASSWORD 'strong_password';
GRANT CONNECT ON DATABASE eventlens_dev TO eventlens_ro;
GRANT USAGE ON SCHEMA public TO eventlens_ro;
-- SELECT on tables that already exist ...
GRANT SELECT ON ALL TABLES IN SCHEMA public TO eventlens_ro;
-- ... and on tables created later (applies only to objects created by the role running this statement)
ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT SELECT ON TABLES TO eventlens_ro;
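As an added check (not part of the EventLens wiki or project), the queries below verify that the grants actually produced a read-only role: every table in public should be readable, no table writable, and the role must hold no superuser, CREATE or RLS-bypass rights. Run them as a privileged user after the grants above.

```sql
-- Added verification query, not EventLens project code. One row per relation in "public";
-- any row where can_insert / can_update / can_delete / can_truncate is true is a misgrant,
-- and any row where can_select is false means EventLens will fail to read that table.
SELECT c.relname                                              AS table_name,
       has_table_privilege('eventlens_ro', c.oid, 'SELECT')   AS can_select,
       has_table_privilege('eventlens_ro', c.oid, 'INSERT')   AS can_insert,
       has_table_privilege('eventlens_ro', c.oid, 'UPDATE')   AS can_update,
       has_table_privilege('eventlens_ro', c.oid, 'DELETE')   AS can_delete,
       has_table_privilege('eventlens_ro', c.oid, 'TRUNCATE') AS can_truncate
FROM   pg_class c
JOIN   pg_namespace n ON n.oid = c.relnamespace
WHERE  n.nspname = 'public'
  AND  c.relkind IN ('r', 'p', 'v', 'm')   -- tables, partitioned tables, views, materialized views
ORDER  BY c.relname;

-- Role-level attributes: all four flags and the CREATE check must come back false.
SELECT rolsuper,
       rolcreaterole,
       rolcreatedb,
       rolbypassrls,
       has_schema_privilege('eventlens_ro', 'public', 'CREATE') AS can_create_in_public
FROM   pg_roles
WHERE  rolname = 'eventlens_ro';
```

Re-run the first query after schema migrations: a table created by a role other than the one that ran ALTER DEFAULT PRIVILEGES will not inherit the SELECT grant and shows up as can_select = false.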

2. API Authentication

If deploying in a shared environment, enable Basic Auth in your eventlens.yaml:

server:
  auth:
    enabled: true
    username: admin
    password: changeme   # placeholder only; set a strong, unique secret before deploying

3. HTTPS is Required

Basic authentication sends the username and password Base64-encoded, which is trivially reversible and provides no confidentiality. You must deploy EventLens behind a reverse proxy (such as Nginx, Traefik, or Caddy) that terminates TLS, so credentials never cross the network in the clear.

4. Lock Down CORS

For production, set server.allowed-origins to the exact origin(s) of your deployment instead of leaving the default or a wildcard (*).
