Audit, harden, and monitor your nSelf instance. Security is always free — every hardening feature runs automatically on install, update, and deploy with no license required.
```bash
# Run a full security audit
nself security audit
# Check current security posture at a glance
nself security status
# Apply baseline hardening to a fresh install
nself security setup
```

```
nself security <SUBCOMMAND> [FLAGS]
```

The security command exposes nSelf's built-in hardening suite. Every check it runs is also executed automatically at four points in the nSelf lifecycle: on nself install, on nself update, on nself deploy, and daily via a scheduled cron job. You never have to remember to run it — but you can run it manually any time.
Critical findings block a deploy by default. Pass --force with a written justification to override a block. The justification is logged to the audit trail.
All security features — rate limiting, MFA throttling, SSRF guard, JWT key rotation, WAF basics, audit logs, encryption-at-rest config, and this SIEGE regression suite — are in the free tier. No paid bundle unlocks security.
Run a full hardening audit across all active services. Checks RLS policies, rate limits, JWT rotation, CORS config, SSRF guards, TLS grades, and exposed ports. Prints a PASS / WARN / FAIL verdict per check.
```bash
nself security audit
nself security audit --format json
nself security audit --only rls,tls
```

| Flag | Type | Default | Description |
|---|---|---|---|
| --format | string | text | Output format: text or json |
| --only | string | all | Comma-separated list of check groups to run |
| --force | bool | false | Continue even if critical findings exist (logged to audit trail) |
Print a one-line summary of the last audit result and when it ran. Useful for a quick sanity check without re-running the full suite.
```bash
nself security status
# Last audit: 2026-05-07 03:00 UTC — PASS (0 critical, 0 high, 2 warnings)
```

Apply baseline hardening to a fresh nSelf install. Enables RLS on all np_* tables, rotates the default Hasura admin secret, configures CORS, enables rate limiting, and sets JWT rotation to 90 days.

```bash
nself security setup
nself security setup --skip jwt-rotation
```

| Flag | Type | Default | Description |
|---|---|---|---|
| --skip | string | none | Comma-separated list of setup steps to skip |
| --dry-run | bool | false | Show what would be applied without making changes |
Run a targeted scan against a specific check group or a single service. Faster than a full audit when you just patched one area.
```bash
nself security scan --check rls
nself security scan --service hasura
nself security scan --check tls --service nginx
```

| Flag | Type | Default | Description |
|---|---|---|---|
| --check | string | all | Check group: rls, tls, cors, rate-limit, jwt, ssrf, ports |
| --service | string | all | Restrict scan to a single service |
| --format | string | text | Output format: text or json |

| Group | What it checks |
|---|---|
| rls | Row-Level Security enabled on all np_* tables; Hasura row filters present |
| tls | TLS grade (A minimum), certificate expiry (>14 days), HSTS header |
| cors | No wildcard origins in production, preflight caching configured |
| rate-limit | Auth endpoints throttled, Nginx rate-limit zones active |
| jwt | JWT key is not the default, rotation schedule configured |
| ssrf | SSRF guard middleware active on all inbound webhook paths |
| ports | No internal service ports exposed externally; only 80/443 reachable |

The full audit runs automatically at these lifecycle points. You do not need to schedule it.
When nself deploy finds a CRITICAL finding, it halts before switching traffic. To override:
```bash
nself deploy --force --force-reason "RLS will be applied post-deploy via migration"
# Justification is appended to the audit trail at logs/security-audit.log
```

- `NSELF_SECURITY_AUDIT_CRON` — override the daily cron schedule (default: `0 3 * * *`)
- `NSELF_SECURITY_AUDIT_LOG` — path to the audit log file (default: `logs/security-audit.log`)
- `NSELF_SECURITY_BLOCK_ON_CRITICAL` — set to `false` to disable deploy blocking (not recommended)

- `0` — all checks passed
- `1` — one or more HIGH or CRITICAL findings
- `2` — invalid arguments or scan could not run
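
The daily audit only protects you if it keeps running, so it is worth watching the nself security status line from outside. The following is an added example, not part of nSelf: a small probe that parses the status line in the layout shown on this page and alerts on a stale, non-PASS, or critical/high result. The function name, the 26-hour freshness threshold, and the second sample line are assumptions made for illustration.

```python
import re
import subprocess
import sys
from datetime import datetime, timedelta, timezone

# Layout of the `nself security status` summary line as shown on this page.
STATUS_RE = re.compile(
    r"Last audit: (?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) UTC\s+\S+\s+"
    r"(?P<verdict>[A-Z]+) \((?P<critical>\d+) critical, "
    r"(?P<high>\d+) high, (?P<warnings>\d+) warnings?\)"
)

# SAMPLE_OK is the page's sample line; SAMPLE_FAIL is constructed for illustration.
SAMPLE_OK = "Last audit: 2026-05-07 03:00 UTC \u2014 PASS (0 critical, 0 high, 2 warnings)"
SAMPLE_FAIL = "Last audit: 2026-05-07 03:00 UTC \u2014 FAIL (1 critical, 0 high, 2 warnings)"


def check_status(line, now, max_age=timedelta(hours=26)):
    """Return alert strings for one status line; an empty list means healthy.

    max_age is an assumed threshold: the daily cron interval plus slack.
    """
    m = STATUS_RE.search(line)
    if m is None:
        # Fail closed: a status we cannot read is treated as an alert.
        return ["unparseable status line"]
    alerts = []
    ran_at = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M").replace(tzinfo=timezone.utc)
    if now - ran_at > max_age:
        alerts.append(f"stale audit: last run {m['ts']} UTC, scheduled job may be broken")
    if m["verdict"] != "PASS":
        alerts.append(f"verdict is {m['verdict']}")
    if int(m["critical"]) or int(m["high"]):
        alerts.append(f"{m['critical']} critical / {m['high']} high findings open")
    return alerts


if __name__ == "__main__":
    # Run the documented command and exit non-zero so a monitor can page on it.
    out = subprocess.run(["nself", "security", "status"],
                         capture_output=True, text=True).stdout
    problems = check_status(out, datetime.now(timezone.utc))
    for p in problems:
        print("ALERT:", p)
    sys.exit(1 if problems else 0)
```

If NSELF_SECURITY_AUDIT_CRON is changed from its default, adjust max_age to match the new interval.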