
Security hardening

This page consolidates the security-relevant controls into one operator checklist, with links to the detailed pages. HeliosLogs speaks plain HTTP and binds to loopback by default — most hardening is about what you change before exposing it.

Many of the hardening knobs below — session lifetime, retention, and the runtime/FIPS status — live in Admin → General:

(Screenshot: General settings, where several hardening-relevant server tunables live)

Network exposure

  • HeliosLogs does not terminate TLS. Put it behind a TLS-terminating reverse proxy.
  • It binds to 127.0.0.1 by default; only use --host 0.0.0.0 behind a proxy or on a trusted network. See Running HeliosLogs.
  • The syslog listener and any exposed ingest endpoints are separate attack surfaces — restrict them at the network layer.

Authentication & sessions

  • Set a strong admin password (or bootstrap one with HELIOS_ADMIN_PASSWORD).
  • Consider a shorter session lifetime (HELIOS_AUTH_TOKEN_TTL_HOURS) than the 7-day default.
  • Use SAML SSO for centralized identity; keep an admin password as break-glass.
  • Remember that changing a password revokes that user's sessions immediately. See Authentication.

Authorization (least privilege)

  • Scope standard users with the RBAC allowlist instead of granting full access.
  • Issue standard (not admin) API keys for integrations, with an expiry.
  • Scope the MCP server with an env/index allowlist and a tool allowlist, and set its auth token.

Ingestion

  • Turn on require-auth and issue scoped ingest tokens so only authorized shippers can write, each pinned to an env/index.

Encryption & secrets

  • Control-plane data is encrypted at rest (AES-256-GCM), on by default.
  • Back up the control-plane key and JWT secret, store them outside --data-dir, and (for a cluster) make them identical on every node. Losing the control key = losing the control plane. See Secrets & encryption.
  • For regulated environments, run the FIPS 140-3 build and confirm AWS-LC FIPS 140-3 (active) in the runtime-config view.

Outbound safety

  • Alert webhooks are validated against SSRF — private, loopback, and link-local targets are blocked.
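The check described above, as an added example that is not HeliosLogs' own code: a Python webhook-target validator that resolves the hostname and rejects any URL whose host resolves to a private, loopback, link-local, multicast, reserved or unspecified address (it also blocks the carrier-grade NAT range 100.64.0.0/10, which is an extension beyond the three ranges the page names). The function names, the constructed name table and the injectable resolver are assumptions made so that the example runs offline.

```python
"""Webhook target validation against SSRF.

Added example, not HeliosLogs' own code: it demonstrates the check the
"Outbound safety" section describes (reject private, loopback and link-local
targets). The resolver is a parameter so the example runs offline against a
constructed name table instead of real DNS.
"""
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}
# Carrier-grade NAT space is not covered by ipaddress.is_private; block it too.
CGNAT = ipaddress.ip_network("100.64.0.0/10")


def is_blocked_address(addr) -> bool:
    """True for any address a webhook delivery must never reach."""
    # Unwrap IPv4-mapped IPv6 (::ffff:10.0.0.1) so the IPv4 rules apply.
    mapped = getattr(addr, "ipv4_mapped", None)
    if mapped is not None:
        addr = mapped
    return (
        addr.is_private        # RFC 1918, fc00::/7 and the documentation ranges
        or addr.is_loopback    # 127/8, ::1
        or addr.is_link_local  # 169.254/16 (cloud metadata lives here), fe80::/10
        or addr.is_multicast
        or addr.is_reserved
        or addr.is_unspecified
        or (addr.version == 4 and addr in CGNAT)
    )


def resolve_all(host: str) -> list:
    """Default resolver: every A/AAAA answer for host (uses the network)."""
    infos = socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})


def validate_webhook_url(url: str, resolver=resolve_all):
    """Return (ok, reason, addresses).

    Every address the name resolves to must pass: a name that maps to one
    public and one internal address is still an SSRF vector, because the
    HTTP client may pick either. The vetted addresses are returned so the
    caller can connect to them directly instead of re-resolving (rebinding).
    """
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        return False, f"scheme {parts.scheme!r} not allowed", []
    if parts.username is not None or parts.password is not None:
        return False, "credentials embedded in URL", []
    host = parts.hostname
    if not host:
        return False, "missing host", []
    try:
        # Literal IP (v4, v6 or v4-mapped): no DNS involved.
        addrs = [ipaddress.ip_address(host)]
    except ValueError:
        try:
            addrs = [ipaddress.ip_address(a) for a in resolver(host)]
        except (socket.gaierror, ValueError) as exc:
            return False, f"resolution failed for {host}: {exc}", []
    if not addrs:
        return False, f"{host} resolved to no addresses", []
    for addr in addrs:
        if is_blocked_address(addr):
            return False, f"{host} -> {addr} is a blocked range", []
    return True, "ok", [str(a) for a in addrs]


# Constructed name table for offline demonstration (not real DNS data).
CONSTRUCTED_DNS = {
    "hooks.example.test": ["198.100.200.5"],
    "metadata.internal.test": ["169.254.169.254"],
    "split.example.test": ["198.100.200.5", "10.0.0.8"],
}


def constructed_resolver(host: str) -> list:
    """Offline stand-in for resolve_all, backed by CONSTRUCTED_DNS."""
    if host not in CONSTRUCTED_DNS:
        raise socket.gaierror(f"constructed table has no entry for {host}")
    return CONSTRUCTED_DNS[host]


if __name__ == "__main__":
    for u in [
        "https://hooks.example.test/alert",
        "https://metadata.internal.test/latest/",
        "https://split.example.test/alert",
        "http://127.0.0.1:9000/hook",
        "http://[::ffff:10.1.1.1]/hook",
        "ftp://hooks.example.test/alert",
    ]:
        ok, reason, _ = validate_webhook_url(u, resolver=constructed_resolver)
        print(f"{'ALLOW' if ok else 'BLOCK':5} {u}  ({reason})")
```

Two details matter in practice: the delivery client should connect to the addresses the validator returned rather than resolving the name a second time (otherwise a record that changes between check and connect defeats the check), and any HTTP redirect the webhook endpoint returns must be run through the same validation before it is followed.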

Audit & monitoring

  • Use self-observability (_helioshttp, _helioslogs, _heliosmcp) to watch access patterns, errors, and MCP activity — and alert on them.

Hardening checklist

  • [ ] Behind a TLS-terminating reverse proxy; not bound to 0.0.0.0 on an untrusted network.
  • [ ] Strong admin credentials; SSO configured if applicable; sensible token TTL.
  • [ ] Standard users scoped with RBAC allowlists.
  • [ ] Ingest auth required; shippers using scoped tokens.
  • [ ] MCP scoped (auth token + env/index/tool allowlists) or disabled.
  • [ ] API keys least-privilege, expiring, rotated.
  • [ ] Control key + JWT secret backed up, outside the data dir, shared across nodes.
  • [ ] Retention set so data ages out; FIPS build where required.