# Security Guide

Last Updated: December 2025
Status: Security Best Practices

This guide covers security best practices, API key management, and security considerations for the Trading System.
## Overview

Security is paramount in trading systems, especially when handling API keys, financial data, and system access. This guide provides comprehensive security practices for protecting your trading system.
## API Key Management

### Environment Variables

Never commit API keys to version control. Always use environment variables stored in `.env` files that are excluded from Git.

### Best Practices

- Use `.env` files:

  ```gitignore
  # Add to .gitignore
  .env
  .env.local
  .env.*.local
  ```

- Template Files:
  - Keep `deployment/env.example` as a template
  - Never include actual keys in example files
  - Use placeholder values

- Environment Variable Security:

  ```bash
  # Good: use strong, unique keys
  ALPACA_API_KEY=your_api_key_here
  ALPACA_SECRET_KEY=your_secret_key_here
  ```

  ```bash
  # Set proper file permissions (Linux/Mac) so only the owner can read the file
  chmod 600 .env
  ```
### API Key Rotation

- Regular Rotation: Rotate API keys periodically (every 90 days recommended)
- Immediate Revocation: Revoke keys immediately if compromised
- Separate Keys: Use different keys for development, staging, and production
- Paper Trading First: Always use paper trading API keys for testing
### Alpaca API Keys

- Account Security:
  - Enable two-factor authentication (2FA) on your Alpaca account
  - Use paper trading keys for development
  - Limit API key permissions when possible

- Key Storage:

  ```bash
  # Store in .env file (not in code)
  ALPACA_API_KEY=PKxxxxxxxxxxxxx
  ALPACA_SECRET_KEY=xxxxxxxxxxxxxxxxxxxx
  ALPACA_BASE_URL=https://paper-api.alpaca.markets
  ```

- Key Validation:
  - Never share API keys in logs or error messages
  - Mask keys in debug output
  - Validate keys before use
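The following is an added example (not code from the Trading System project) showing how the two points above fit together: credentials are read from the environment or a `.env` file, validated before use (present, not still the template placeholder, well-formed, HTTPS base URL), and masked in `repr()` so they never surface in tracebacks or debug output. The variable names follow this guide; the `parse_dotenv` helper, the `PLACEHOLDERS` set and the key-format regex are assumptions made for the example, and the sample values are constructed, not real credentials.

```python
"""Load Alpaca credentials from the environment, validate them, and mask them in output.

Added example, not the project's own code. Assumes the ALPACA_API_KEY,
ALPACA_SECRET_KEY and ALPACA_BASE_URL names from the guide; the format check
is an assumption based on the guide's "PK..." sample value.
"""
import os
import re
from dataclasses import dataclass
from typing import Mapping, Optional

# Values that the template file ships with; they must never reach a live client.
PLACEHOLDERS = {"your_api_key_here", "your_secret_key_here", ""}


def parse_dotenv(text: str) -> dict:
    """Tiny KEY=VALUE parser (stand-in for python-dotenv); skips blanks and # comments."""
    values = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            values[key.strip()] = value.strip().strip('"').strip("'")
    return values


def mask_secret(secret: str, visible: int = 4) -> str:
    """Log-safe form: keep the first `visible` characters, star out the rest."""
    if len(secret) <= visible:
        return "*" * len(secret)
    return secret[:visible] + "*" * (len(secret) - visible)


@dataclass(frozen=True)
class AlpacaCredentials:
    api_key: str
    secret_key: str
    base_url: str

    def __repr__(self) -> str:
        # repr() is what lands in tracebacks and debug logs, so mask here.
        return (f"AlpacaCredentials(api_key={mask_secret(self.api_key)!r}, "
                f"secret_key={mask_secret(self.secret_key)!r}, base_url={self.base_url!r})")

    @property
    def is_paper(self) -> bool:
        return "paper-api" in self.base_url


def load_alpaca_credentials(env: Optional[Mapping[str, str]] = None) -> AlpacaCredentials:
    """Validate before use; raises ValueError rather than sending a bad key to the API."""
    env = os.environ if env is None else env
    api_key = env.get("ALPACA_API_KEY", "")
    secret_key = env.get("ALPACA_SECRET_KEY", "")
    base_url = env.get("ALPACA_BASE_URL", "https://paper-api.alpaca.markets")
    if api_key in PLACEHOLDERS or secret_key in PLACEHOLDERS:
        raise ValueError("ALPACA_API_KEY / ALPACA_SECRET_KEY missing or still set to the template placeholder")
    # Assumed format (uppercase alphanumeric, at least 10 chars); adjust to the real key format.
    if not re.fullmatch(r"[A-Z0-9]{10,}", api_key):
        raise ValueError(f"ALPACA_API_KEY has an unexpected format: {mask_secret(api_key)}")
    if not base_url.startswith("https://"):
        raise ValueError("ALPACA_BASE_URL must use https")
    return AlpacaCredentials(api_key, secret_key, base_url)


# Constructed sample .env content (fake values, not real credentials).
SAMPLE_ENV = """
# Store in .env file (not in code)
ALPACA_API_KEY=PKEXAMPLE12345678
ALPACA_SECRET_KEY=examplesecretvalue000000
ALPACA_BASE_URL=https://paper-api.alpaca.markets
"""

if __name__ == "__main__":
    creds = load_alpaca_credentials(parse_dotenv(SAMPLE_ENV))
    print(creds)                       # secrets are printed masked
    print("paper trading:", creds.is_paper)
```

Because the masking lives in `__repr__`, any code path that formats the credentials object (logging, f-strings, exception messages) gets the masked form without each call site having to remember to do it.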
### Polygon.io API Keys

- Key Management:

  ```bash
  POLYGON_API_KEY=your_polygon_key
  ```

- Rate Limiting:
  - Respect rate limits to avoid key revocation
  - Monitor API usage
  - Implement backoff strategies
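As an added example (not the project's own data client), here is one backoff strategy that satisfies the three points above: exponential delay with full jitter, a cap on the delay, honouring a `Retry-After` hint when the API supplies one, and a hard limit on attempts so a key that is over quota is not hammered until it gets revoked. The `RateLimited` exception and `FakePolygonClient` are hypothetical stand-ins for whatever HTTP client the system uses; Polygon.io's real limits and error format are not assumed.

```python
"""Exponential backoff with jitter for a rate-limited market-data API.

Added example, not project code. `RateLimited` and `FakePolygonClient` are
hypothetical; they simulate an API that answers HTTP 429 for the first calls.
"""
import random
import time
from typing import Callable, List, Optional, TypeVar

T = TypeVar("T")


class RateLimited(Exception):
    """Raised by the (hypothetical) client when the API answers 429 Too Many Requests."""
    def __init__(self, retry_after: Optional[float] = None):
        super().__init__("rate limited")
        self.retry_after = retry_after


def backoff_delays(base: float, cap: float, attempts: int, rng=random.random) -> List[float]:
    """Full-jitter backoff: delay n is uniform in [0, min(cap, base * 2**n)]."""
    return [min(cap, base * (2 ** n)) * rng() for n in range(attempts)]


def call_with_backoff(fetch: Callable[[], T], *, max_attempts: int = 5,
                      base: float = 0.5, cap: float = 30.0,
                      sleep: Callable[[float], None] = time.sleep) -> T:
    """Retry `fetch` on RateLimited; prefer the API's Retry-After over our own schedule.

    Re-raises after `max_attempts` so callers see the failure instead of an endless retry loop.
    """
    delays = backoff_delays(base, cap, max_attempts)
    for attempt in range(max_attempts):
        try:
            return fetch()
        except RateLimited as exc:
            if attempt == max_attempts - 1:
                raise
            wait = exc.retry_after if exc.retry_after is not None else delays[attempt]
            sleep(wait)
    raise AssertionError("unreachable")


# ---- Constructed simulation: the API rejects the first `reject_first` calls, then succeeds.
class FakePolygonClient:
    def __init__(self, reject_first: int):
        self.calls = 0
        self.reject_first = reject_first

    def get_aggregates(self) -> dict:
        self.calls += 1
        if self.calls <= self.reject_first:
            raise RateLimited()
        return {"ticker": "AAPL", "results": [{"c": 190.0}]}  # constructed sample payload


def run_simulation(reject_first: int = 2):
    """Return (payload, number of calls made, list of sleep durations) for the simulation."""
    client = FakePolygonClient(reject_first)
    sleeps: List[float] = []
    payload = call_with_backoff(client.get_aggregates, sleep=sleeps.append)
    return payload, client.calls, sleeps


if __name__ == "__main__":
    payload, calls, sleeps = run_simulation()
    print(payload, "after", calls, "calls; slept", [round(s, 2) for s in sleeps])
```

Jitter matters when several workers share one key: without it they all retry at the same instant and trip the limit again together. Pair this with the usage monitoring the guide asks for, so that repeated backoff is visible rather than silently absorbed.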
## Database Security

### Connection Security

- Strong Passwords:
  - Use complex passwords for PostgreSQL users
  - Change default passwords immediately
  - Use password managers

- Connection Strings:

  ```bash
  # Use environment variables, never hardcode
  POSTGRES_URL=postgresql://user:password@localhost:5432/trading_system
  ```

- SSL/TLS:
  - Enable SSL for production databases
  - Use connection pooling securely
  - Restrict database access by IP when possible
### Database Access Control

- User Permissions:
  - Use the least-privilege principle
  - Create separate users for different services
  - Revoke unnecessary permissions

- Schema Isolation:
  - Use schema-based isolation (already implemented)
  - Limit cross-schema access
  - Use row-level security (RLS) when appropriate
## Application Security

### Code Security

- Dependencies:
  - Regularly update dependencies
  - Check for known vulnerabilities:

    ```bash
    pip-audit
    ```

  - Use pinned versions in `requirements.txt`

- Input Validation:
  - Validate all user inputs
  - Use Pydantic models for data validation
  - Sanitize inputs before database queries

- SQL Injection Prevention:
  - Always use parameterized queries (the SQLAlchemy ORM does this)
  - Never concatenate user input into SQL queries
  - Use ORM methods instead of raw SQL when possible
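The vulnerable and the hardened form side by side, as an added example rather than code from the project. It uses the standard-library `sqlite3` module as a stand-in for PostgreSQL so it runs offline, and the `positions` table and its rows are constructed for the demonstration. The distinction carries over unchanged to SQLAlchemy: `session.execute(text(sql), params)` binds parameters, an f-string does not.

```python
"""Parameterized query versus string concatenation, run against an in-memory table.

Added example, not project code. sqlite3 stands in for PostgreSQL; the table
and rows are constructed.
"""
import sqlite3
from typing import List, Tuple


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE positions (symbol TEXT, qty INTEGER, owner TEXT)")
    conn.executemany("INSERT INTO positions VALUES (?, ?, ?)", [
        ("AAPL", 10, "alice"),
        ("MSFT", 5, "alice"),
        ("TSLA", 3, "bob"),
    ])
    return conn


def positions_vulnerable(conn: sqlite3.Connection, symbol: str) -> List[Tuple]:
    """DON'T: the input is spliced into the SQL text and becomes part of the query."""
    sql = f"SELECT symbol, qty FROM positions WHERE symbol = '{symbol}'"
    return conn.execute(sql).fetchall()


def positions_safe(conn: sqlite3.Connection, symbol: str) -> List[Tuple]:
    """DO: the driver sends the value separately; it can never alter the query's structure."""
    return conn.execute(
        "SELECT symbol, qty FROM positions WHERE symbol = ?", (symbol,)
    ).fetchall()


def demo() -> dict:
    """Run both variants with a normal input and with the classic tautology test string."""
    conn = make_db()
    normal = "AAPL"
    hostile = "AAPL' OR '1'='1"   # the textbook test payload used by scanners and audits
    return {
        "vulnerable_normal": positions_vulnerable(conn, normal),
        "vulnerable_hostile": positions_vulnerable(conn, hostile),  # returns every row
        "safe_normal": positions_safe(conn, normal),
        "safe_hostile": positions_safe(conn, hostile),              # no row has that literal symbol
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name:20s} -> {rows}")
```

Note that "sanitizing" the string (escaping quotes) is not the fix; binding parameters is, because the database then never parses user data as SQL at all. Validation with Pydantic belongs in front of this, to reject inputs that are not plausible symbols in the first place.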
### Authentication & Authorization

- API Authentication (Future):
  - Implement API key authentication for production
  - Use JWT tokens for user sessions
  - Implement rate limiting

- Streamlit Security:
  - Run Streamlit on localhost for development
  - Use authentication for production deployments
  - Enable HTTPS for production
### Secrets Management

- Configuration Files:
  - Never commit secrets to Git
  - Use environment variables
  - Consider using a secrets management service for production

- Logging:
  - Never log API keys or secrets
  - Sanitize sensitive data in logs
  - Use log levels appropriately
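One way to enforce "never log secrets" centrally, as an added example that is not part of the project: a `logging.Formatter` that scrubs the actual values of the secret environment variables from every rendered log line, including exception tracebacks, so a key that leaks through a careless debug statement, an error message or a URL query string is replaced before it reaches the log. Variable names follow this guide; the sample values are constructed. The formatter only protects the handlers it is attached to, so install it on every handler in the configuration.

```python
"""Log formatter that redacts known secret values, including inside tracebacks.

Added example, not project code. Redacts by value (whatever the secret happens
to be) rather than by guessing key formats. Sample values are constructed.
"""
import io
import logging
import os
from typing import Iterable, List, Optional

SECRET_VARS = ("ALPACA_API_KEY", "ALPACA_SECRET_KEY", "POLYGON_API_KEY")


class RedactingFormatter(logging.Formatter):
    def __init__(self, secrets: Iterable[str], fmt: str = "%(levelname)s %(name)s: %(message)s"):
        super().__init__(fmt)
        # Ignore very short values (they would redact ordinary words); longest first so a
        # secret that is a prefix of another is still fully replaced.
        self.secrets = sorted((s for s in secrets if len(s) >= 8), key=len, reverse=True)

    def format(self, record: logging.LogRecord) -> str:
        # Render first (message, %-args and traceback), then scrub the whole line.
        text = super().format(record)
        for s in self.secrets:
            text = text.replace(s, "[REDACTED]")
        return text


def secrets_from_env(env: Optional[dict] = None) -> List[str]:
    env = os.environ if env is None else env
    return [env[name] for name in SECRET_VARS if env.get(name)]


def build_logger(secrets: Iterable[str], stream) -> logging.Logger:
    logger = logging.getLogger("trading.example")
    logger.handlers.clear()
    logger.propagate = False          # keep the demo out of the root logger's handlers
    handler = logging.StreamHandler(stream)
    handler.setFormatter(RedactingFormatter(secrets))
    logger.addHandler(handler)
    logger.setLevel(logging.DEBUG)
    return logger


def demo(env: dict) -> str:
    """Emit three careless log lines and return what actually reached the stream."""
    buf = io.StringIO()
    log = build_logger(secrets_from_env(env), buf)
    key = env["ALPACA_API_KEY"]
    log.debug("connecting with key %s", key)                   # secret via %-args
    try:
        raise RuntimeError(f"401 Unauthorized for key {key}")  # secret inside an exception
    except RuntimeError:
        log.exception("auth failed")                           # traceback carries it
    log.info("request to https://api.example/v1?apiKey=%s", env["POLYGON_API_KEY"])
    return buf.getvalue()


SAMPLE_ENV = {  # constructed, fake values
    "ALPACA_API_KEY": "PKEXAMPLEKEY0001",
    "ALPACA_SECRET_KEY": "examplesecret0000000000",
    "POLYGON_API_KEY": "polygonexample1234",
}

if __name__ == "__main__":
    print(demo(SAMPLE_ENV))
```

This is a safety net, not a substitute for not logging the key in the first place: it only knows about the secrets loaded into this process, so tokens obtained at runtime (session JWTs, for example) need to be registered with it as well.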
## Network Security

### Local Deployment

- Firewall:
  - Restrict database ports (5432) to localhost
  - Use Redis authentication
  - Limit service exposure

- Port Security:
  - Run services on localhost when possible
  - Use a reverse proxy for production
  - Enable HTTPS for external access
### API Security

- HTTPS:
  - Always use HTTPS for production
  - Validate SSL certificates
  - Use strong ciphers

- CORS:
  - Configure CORS properly for FastAPI
  - Restrict allowed origins
  - Use appropriate headers
## Data Security

### Data Encryption

- At Rest:
  - Enable PostgreSQL encryption at rest
  - Encrypt backups
  - Secure file storage

- In Transit:
  - Use HTTPS/TLS for all connections
  - Use encrypted database connections
  - Secure WebSocket connections
### Data Privacy

- Personal Information:
  - Minimize data collection
  - Follow GDPR/privacy regulations
  - Secure user data

- Trading Data:
  - Protect trading strategies
  - Secure historical data
  - Control data access
## Best Practices Summary

### Do's ✅

- ✅ Store all secrets in environment variables
- ✅ Use `.env` files excluded from Git
- ✅ Rotate API keys regularly
- ✅ Use paper trading keys for development
- ✅ Enable 2FA on all accounts
- ✅ Keep dependencies updated
- ✅ Use strong passwords
- ✅ Validate all inputs
- ✅ Log errors, not secrets
- ✅ Use HTTPS for production
### Don'ts ❌

- ❌ Never commit API keys to Git
- ❌ Don't hardcode secrets in code
- ❌ Don't share API keys
- ❌ Don't log sensitive information
- ❌ Don't use production keys for development
- ❌ Don't disable security features
- ❌ Don't ignore security warnings
- ❌ Don't use default passwords
- ❌ Don't expose services unnecessarily
- ❌ Don't skip input validation
## Incident Response

### If API Keys Are Compromised

- Immediate Actions:
  - Revoke compromised keys immediately
  - Generate new keys
  - Review recent API activity
  - Check for unauthorized trades

- Prevention:
  - Review access logs
  - Update security practices
  - Notify affected services
### Security Monitoring

- Log Monitoring:
  - Monitor for authentication failures
  - Watch for unusual API activity
  - Check database access logs

- Alerts:
  - Set up alerts for failed logins
  - Monitor API rate limit violations
  - Track unusual trading activity
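A concrete version of the first alert above (failed logins), added here as an example and not the project's own monitoring: it parses log lines, keeps a per-source sliding window of authentication failures, and raises one alert per source when the count in the window reaches a threshold. The log format (`timestamp level component: message`) and the lines themselves are constructed; the regexes need adapting to whatever the system's logger actually emits.

```python
"""Sliding-window detection of authentication-failure bursts in log lines.

Added example, not project code. Log format and sample lines are constructed.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Iterator, List, Tuple

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<level>\w+) (?P<component>[\w.]+): (?P<msg>.*)$"
)
AUTH_FAIL_RE = re.compile(r"authentication failed .* from (?P<src>[\d.]+)")

# Constructed sample: one source fails five times in under a minute, another only twice, far apart.
SAMPLE_LOG = """\
2025-12-01 09:00:01 WARNING auth: authentication failed for user alice from 203.0.113.7
2025-12-01 09:00:05 INFO api: GET /positions 200
2025-12-01 09:00:09 WARNING auth: authentication failed for user alice from 203.0.113.7
2025-12-01 09:00:14 WARNING auth: authentication failed for user admin from 203.0.113.7
2025-12-01 09:00:20 WARNING auth: authentication failed for user bob from 198.51.100.2
2025-12-01 09:00:31 WARNING auth: authentication failed for user root from 203.0.113.7
2025-12-01 09:00:40 WARNING auth: authentication failed for user alice from 203.0.113.7
2025-12-01 09:07:00 WARNING auth: authentication failed for user bob from 198.51.100.2
"""


def parse_events(text: str) -> Iterator[Tuple[datetime, str]]:
    """Yield (timestamp, source) for every auth-failure line; unparseable lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        f = AUTH_FAIL_RE.search(m["msg"])
        if f:
            yield datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"), f["src"]


def detect_bruteforce(text: str, threshold: int = 5,
                      window: timedelta = timedelta(minutes=5)) -> List[Tuple[str, datetime, datetime]]:
    """Return (source, first_failure, alerting_failure) for each source that reaches
    `threshold` failures inside `window`; one alert per source per run."""
    recent = defaultdict(deque)
    alerts = []
    alerted = set()
    for ts, src in parse_events(text):
        q = recent[src]
        q.append(ts)
        while q and ts - q[0] > window:     # drop failures that fell out of the window
            q.popleft()
        if len(q) >= threshold and src not in alerted:
            alerts.append((src, q[0], ts))
            alerted.add(src)
    return alerts


if __name__ == "__main__":
    for src, first, last in detect_bruteforce(SAMPLE_LOG):
        print(f"ALERT: {src} had 5+ auth failures between {first} and {last}")
```

The same window-and-threshold shape works for the other two alerts in the list (rate-limit violations per key, order volume per account); only the line regex and the key you group by change. Tune `threshold` and `window` against a few days of real logs before paging anyone on it.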
## Additional Resources

Important: Security is an ongoing process. Regularly review and update your security practices. When in doubt, err on the side of caution.