David Le
Back to Blog
UncategorizedFebruary 17, 2026·4 min read

Security Architecture for InteropNimbus

InteropNimbus implements defense in depth across multiple layers: authentication, transport, network, and container security.

D

David Le

Security Layers

InteropNimbus implements defense in depth across multiple layers: authentication, transport, network, and container security.

Authentication & Authorization

OAuth 2.0 + OIDC via Keycloak

All authentication flows through Keycloak using OAuth 2.0 with OpenID Connect:

  • PKCE (S256) — prevents authorization code interception attacks, essential for SPAs
  • Short-lived tokens — access tokens expire quickly, with silent refresh before expiry
  • Session management — Keycloak manages sessions server-side; revoking a session immediately invalidates all tokens
  • Role-based access control — Keycloak realm roles map to frontend permissions

No Stored Credentials

InteropNimbus never stores passwords, API keys, or long-lived secrets. The Keycloak adapter handles all token storage in memory, and tokens are refreshed via Keycloak's token endpoint.

Transport Security

HTTPS Everywhere

Traefik enforces HTTPS on all routes with automatic HTTP-to-HTTPS redirection:

entryPoints:
  web:
    address: ":80"
    http:
      redirections:
        entryPoint:
          to: websecure
          scheme: https
  websecure:
    address: ":443"

Let's Encrypt certificates are automatically provisioned and renewed. No manual certificate management.

CORS Configuration

API servers whitelist specific origins. InteropNimbus at interopnimbus.davidle.dev can only call APIs that have explicitly allowed this origin, preventing cross-origin attacks.

Container Security

Docker Network Isolation

Services are segmented into separate Docker networks. The frontend container only has access to the proxy network — it cannot directly reach database containers or internal services.

Resource Constraints

Production containers specify CPU and memory limits to prevent resource exhaustion:

  • Memory limits prevent OOM from affecting other services
  • CPU limits ensure fair scheduling
  • Health checks enable automatic restart on failure

Read-Only Where Possible

Static file serving containers like InteropNimbus don't need write access to the filesystem. The Nginx container serves pre-built static files with no runtime write operations.

Keycloak Hardening

The Keycloak instance itself is hardened:

FROM quay.io/keycloak/keycloak:26.0 AS builder
ENV KC_DB=postgres
ENV KC_METRICS_ENABLED=true
ENV KC_HEALTH_ENABLED=true
RUN /opt/keycloak/bin/kc.sh build
  • Optimized build — the builder stage pre-compiles Keycloak's Quarkus runtime, reducing startup time and attack surface
  • PostgreSQL backend — production-grade database instead of embedded H2
  • Health and metrics — exposed for monitoring, but on a separate port from the auth endpoints

What's Not Yet Implemented

Transparency about current limitations:

  • CSP headers — Content Security Policy headers are planned but not yet configured on the Nginx layer
  • Rate limiting — Traefik middleware for rate limiting is planned for the next iteration
  • Audit logging — Keycloak audit events are enabled but not yet forwarded to a centralized log system

Building InteropNimbus — Part 6 of 8

PreviousNext

Related Projects

Featured

FhirHub

An open-source clinical data platform built on FHIR R4 that unifies patient demographics, vitals, labs, medications, and conditions into a single interface with SMART on FHIR authentication and role-based access.

Next.js
React
TypeScript
.NET 8
+9
View Details
Featured

InteropNimbus

A healthcare interoperability monitoring dashboard for Mirth Connect and HAPI FHIR. Provides real-time channel health, message tracing, and FHIR gateway visibility with enterprise SSO via Keycloak.

React 19
TypeScript
Vite 7
Tailwind CSS v4
+6
View Details
View all projects →