# Database security checklist
- Private network placement and deny-by-default firewall rules.
- TLS for client, replication, and administrative traffic.
- SCRAM for PostgreSQL; ACL users for Redis; API keys and TLS for Qdrant.
- Separate application, migration, backup, and observability identities.
- Row-level security for tenant-owned relational rows.
- Secret rotation, audit retention, patch cadence, and restore drills.
- No production secret is stored in this ZIP.
