Private Documentation Strategy
Assessment: What's Sensitive?
🔴 Highly Sensitive (Should be Private)
-
Deployment Guides (
deployment/staging.md,deployment/production.md)- AWS account structure
- VPC IDs, security group configurations
- Infrastructure architecture details
- Resource naming conventions
- Internal setup procedures
-
CI/CD Configuration (
deployment/ci-cd.md)- GitHub Actions workflow details
- IAM policy configurations
- Deployment procedures
-
Security Documentation (
reference/security.md)- Security audit findings
- Vulnerability details
- Security best practices
-
IAM Configuration (
reference/iam.md)- IAM policy details
- Permission structures
🟡 Moderately Sensitive (Could be Public with Redaction)
-
API Endpoints (
api/endpoints.md)- Public API documentation (usually fine to be public)
- But exposes internal structure
-
Infrastructure Details (
infrastructure/)- Database schema (could be useful for attackers)
- Entity relationships
🟢 Safe to be Public
-
Getting Started (
getting-started/)- Installation instructions
- Local development setup
- Docker setup
-
API Authentication (
api/authentication.md)- Public authentication flow (standard OAuth2)
-
Feature Documentation (
features/)- Feature descriptions
- Usage guides
Options
Option 1: Public GitHub Pages + Sanitize Sensitive Info ⚠️ Not Recommended
Approach: Keep docs public but remove sensitive details
Pros:
- Free
- Easy setup
- Automatic deployment
Cons:
- Still exposes architecture
- Easy to accidentally commit sensitive info
- No access control
- Competitors can see your infrastructure
Verdict: ❌ Not recommended - Too risky for deployment docs
Option 2: Split Documentation (Recommended) ✅
Approach:
- Public: API docs, getting started, features
- Private: Deployment, security, infrastructure details
Implementation:
- Keep public docs on GitHub Pages
- Move sensitive docs to private location:
- Private GitHub repo (separate repo)
- Internal wiki (Confluence, Notion)
- Password-protected site
- VPN/internal network
Pros:
- Best of both worlds
- Public API docs help developers
- Private deployment docs stay secure
- Flexible
Cons:
- Need to maintain two locations
- More complex setup
Verdict: ✅ Recommended - Best balance
Option 3: Cloudflare Pages/Vercel with Private Repo (Free) ✅
Approach: Use Cloudflare Pages or Vercel to deploy from private GitHub repo
Setup:
- Connect private GitHub repo to Cloudflare Pages/Vercel
- Deploy automatically via GitHub Actions
- Can add password protection
- Free for private repos
Pros:
- Free
- Private repo support
- Password protection available
- Automatic deployment via GitHub Actions
- Custom domain support
- Fast global CDN (Cloudflare)
Cons:
- External service dependency
- Need to migrate from GitHub Pages
Verdict: ✅ Good Option - Free private hosting with fast CDN
Option 4: Self-Hosted MkDocs with Authentication
Approach: Host MkDocs yourself with basic auth
Options:
- Cloudflare Access (free tier)
- Nginx with basic auth
- Cloudflare Tunnel (free)
- AWS CloudFront with WAF
Pros:
- Full control
- Can use existing infrastructure
- Various auth options
Cons:
- More setup/maintenance
- Need to manage hosting
Verdict: ⚠️ If you have infrastructure - Good option
Option 5: GitHub Enterprise (Expensive)
Approach: Upgrade to GitHub Enterprise
Pros:
- Private GitHub Pages
- All GitHub features
- Enterprise support
Cons:
- $21/user/month (very expensive)
- Overkill for this use case
Verdict: ❌ Not recommended - Too expensive
Recommended Solution: Option 2 (Split Documentation)
Implementation Plan
Step 1: Create Private Documentation Repo
Create a new private repository: FishingLog.Backend-Docs-Private
Move these files there:
docs/deployment/(all deployment guides)docs/reference/security.mddocs/reference/iam.mddocs/infrastructure/(infrastructure details)
Step 2: Keep Public Docs on GitHub Pages
Keep these public:
docs/getting-started/docs/api/(API documentation)docs/features/(feature docs)docs/frontend/(frontend guides)docs/testing/(testing guides)
Step 3: Update Public Docs
Add note in public docs:
> **Note:** Deployment and infrastructure documentation is available privately.
> Contact the team for access.
Step 4: Deploy Private Docs
Options for private docs:
- Option A: Netlify/Vercel (free, password protection)
- Option B: Internal wiki (Confluence, Notion)
- Option C: Cloudflare Access (free tier)
- Option D: Simple password-protected site
Quick Win: Cloudflare Pages with Password Protection
Easiest solution - Move sensitive docs to Cloudflare Pages:
- Create private repo:
FishingLog.Backend-Docs-Private - Move sensitive docs there
- Connect to Cloudflare Pages:
- Import from GitHub (or use GitHub Actions)
- Build command:
npm run build(for Docusaurus) orpip install -r requirements-docs.txt && mkdocs build(for MkDocs) - Publish directory:
build(Docusaurus) orsite(MkDocs)
- Add password protection:
- Cloudflare Pages → Settings → Access → Password Protection
- Set password
- Deploy automatically on push via GitHub Actions
Result:
- Public API docs:
https://JamesWJager.github.io/FishingLog.Backend/ - Private deployment docs:
https://fishinglog-docs-private.pages.dev(password protected)
Alternative: Sanitize and Keep Public
If you want to keep everything public, sanitize:
-
Remove sensitive details:
- Replace AWS account IDs with placeholders
- Remove VPC IDs
- Remove specific resource names
- Use environment variables in examples
-
Add warnings:
> ⚠️ **Note:** This documentation contains example configurations.
> Replace placeholders with your actual values. -
Use placeholders:
YOUR_AWS_ACCOUNT_IDYOUR_VPC_IDYOUR_DOMAIN.com
Verdict: ⚠️ Risky - Still exposes architecture
My Recommendation
Go with Option 2 (Split) + Cloudflare Pages for Private Docs:
- ✅ Keep public API docs on GitHub Pages
- ✅ Move deployment docs to private Cloudflare Pages site with password
- ✅ Best of both worlds
- ✅ Free
- ✅ Easy to maintain
- ✅ Fast global CDN
Would you like me to:
- Set up the split structure?
- Create a Cloudflare Pages configuration?
- Sanitize the public docs?
Decision Matrix:
| Option | Cost | Security | Ease | Recommendation |
|---|---|---|---|---|
| Public + Sanitize | Free | ⚠️ Low | Easy | ❌ Not recommended |
| Split (Public + Private) | Free | ✅ High | Medium | ✅ Best |
| Cloudflare Pages Private | Free | ✅ High | Easy | ✅ Good |
| Self-Hosted | Variable | ✅ High | Hard | ⚠️ If you have infra |
| GitHub Enterprise | $21/user | ✅ High | Easy | ❌ Too expensive |