Domain & Email Governance
Version: 1.0 | Classification: Official document - Production configuration
Official root domains
| Domain | Primary function | Scope |
|---|---|---|
| mytelevision.tv | Brand, communication, users, email | Front office, identity |
| mytelevision.app | API, backend, application services | Back office, technical |
| mytelevision.stream | Streaming, media delivery | Media infrastructure |
Absolute rule
No other domain or TLD will be used. These three domains are the project's source of truth.
Subdomain architecture
Public frontend
| Subdomain | Root domain | Usage | Exposure |
|---|---|---|---|
| www.mytelevision.tv | mytelevision.tv | Main website, landing pages | Public |
| mytelevision.tv | mytelevision.tv | Redirect to www | Public |
| app.mytelevision.tv | mytelevision.tv | Web application (SPA) | Public |
| m.mytelevision.tv | mytelevision.tv | Mobile web version | Public |
| accounts.mytelevision.tv | mytelevision.tv | User account management | Public/Secured |
Backend / API
| Subdomain | Root domain | Usage | Exposure |
|---|---|---|---|
| api.mytelevision.app | mytelevision.app | Main REST API v2 | Public |
| api-v2.mytelevision.app | mytelevision.app | API v2, explicitly versioned | Public |
| graphql.mytelevision.app | mytelevision.app | GraphQL API (planned) | Public |
| webhooks.mytelevision.app | mytelevision.app | Inbound partner webhooks | Public/Secured |
| ws.mytelevision.app | mytelevision.app | Real-time WebSocket | Public |
Streaming & media
| Subdomain | Root domain | Usage | Exposure |
|---|---|---|---|
| live.mytelevision.stream | mytelevision.stream | Live HLS/DASH streams | Public |
| vod.mytelevision.stream | mytelevision.stream | Video on demand | Public |
| cdn.mytelevision.stream | mytelevision.stream | Media asset CDN | Public |
| origin.mytelevision.stream | mytelevision.stream | Streaming origin server | Internal |
| ingest.mytelevision.stream | mytelevision.stream | Live stream ingest | Secured |
| drm.mytelevision.stream | mytelevision.stream | DRM license server | Secured |
Infrastructure / DevOps
| Subdomain | Root domain | Usage | Exposure |
|---|---|---|---|
| admin.mytelevision.app | mytelevision.app | Administration panel | Internal/VPN |
| monitoring.mytelevision.app | mytelevision.app | Grafana, dashboards | Internal/VPN |
| metrics.mytelevision.app | mytelevision.app | Prometheus metrics | Internal |
| logs.mytelevision.app | mytelevision.app | Loki/Elasticsearch | Internal |
| alerts.mytelevision.app | mytelevision.app | Alertmanager | Internal |
| ci.mytelevision.app | mytelevision.app | CI/CD dashboards | Internal/VPN |
| registry.mytelevision.app | mytelevision.app | Private container registry | Internal |
Security
| Subdomain | Root domain | Usage | Exposure |
|---|---|---|---|
| auth.mytelevision.app | mytelevision.app | Authentication service | Public/Secured |
| sso.mytelevision.app | mytelevision.app | Enterprise Single Sign-On | Secured |
| vault.mytelevision.app | mytelevision.app | Secrets management (HashiCorp Vault) | Internal |
| security.mytelevision.app | mytelevision.app | Security headers, WAF configuration | Internal |
Documentation
| Subdomain | Root domain | Usage | Exposure |
|---|---|---|---|
| docs.mytelevision.app | mytelevision.app | Public technical documentation | Public |
| developer.mytelevision.app | mytelevision.app | Developer portal | Public |
| status.mytelevision.tv | mytelevision.tv | Service status page | Public |
| help.mytelevision.tv | mytelevision.tv | User help center | Public |
Environments (non-production)
| Subdomain | Root domain | Usage | Exposure |
|---|---|---|---|
| staging.mytelevision.app | mytelevision.app | Pre-production environment | Internal/VPN |
| staging-api.mytelevision.app | mytelevision.app | Staging API | Internal/VPN |
| staging.mytelevision.stream | mytelevision.stream | Staging streaming | Internal/VPN |
| sandbox.mytelevision.app | mytelevision.app | Partner sandbox environment | Secured |
| preview.mytelevision.tv | mytelevision.tv | PR/branch previews | Internal |
Email address governance
Exclusive email domain: @mytelevision.tv
Administration & Management
| Address | Usage | Criticality | Security |
|---|---|---|---|
| [email protected] | Executive management | Critical | MFA mandatory, restricted access, audit logs |
| [email protected] | Technical management | Critical | MFA mandatory, restricted access |
| [email protected] | Financial management | Critical | MFA mandatory, restricted access |
| [email protected] | General administration | Sensitive | MFA mandatory |
| [email protected] | Human resources | Sensitive | MFA mandatory, personal data |
| [email protected] | Office management, logistics | Normal | MFA recommended |
Security & Compliance
| Address | Usage | Criticality | Security |
|---|---|---|---|
| [email protected] | Vulnerability and incident reports | Critical | MFA mandatory, 24/7 monitoring |
| [email protected] | Abuse reports (RFC 2142) | Critical | MFA mandatory |
| [email protected] | Data Protection Officer (GDPR) | Critical | MFA mandatory, audit logs |
| [email protected] | User GDPR requests | Sensitive | MFA mandatory |
| [email protected] | Regulatory compliance | Sensitive | MFA mandatory |
| [email protected] | Legal department | Sensitive | MFA mandatory |
Technical & Documentation
| Address | Usage | Criticality | Security |
|---|---|---|---|
| [email protected] | General technical team | Normal | MFA recommended |
| [email protected] | DevOps/SRE team | Sensitive | MFA mandatory |
| [email protected] | Developer API support | Normal | MFA recommended |
| [email protected] | External developer communication | Normal | Alias to api@ |
| [email protected] | Email administration (RFC 2142) | Sensitive | MFA mandatory |
| [email protected] | Web administration (RFC 2142) | Normal | MFA recommended |
| [email protected] | Outbound transactional email | Normal | Send-only |
| [email protected] | System notifications | Normal | Send-only |
Customer support
| Address | Usage | Criticality | Security |
|---|---|---|---|
| [email protected] | Level 1 user support | Normal | MFA recommended |
| [email protected] | Alias to support | Normal | Alias |
| [email protected] | General public contact | Normal | MFA recommended |
| [email protected] | User feedback | Normal | MFA recommended |
| [email protected] | Billing questions | Sensitive | MFA mandatory |
| [email protected] | Subscription management | Sensitive | MFA mandatory |
Communication & Press
| Address | Usage | Criticality | Security |
|---|---|---|---|
| [email protected] | Press relations | Normal | MFA recommended |
| [email protected] | Media requests | Normal | Alias to press@ |
| [email protected] | Marketing team | Normal | MFA recommended |
| [email protected] | Newsletter management | Normal | Mostly send-only |
| [email protected] | Social media | Normal | MFA recommended |
| [email protected] | Community management | Normal | MFA recommended |
B2B / Partnerships
| Address | Usage | Criticality | Security |
|---|---|---|---|
| [email protected] | Strategic partnerships | Sensitive | MFA mandatory |
| [email protected] | B2B opportunities | Normal | MFA recommended |
| [email protected] | Sales team | Normal | MFA recommended |
| [email protected] | Enterprise offers | Normal | MFA recommended |
| [email protected] | Content licensing | Sensitive | MFA mandatory |
| [email protected] | Content acquisition | Sensitive | MFA mandatory |
| [email protected] | Advertising sales | Normal | MFA recommended |
| [email protected] | Alias to advertising | Normal | Alias |
| [email protected] | Sponsorship, events | Normal | MFA recommended |
System addresses (automated)
| Address | Usage | Criticality | Security |
|---|---|---|---|
| [email protected] | Monitoring alerts | Sensitive | Internal distribution only |
| [email protected] | Scheduled task reports | Normal | Internal only |
| [email protected] | Backup notifications | Sensitive | Internal only |
| [email protected] | Deployment notifications | Normal | Internal only |
Recommendations
DNS & Infrastructure
| Recommendation | Priority | Rationale |
|---|---|---|
| Use Cloudflare for all 3 domains | High | DDoS protection, CDN, automatic SSL, fast DNS |
| Enable DNSSEC on all domains | High | Protection against DNS spoofing |
| Configure CAA records | High | Restrict the authorized CAs |
| Low TTL (300s) for critical subdomains | Medium | Flexibility during incidents |
| High TTL (3600s) for stable domains | Medium | DNS performance |
Email security
| Recommendation | Priority | Rationale |
|---|---|---|
| Configure strict SPF | Critical | Spoofing prevention |
| Enable DKIM signing | Critical | Email authentication |
| DMARC policy p=reject | Critical | Reject non-compliant email |
| MTA-STS for secure transport | High | Enforce TLS |
| BIMI with VMC | Medium | Verified logo in email clients |
Recommended email DNS records:
```
; SPF
mytelevision.tv. TXT "v=spf1 include:_spf.google.com include:sendgrid.net -all"
; DKIM
google._domainkey.mytelevision.tv. TXT "v=DKIM1; k=rsa; p=..."
; DMARC
_dmarc.mytelevision.tv. TXT "v=DMARC1; p=reject; rua=mailto:[email protected]; ruf=mailto:[email protected]; fo=1"
; MTA-STS
_mta-sts.mytelevision.tv. TXT "v=STSv1; id=20251218"
```
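The records above can be verified against the policy in the table (strict SPF, a published DKIM key, DMARC p=reject, MTA-STS announced) before and after every DNS change. The script below is an added example and not part of this document or the project's own tooling. It evaluates TXT records held in a dictionary so it runs offline; the zone data is constructed from the records above, with placeholder report mailboxes (the document's addresses are redacted here) and a placeholder DKIM key. A second, deliberately weak zone shows the findings the audit produces.

```python
"""Added example (not from the original document): audit the email-authentication
TXT records recommended above against the stated policy."""
import re

# Constructed sample zone built from the records in the document. The DMARC
# report mailboxes are placeholders (the document's addresses are redacted)
# and the DKIM key is a placeholder string, not a real public key.
SAMPLE_ZONE = {
    "mytelevision.tv.": ["v=spf1 include:_spf.google.com include:sendgrid.net -all"],
    "google._domainkey.mytelevision.tv.": ["v=DKIM1; k=rsa; p=PLACEHOLDER_BASE64_PUBLIC_KEY"],
    "_dmarc.mytelevision.tv.": [
        "v=DMARC1; p=reject; rua=mailto:dmarc-rua@mytelevision.tv; "
        "ruf=mailto:dmarc-ruf@mytelevision.tv; fo=1"
    ],
    "_mta-sts.mytelevision.tv.": ["v=STSv1; id=20251218"],
}

# Constructed weak zone for contrast: soft-fail SPF, a revoked DKIM key,
# monitoring-only DMARC without reports, and no MTA-STS record at all.
WEAK_ZONE = {
    "mytelevision.tv.": ["v=spf1 include:_spf.google.com ~all"],
    "google._domainkey.mytelevision.tv.": ["v=DKIM1; k=rsa; p="],
    "_dmarc.mytelevision.tv.": ["v=DMARC1; p=none"],
}

# SPF terms that cost a DNS lookup; RFC 7208 allows at most 10 per evaluation.
SPF_LOOKUP_TERM = re.compile(r"^[+\-~?]?(include|a|mx|ptr|exists|redirect)(?=[:=/]|$)")


def parse_tags(record: str) -> dict:
    """Parse a 'k=v; k=v' tag list (DKIM, DMARC, MTA-STS); first occurrence wins."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags.setdefault(key.strip().lower(), value.strip())
    return tags


def check_spf(record: str) -> list:
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["SPF: record does not start with v=spf1"]
    issues = []
    if terms[-1].lower() != "-all":
        issues.append(f"SPF: policy requires a strict '-all' terminator, found {terms[-1]!r}")
    lookups = sum(1 for t in terms[1:] if SPF_LOOKUP_TERM.match(t.lower()))
    if lookups > 10:
        issues.append(f"SPF: {lookups} DNS-lookup terms exceed the RFC 7208 limit of 10")
    return issues


def check_dkim(record: str) -> list:
    tags = parse_tags(record)
    issues = []
    if tags.get("v") != "DKIM1":
        issues.append("DKIM: missing v=DKIM1")
    if not tags.get("p"):
        issues.append("DKIM: empty p= tag means the selector is revoked")
    return issues


def check_dmarc(record: str) -> list:
    tags = parse_tags(record)
    if tags.get("v") != "DMARC1":
        return ["DMARC: missing v=DMARC1"]
    issues = []
    if tags.get("p") != "reject":
        issues.append(f"DMARC: policy requires p=reject, found p={tags.get('p')}")
    if "rua" not in tags:
        issues.append("DMARC: no rua= address, so spoofing attempts are never reported")
    return issues


def check_mta_sts(record: str) -> list:
    tags = parse_tags(record)
    issues = []
    if tags.get("v") != "STSv1":
        issues.append("MTA-STS: missing v=STSv1")
    if not tags.get("id"):
        issues.append("MTA-STS: missing id= (receivers use it to detect policy changes)")
    return issues


def audit_zone(zone: dict, domain: str = "mytelevision.tv.", selector: str = "google") -> list:
    """Run every check on one domain's TXT records; an empty list means compliant."""
    issues = []
    # Exactly one SPF record may exist; two or more is a permanent error under RFC 7208.
    spf = [r for r in zone.get(domain, []) if r.lower().startswith("v=spf1")]
    if len(spf) != 1:
        issues.append(f"SPF: expected exactly one v=spf1 record at {domain}, found {len(spf)}")
    else:
        issues.extend(check_spf(spf[0]))
    for name, check, label in (
        (f"{selector}._domainkey.{domain}", check_dkim, "DKIM"),
        (f"_dmarc.{domain}", check_dmarc, "DMARC"),
        (f"_mta-sts.{domain}", check_mta_sts, "MTA-STS"),
    ):
        records = zone.get(name, [])
        if not records:
            issues.append(f"{label}: no TXT record at {name}")
        for record in records:
            issues.extend(check(record))
    return issues
```

Against `SAMPLE_ZONE` the audit returns an empty list; against `WEAK_ZONE` it reports the soft-fail SPF, the revoked DKIM key, the `p=none` policy, the missing `rua=` address and the absent MTA-STS record. To run it against live DNS, replace the dictionary lookups with a resolver query (for example `dns.resolver.resolve` from dnspython). Two caveats worth keeping in mind: the `_mta-sts` TXT record only announces a policy, the policy file itself must be served over HTTPS at `https://mta-sts.mytelevision.tv/.well-known/mta-sts.txt` (RFC 8461) and that hostname does not appear in the subdomain tables above; and a `p=reject` DMARC policy enforces alignment for every sender, so the transactional and newsletter senders under @mytelevision.tv must be covered by the same SPF includes or sign with DKIM, otherwise their mail is rejected along with the spoofed mail.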
Network architecture
| Recommendation | Priority | Rationale |
|---|---|---|
| Internal subdomains reachable only via VPN | High | Reduced attack surface |
| WAF on all public entry points | High | Application-layer protection |
| Per-subdomain rate limiting | High | Application-layer DDoS protection |
| mTLS for inter-service communication | High | Zero-trust architecture |
| Wildcard certificates for *.mytelevision.app | Medium | Simplified SSL management |
Governance
| Recommendation | Priority | Rationale |
|---|---|---|
| Quarterly audit of email access | High | Security hygiene |
| Annual review of subdomains | Medium | Technical-debt cleanup |
| Offboarding procedure including access revocation | High | HR security |
| Document aliases in a central registry | Medium | Traceability |
Responsibility matrix (RACI)
| Item | CTO | DevOps | Security | IT Admin |
|---|---|---|---|---|
| Subdomain decisions | A | R | C | I |
| DNS configuration | A | R | C | I |
| Email account creation | A | I | C | R |
| Security policy | A | C | R | I |
| Monitoring | A | R | C | I |
A = Accountable, R = Responsible, C = Consulted, I = Informed
Emergency contacts
| Situation | Primary contact | Backup contact |
|---|---|---|
| Security incident | [email protected] | [email protected] |
| Infrastructure outage | [email protected] | [email protected] |
| DNS/Email problem | [email protected] | [email protected] |
| Urgent GDPR request | [email protected] | [email protected] |