Security

This document outlines the security measures implemented in the BidScript backend application.

Authentication and Authorisation

JWT Authentication

The application uses JSON Web Tokens (JWT) for authentication:

  • Tokens are signed using a secure secret key
  • Token expiration is configurable (default: 8 hours)
  • Refresh token mechanism for extended sessions
  • Token revocation for logout and security incidents

User Authentication Flow

  1. User submits credentials (username/password)
  2. Server validates credentials against database
  3. Server generates and returns JWT token
  4. Client includes token in Authorization header for subsequent requests
  5. Server validates token on protected endpoints

Role-Based Access Control

Access to resources is controlled through role-based permissions:

  • Admin: Full system access
  • Editor: Can create and modify documents
  • Viewer: Read-only access to documents
  • Custom roles for specialised permissions

API Security

Request Validation

All API requests are validated:

  • Input validation using class-validator
  • Schema validation for request bodies
  • Parameter type checking and sanitisation
  • Protection against malformed requests

Rate Limiting

Rate limiting is implemented to prevent abuse:

  • Configurable rate limits based on endpoint and user role
  • IP-based rate limiting for unauthenticated requests
  • Exponential backoff for repeated violations

CORS Policy

Cross-Origin Resource Sharing (CORS) is configured:

  • Whitelist of allowed origins
  • Credential support for authenticated requests
  • Preflight request handling
  • Header restriction

Data Protection

Encryption

Sensitive data is protected using encryption:

  • HTTPS/TLS for all connections
  • Password hashing using bcrypt with appropriate salt rounds
  • Encryption of sensitive data at rest
  • Key management using Azure Key Vault

Data Isolation

  • Tenant isolation for multi-tenant deployments
  • Resource-level access controls
  • Database schema design for data separation

Secure Development Practices

Dependency Management

  • Regular dependency updates
  • Vulnerability scanning in CI/CD pipeline
  • Security patches applied promptly

Code Security

  • Static code analysis
  • Secure coding guidelines
  • Regular security reviews
  • No secrets in source code

Infrastructure Security

Docker Security

  • Minimal base images
  • Non-root user execution
  • Read-only file systems where possible
  • Resource limitations

Network Security

  • Internal services not exposed to public internet
  • Firewall rules and network policies
  • Virtual Private Networks (VPNs) for administrative access
  • Connection encryption

Monitoring and Incident Response

Logging and Monitoring

  • Centralised logging
  • Security event monitoring
  • Alerting for suspicious activities
  • Audit logging for sensitive operations

Incident Response

  • Defined security incident response plan
  • Vulnerability disclosure policy
  • Regular security testing

Compliance

The application is designed to help meet compliance requirements for:

  • GDPR (General Data Protection Regulation)
  • Data protection and privacy regulations
  • Industry-specific compliance needs

Security Configuration

Security settings can be configured through environment variables:

  • JWT_SECRET: Secret key for JWT signing
  • CORS_ORIGINS: Allowed CORS origins
  • RATE_LIMIT_WINDOW: Rate limiting window
  • RATE_LIMIT_MAX: Maximum requests per window
  • HELMET_ENABLED: Enable Helmet security middleware

For a complete list of security-related environment variables, see Environment Variables.