Production Hardening & Compliance Matrix
Security is maintained through multiple layers of system isolation. Below is the production hardening matrix mapped directly to international compliance guidelines.
Content Security Policy (CSP)
Restricts the origins from which scripts, styles, frames, and images may load, so injected inline or third-party scripts are refused by the browser.
Mitigates Cross-Site Scripting (XSS) and clickjacking via injected frames.
WebAuthn Cryptographic Bindings
Verifies that each assertion's origin matches the registered Relying Party Identifier (rpId) and checks the authenticator's signature counter against the stored value.
Blocks phishing, credential sharing, and replayed authentication assertions.
AES-256-GCM At-Rest Encryption
Encrypts documents at rest on disk. Each stored file is prefixed with a random 12-byte nonce and suffixed with a 16-byte authentication tag.
Prevents plaintext document exposure if a directory is breached or a storage volume is leaked.
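The stored-file layout described above (nonce || ciphertext || tag), written out as an added example in Go's standard library rather than the product's own code; the 32-byte key is assumed to be supplied by the caller, and the decrypt side fails closed on truncation and on any tag mismatch.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"io"
)

// On-disk layout described above: nonce (12 bytes) || ciphertext || tag (16 bytes).
const nonceSize, tagSize = 12, 16

var ErrMalformed = errors.New("stored blob shorter than nonce + tag")

// newGCM builds the AEAD; a 32-byte key is assumed, which makes aes.NewCipher select AES-256.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SealDocument encrypts one document for storage, drawing a fresh random nonce per file.
func SealDocument(key, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, nonceSize)
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	// Seal appends ciphertext||tag to the nonce slice, yielding nonce||ciphertext||tag.
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// OpenDocument parses the layout and fails closed: a truncated blob is rejected
// before decryption, and a tag mismatch returns an error with no plaintext.
func OpenDocument(key, blob []byte) ([]byte, error) {
	if len(blob) < nonceSize+tagSize {
		return nil, ErrMalformed
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, blob[:nonceSize], blob[nonceSize:], nil)
}
```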
Redis Sliding-Window Rate Limiter
A Lua-scripted sliding-window rate limiter guards all authentication endpoints: 5 requests per 60 s for standard login, 3 requests per 60 s for sensitive operations (admin login, password reset, magic link).
Blocks brute-force credential guessing and Denial of Service (DoS) request floods against the API.
SQL Parameterization Constraints
Binds query parameters through SQLx prepared statements, so user input is never concatenated into the SQL text that the database parses.
Eliminates SQL injection vectors in backend database operations.
Audit Log Immutability Ledger
Logs every change (user logins, uploads, moves, classification updates) with remote IP addresses and session IDs.
Preserves a tamper-resistant trace history for post-incident investigations; audit entries cannot be edited after the fact.
Defensive Infrastructure Architecture
1. Network Filtering
All APIs run inside private subnets. Public client entry is restricted to predefined subdomains, and invalid requests are rejected at the edge layer to preserve server capacity.
2. Key Protection
Cryptographic keys are supplied at startup through OS environment variables. Keys remain only in memory and are never written to logs or committed to source repositories.
3. Input Sanitization
User-supplied files and text inputs are validated character by character before any file system operation. Structured queries are parameterized rather than built from strings, preventing follow-on injection or execution.