Security Audit
Audit Scope
Authentication
- bcrypt cost 12 with constant-time comparison
- Password policy enforced (min length, complexity, common-password check)
- Brute force: lockout after 5 failures, doubling backoff
- Session cookies: `__Host-` prefix, HttpOnly, Secure, SameSite=Lax
- Session expiry: 8h absolute, 30min idle
- OAuth: state parameter validated, PKCE used
- API keys: SHA-256 hashed, `areg_` prefix, plaintext shown once only
- `must_change_pass` enforced on first-boot admin
Authorization
- Role checks on every mutation (viewer/editor/admin)
- API key scope validation (read/write/admin)
- No privilege escalation paths
Data Protection
- `password_hash` uses `json:"-"`
- MCP `auth_credential` encrypted AES-256-GCM at rest
- No secrets in logs or API responses
Input Validation
- Parameterized SQL queries (`$1` placeholders via pgx)
- JSON body size limits
- UUID parameters validated before use
- MCP endpoint SSRF protection (block internal IPs)
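
One way to implement the SSRF item above for outbound MCP calls, shown as an added example and not code from the audited project: a `net.Dialer` `Control` hook that checks the resolved IP at connect time instead of validating only the URL string. `isInternal`, `guardDial`, `newMCPClient` and the sample addresses are assumed names and constructed values, and treating 100.64.0.0/10 as internal is an assumption beyond what the checklist states.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"net/http"
	"net/netip"
	"syscall"
	"time"
)

var errInternal = errors.New("ssrf guard: internal destination")
var cgnat = netip.MustParsePrefix("100.64.0.0/10") // RFC 6598; not covered by IsPrivate

// isInternal reports whether ip must never be reached by an outbound MCP call.
func isInternal(ip netip.Addr) bool {
	ip = ip.Unmap() // treat ::ffff:10.0.0.1 as 10.0.0.1
	return !ip.IsValid() || ip.IsLoopback() || ip.IsPrivate() || ip.IsUnspecified() ||
		ip.IsLinkLocalUnicast() || ip.IsMulticast() || cgnat.Contains(ip)
}

// guardDial is a net.Dialer.Control hook. It sees the literal IP after DNS
// resolution, so a hostname that resolves to an internal address is rejected too.
func guardDial(_, address string, _ syscall.RawConn) error {
	ap, err := netip.ParseAddrPort(address)
	if err != nil {
		return fmt.Errorf("ssrf guard: %w", err)
	}
	if isInternal(ap.Addr()) {
		return fmt.Errorf("%w: %s", errInternal, ap.Addr())
	}
	return nil
}

// newMCPClient (hypothetical name): every connection, redirects included,
// goes through guardDial. No proxy, so the dialed IP is the real target.
func newMCPClient() *http.Client {
	d := &net.Dialer{Timeout: 5 * time.Second, Control: guardDial}
	tr := &http.Transport{DialContext: d.DialContext, Proxy: nil}
	return &http.Client{Timeout: 15 * time.Second, Transport: tr}
}

func main() { // constructed sample addresses
	for _, a := range []string{"127.0.0.1:80", "[::ffff:169.254.169.254]:80", "93.184.216.34:443"} {
		fmt.Println(a, "->", guardDial("tcp", a, nil))
	}
}
```
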
Headers & Transport
- X-Content-Type-Options, X-Frame-Options, Strict-Transport-Security
- CORS restrictive (not `*`)
- CSRF token on all non-GET session endpoints
Workflow
- Read implementation of module under audit
- Cross-reference with spec Sections 3 and 8
- Document findings: `| Severity | Location | Issue | Fix |`
- Write failing test exposing each vulnerability
- Fix, verify test passes, run full suite with `-race`
Severity Levels
- CRITICAL: Auth bypass, data exposure, RCE
- HIGH: Privilege escalation, missing encryption
- MEDIUM: Missing rate limit, weak validation
- LOW: Missing headers, informational