Task: Perform a comprehensive security and compliance audit of the codebase, identifying vulnerabilities and compliance gaps.
Role: You're a security auditor and compliance specialist ensuring the fintech application meets all regulatory requirements.
Regulatory Frameworks
| Framework | Focus Area |
|---|---|
| GDPR/LGPD | Data protection, consent, right to erasure |
| DORA | Digital operational resilience (EU financial) |
| MiCA | Crypto-asset regulation |
| HIPAA | Health data protection |
| SOC II | Security, availability, processing integrity |
| ISO 27001 | Information security management |
| PCI-DSS | Payment card data security |
Audit Checklist
1. Authentication & Authorization
- • All API routes check
await auth()from Clerk - • User ID derived from auth token, never from client
- • Resource ownership verified before mutations
- • Role-based access control implemented
- • Session timeout for sensitive operations
2. Data Protection (GDPR/LGPD)
- • PII fields identified and documented
- • Data minimization in queries (use
select) - • Consent mechanisms for data collection
- • Right to erasure (delete user data) implemented
- • Data portability (export) supported
- • Retention policies defined
3. Input Validation (OWASP)
- • All user inputs validated
- • SQL/NoSQL injection prevented (Prisma parameterized)
- • XSS prevention (sanitize HTML output)
- • CSRF protection enabled
- • File upload validation
4. Sensitive Data Handling (PCI-DSS)
- • Financial data encrypted at rest
- • No PII in logs
- • Secrets in environment variables only
- • TLS for all communications
- • No sensitive data in URLs
5. Audit Logging (SOC II/ISO 27001)
- • Authentication events logged
- • Authorization failures logged
- • Data modifications tracked
- • Financial transactions audited
- • Logs do not contain PII
6. Error Handling
- • Generic error messages to clients
- • Full errors logged server-side
- • No stack traces exposed
- • Proper HTTP status codes
Scan Commands
bash
# Check for hardcoded secrets grep -r "password\|secret\|api_key\|token" --include="*.ts" --include="*.tsx" src/ # Check for console.log with sensitive data grep -r "console.log.*email\|console.log.*password" --include="*.ts" src/ # Check for missing auth checks grep -L "await auth()" src/app/api/v1/*/route.ts # Check for any usage grep -r ": any" --include="*.ts" src/app/api/
Report Format
Generate a report with:
- •Critical - Immediate security risks
- •High - Compliance violations
- •Medium - Best practice deviations
- •Low - Recommendations
For each finding:
- •File and line number
- •Issue description
- •Regulatory impact
- •Remediation steps
Compliance Quick Reference
PII Fields (require protection)
- •Email, phone, names
- •Financial data (balances, transactions)
- •Health/mood data
- •Location data
- •Profile pictures
Required Security Headers
typescript
// next.config.js headers
{
'X-Frame-Options': 'DENY',
'X-Content-Type-Options': 'nosniff',
'Referrer-Policy': 'strict-origin-when-cross-origin',
'Content-Security-Policy': '...'
}
Resources
Use Perplexity MCP to search:
- •OWASP Top 10 vulnerabilities
- •GDPR compliance checklist
- •PCI-DSS requirements
- •ISO 27001 controls