TalentFilter Security & Integrity Skill
This skill provides the authoritative security guidelines for the TalentFilter platform. It covers everything from preventing candidate cheating to protecting the platform against abuse and hacking.
1. Anti-Cheating Implementation (Candidate Side)
To ensure the integrity of the screening process, all candidate interfaces must implement these measures:
- •Visibility Monitoring:
- •Use the
visibilitychangeAPI to track if a candidate switches tabs or minimizes the browser. - •Action: Increment a
tab_switchescounter in theuseInterviewStore. If a pre-defined threshold is reached, notify the recruiter via a flag in the database.
- •Use the
- •Input Lockdown:
- •Ensure all answer
Textareacomponents are wrapped in theusePreventCopyPastehook. - •Action: Prevent
copy,paste, andcutevents to ensure candidates type their own responses.
- •Ensure all answer
- •Backend Time Validation:
- •Never trust the client-side timer for final submission logic.
- •Action: The backend must calculate the interview duration as
submission_time - start_timeand flag any discrepancies.
2. Request Limits & API Throttling (Cost & Abuse Prevention)
To prevent budget overruns from AI usage and protect the platform from bot abuse:
- •Endpoint Throttling:
- •Implement rate limiting (e.g., using
slowapior similar) on all AI-heavy endpoints:- •
POST /jobs/analyze - •
POST /interviews/submit
- •
- •Implement rate limiting (e.g., using
- •Session-Based Capping:
- •Limit the number of job analysis requests a single recruiter can make within a 24-hour period.
- •Limit the number of interview submission attempts per candidate token.
- •AI Token Management:
- •Centralize all AI calls through the
AIServiceand log token usage per recruiter/job to monitor costs and prevent spikes.
- •Centralize all AI calls through the
3. Application Security (Hacking Prevention)
Protect the platform against common web vulnerabilities:
- •Input Sanitization:
- •All user inputs must be validated using Pydantic (Backend) and Zod (Frontend) to prevent injection attacks (SQL, XSS).
- •Secure File Handling:
- •If any file uploads are implemented (e.g., CVs), strictly validate file types and sizes. Scan for malware before processing.
- •Framework Monitoring:
- •Actively monitor security advisories for Next.js (especially router-level vulnerabilities) and FastAPI.
- •Action: Always prioritize the latest stable versions (e.g., Next.js 15+ with the latest patches) and verify implementation against current official security documentation.
- •Environment Integrity:
- •Keep Next.js and FastAPI dependencies updated to the latest stable versions to mitigate known CVEs.
- •Use CORS to restrict backend access to the authorized frontend domain.
4. Secure Data Access & RLS
- •Strict Isolation:
- •Recruiters: Mandatory RLS policy:
auth.uid() = recruiter_id. They must never be able to see another recruiter's data. - •Candidates: Zero-Trust access. No candidate should have direct access to Supabase tables. All interactions must be proxied via the FastAPI backend using
service_rolekeys.
- •Recruiters: Mandatory RLS policy:
- •Response Scrubbing:
- •Public-facing endpoints (e.g.,
/session/{token}) must explicitly exclude sensitive data likeideal_answerorscoring_criteria.
- •Public-facing endpoints (e.g.,
5. Security Workflow
- •Verify: Before deploying any new feature, verify that RLS policies are in place.
- •Audit: Regularly audit AI usage logs to identify potential abuse.
- •Throttling: Ensure all new public-facing endpoints have appropriate rate limits.