⚠️ Superseded by COMPLIANCE_MAPPING.md and the Trust Center for all customer-facing claims. Internal/historical reference only.

This Manufacturing Allocation Intelligence SaaS platform implements SOC2-lite security controls to ensure data protection, integrity, and compliance with industry standards. Our security architecture follows defense-in-depth principles with multiple layers of protection.

What it does: Controls who can access and modify different parts of the system.

Features:

• 27 granular permissions across all functional areas
• 5 predefined roles: Admin, Executive, Procurement Manager, Production Planner, Analyst
• Custom role creation with flexible permission assignment
• Company-scoped access control (multi-tenant isolation)

How to use:

• Navigate to Settings → Users & Roles
• Assign roles to users
• Create custom roles with specific permissions
• View role assignments in the user management interface

Technical details:

• Implemented in server/lib/rbac.ts
• Middleware enforcement on all protected routes
• Permission checks at both route and UI level

What it does: Tracks all user actions for compliance and security monitoring.

What's logged:

• All create, update, delete operations
• User authentication events
• Data export and import operations
• Role assignments and permission changes
• System configuration changes

Log details include:

• User ID and company ID
• Timestamp
• Action type (create/update/delete/etc.)
• Entity type and ID
• Changes made (before/after snapshots)
• IP address and user agent

How to access:

• Available via API: GET /api/audit-logs
• Filtered by company, user, date range, entity type
• Exportable for compliance reporting

Technical details:

• Implemented in server/lib/auditLogger.ts
• Automatic logging middleware
• Database persistence for long-term retention

What it does: Protects sensitive data at rest using industry-standard encryption.

Encryption details:

• Algorithm: AES-256-GCM (authenticated encryption; tamper-evident)
• Key management: PBKDF2-derived key from a master secret held only in runtime env; fail-closed if absent
• Scope: tenant integration credentials, tokens, secrets, sensitive configuration
• Note: a legacy AES-256-CBC path remains for decrypt-only backward compatibility of pre-hardening ciphertext; all new writes use GCM

Usage:

import { encryptionService } from './lib/securityHardening';

// Encrypt sensitive data
const encrypted = encryptionService.encrypt(apiKey);

// Decrypt when needed
const decrypted = encryptionService.decrypt(encrypted);

// Hash for verification
const hashed = encryptionService.hash(password);

Best practices:

• Never log encrypted keys
• Rotate encryption keys periodically
• Store encryption keys in secure environment variables

What it does: Prevents abuse by limiting request frequency.

Default limits:

• Global API: 100 requests/minute per IP
• Authentication: 5 requests/minute (prevents brute force)
• Read-only endpoints: 300 requests/minute
• Sensitive operations: 3 requests/minute

Response headers:

• X-RateLimit-Limit: Maximum requests allowed
• X-RateLimit-Remaining: Requests remaining in window
• X-RateLimit-Reset: When the limit resets

429 Too Many Requests response:

{
  "error": "Too many requests",
  "message": "Rate limit exceeded. Please try again later.",
  "retryAfter": 60
}

Technical details:

• In-memory rate limiting with automatic cleanup
• Configurable per-endpoint limits
• Distributed rate limiting support for scaling

What it does: Prevents XSS, injection attacks, and malformed input.

Protection against:

• Cross-Site Scripting (XSS)
• SQL Injection attempts
• HTML/JavaScript injection
• Path traversal attacks
• Malformed emails and URLs

Sanitization process:

1. Remove dangerous characters (<, >, javascript:, etc.)
2. Strip event handlers (onclick, onerror, etc.)
3. Validate data types and formats
4. Apply Zod schema validation
5. Log suspicious patterns

SQL Injection Detection:

• Pattern-based detection for SQL keywords
• Automatic blocking of suspicious queries
• Security event logging for monitoring

What it does: Configures browser security policies to prevent attacks.

Headers applied (verified on the live deployment):

• Content-Security-Policy: restricts resource loading and sets frame-ancestors — this is our clickjacking control. (X-Frame-Options is intentionally omitted in favor of CSP frame-ancestors.)
• Strict-Transport-Security: max-age + includeSubDomains - forces HTTPS
• X-Content-Type-Options: nosniff - prevents MIME sniffing
• Referrer-Policy: strict-origin-when-cross-origin
• Permissions-Policy: geolocation=(), microphone=(), camera=()
• X-XSS-Protection: 0 - the legacy browser XSS auditor is deliberately disabled (modern guidance; CSP is the real XSS defense)

CSP Policy (live):

default-src 'self';
script-src 'self' https://cdnjs.cloudflare.com https://js.stripe.com;
style-src 'self' https://fonts.googleapis.com;
img-src 'self' data: https:;
font-src 'self' data: https://fonts.gstatic.com;
connect-src 'self' wss: https: https://api.stripe.com;
frame-src 'self' https://js.stripe.com https://hooks.stripe.com;
frame-ancestors 'self' https://*.replit.com https://*.replit.dev https://*.replit.app;

What it does: Secures user sessions and prevents session hijacking.

Features:

• HttpOnly cookies: Prevents JavaScript access to session cookies
• Secure flag: Enforces HTTPS transmission
• SameSite: strict - CSRF protection
• Session expiration: rolling session lifetime; refresh tokens revoked on logout and on password change
• Idle / absolute inactivity timeout: on the roadmap — not yet enforced

Configuration:

{
  secret: process.env.SESSION_SECRET,
  httpOnly: true,
  secure: true, // HTTPS only
  sameSite: 'strict',
  maxAge: 24 * 60 * 60 * 1000 // 24 hours
}

What it does: Tracks security events and anomalies in real-time.

Monitored events:

• Rate limit violations
• SQL injection attempts
• XSS attack attempts
• Authentication failures
• Suspicious activity patterns

Event severity levels:

• Low: Minor violations, single occurrences
• Medium: Repeated violations, potential probing
• High: Clear attack patterns, multiple failures
• Critical: Active attacks, system compromise attempts

Access monitoring:

• API: GET /api/security/events?minutes=60
• Summary: GET /api/security/summary

Response format:

{
  "totalEvents": 150,
  "last24Hours": 42,
  "byType": {
    "rateLimits": 30,
    "sqlInjections": 5,
    "xssAttempts": 2,
    "authFailures": 3,
    "suspicious": 2
  },
  "bySeverity": {
    "low": 35,
    "medium": 5,
    "high": 2,
    "critical": 0
  }
}

• Every data record is scoped to a companyId
• Database queries automatically filter by company
• Cross-company access is prevented at the database level
• User permissions are company-specific

Data portability:

• Export all company data in JSON, CSV, or Excel formats
• Includes SKUs, materials, suppliers, forecasts, allocations
• Self-service export via Settings → Data Management

Data deletion:

• Cascade deletion of company data
• Audit logs preserved for compliance
• User can request full data deletion

• Right to access: Users can export all their data
• Right to deletion: Company admins can delete all company data
• Right to rectification: Users can update their information
• Consent management: Clear consent for data processing
• Data minimization: Only collect necessary data

• ✅ Role-Based Access Control (RBAC)
• ✅ Least privilege access enforcement
• ✅ User authentication and authorization
• ⬜ Multi-factor authentication (TOTP) — on the roadmap, not yet implemented

• ✅ Encryption at rest (AES-256-GCM for app-managed secrets; provider-managed AES-256 for Postgres & object storage)
• ✅ Encryption in transit (HTTPS/TLS)
• ✅ Session security and timeout
• ✅ Password security (via OAuth provider)

• ✅ Comprehensive audit logging
• ✅ Version control (Git)
• ✅ Change tracking and attribution
• ✅ Rollback capabilities

• ✅ Input validation and sanitization
• ✅ SQL injection prevention
• ✅ XSS prevention
• ✅ CSRF protection
• ✅ Rate limiting
• ✅ Security monitoring and alerts

• ✅ Automated testing
• ✅ Error logging and monitoring
• ✅ Performance monitoring
• ✅ Disaster recovery (database backups)

• ✅ Real-time security event tracking
• ✅ Audit log retention
• ✅ Performance metrics
• ✅ Error tracking

1. Never commit secrets to version control

   • Use environment variables for all sensitive data
   • Never hard-code API keys, passwords, or tokens

2. Always validate input

   • Use Zod schemas for request validation
   • Sanitize user input before processing
   • Never trust client-side data

3. Follow principle of least privilege

   • Grant minimum necessary permissions
   • Check permissions at both route and function level
   • Never bypass RBAC checks

4. Log security-relevant events

   • Use audit logger for all mutations
   • Log authentication failures
   • Record permission denials

5. Keep dependencies updated

   • Regularly update npm packages
   • Monitor security advisories
   • Address vulnerabilities promptly

1. Regular security audits

   • Review audit logs weekly
   • Monitor security events daily
   • Investigate anomalies promptly

2. Access management

   • Review user roles quarterly
   • Remove inactive users
   • Audit permission assignments

3. Incident response

   • Have a security incident response plan
   • Know how to access audit logs
   • Document security incidents

4. Backup and recovery

   • Regular database backups
   • Test restore procedures
   • Maintain disaster recovery plan

1. Strong authentication

   • Use strong, unique passwords
   • Enable MFA if available
   • Never share credentials

2. Data handling

   • Only export data when necessary
   • Protect exported data files
   • Delete exports after use

3. Report suspicious activity

   • Report unusual system behavior
   • Report unauthorized access attempts
   • Contact security team for concerns

All routes require authentication unless marked [PUBLIC]:

POST   /api/auth/*               [Rate limited: 5/min]
GET    /api/*                    [Authenticated; tenant-scoped (companyId)]
POST   /api/*                    [Authenticated; tenant-scoped; Audit; RBAC where enforced (coverage expanding)]
PATCH  /api/*                    [Authenticated; tenant-scoped; Audit; RBAC where enforced (coverage expanding)]
DELETE /api/*                    [Authenticated; tenant-scoped; Audit; RBAC where enforced (coverage expanding)]

Content-Security-Policy: default-src 'self'; ... frame-ancestors 'self' https://*.replit.com ...
Strict-Transport-Security: max-age=31536000; includeSubDomains
X-Content-Type-Options: nosniff
Referrer-Policy: strict-origin-when-cross-origin
Permissions-Policy: geolocation=(), microphone=(), camera=()
X-XSS-Protection: 0

1. Immediate actions:

   • Document the event (screenshot, logs)
   • Note the time, user, and affected resources
   • Do not delete evidence

2. Escalation:

   • Contact system administrator
   • Provide audit log exports
   • Share security event summaries

3. Investigation:

   • Review audit logs for the time period
   • Check security monitoring events
   • Identify affected data and users

4. Remediation:

   • Revoke compromised access
   • Reset credentials if needed
   • Apply additional security measures

5. Post-incident:

   • Document findings
   • Update security procedures
   • Communicate to affected users if needed

For security issues or questions:

• Security incidents: Check security monitoring dashboard
• Audit log access: API endpoint /api/audit-logs
• Security events: API endpoint /api/security/summary

• v1.0 (Nov 2024) - Initial SOC2-lite security implementation
  • RBAC with 27 permissions
  • Comprehensive audit logging
  • AES-256 encryption
  • Rate limiting
  • Input sanitization
  • Security headers
  • Security monitoring

Last Updated: November 24, 2024 Review Frequency: Quarterly Next Review: February 24, 2025