Security Documentation

Version 1.0 — October 2025

This document outlines the security measures, best practices, and compliance standards implemented in Conformo.


Table of Contents

  1. Security Overview
  2. Authentication & Authorization
  3. Data Protection
  4. Security Headers
  5. Input Validation & Sanitization
  6. Session Management
  7. Rate Limiting
  8. Audit Logging
  9. OWASP Top 10 Mitigations
  10. Dependency Security
  11. TLS/HTTPS Configuration
  12. Security Testing
  13. Incident Response
  14. Security Contacts

Security Overview

Conformo implements defense-in-depth security principles with multiple layers of protection:

  • Authentication: JWT-based authentication with refresh tokens
  • Authorization: Role-Based Access Control (RBAC)
  • Encryption: TLS 1.2+ for data in transit, bcrypt for passwords
  • Validation: Input validation and sanitization on all user inputs
  • Headers: Security headers (CSP, HSTS, X-Frame-Options, etc.)
  • Monitoring: Comprehensive audit logging of security events
  • Dependencies: Regular scanning and updates of dependencies

Authentication & Authorization

Authentication Methods

  1. Email/Password Authentication
    • Minimum 8 characters password requirement
    • Bcrypt hashing (cost factor: 10)
    • Email verification required before login
    • Account lockout after 5 failed attempts (30 minutes)
  2. Two-Factor Authentication (2FA)
    • Optional TOTP-based 2FA
    • QR code setup for authenticator apps
    • Backup codes for account recovery
  3. JWT Token Management
    • Access tokens: 15 minutes expiry
    • Refresh tokens: 7 days expiry (with remember me)
    • Secure token storage and transmission
    • Token revocation on logout
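The lockout rule above ("5 failed attempts, 30 minutes") as an added example; this is not Conformo's code. It keeps the counter in an in-memory Map (an assumption; a multi-instance deployment would keep it in the database so the count is shared and survives restarts), and the `verifyPassword` callback is a hypothetical stand-in for the bcrypt comparison against the stored hash.

```javascript
// Added example, not Conformo's code: account lockout after 5 failed
// attempts for 30 minutes, as the Authentication section describes.
const MAX_FAILED_ATTEMPTS = 5;
const LOCKOUT_MS = 30 * 60 * 1000;

class LoginGuard {
  // `now` is injectable so the 30-minute window can be tested without waiting.
  constructor(now = () => Date.now()) {
    this.now = now;
    this.state = new Map(); // email -> { failures, lockedUntil } (in-memory store, assumption)
  }

  isLocked(email) {
    const s = this.state.get(email);
    if (!s || !s.lockedUntil) return false;
    if (this.now() >= s.lockedUntil) {
      this.state.delete(email); // lockout expired: the account starts fresh
      return false;
    }
    return true;
  }

  // verifyPassword(email, password) -> boolean is a hypothetical callback that
  // stands in for bcrypt.compare against the stored hash.
  attempt(email, password, verifyPassword) {
    if (this.isLocked(email)) {
      const retryAfterMs = this.state.get(email).lockedUntil - this.now();
      return { ok: false, reason: 'locked', retryAfterMs };
    }
    if (verifyPassword(email, password)) {
      this.state.delete(email); // a successful login resets the counter
      return { ok: true };
    }
    const s = this.state.get(email) || { failures: 0, lockedUntil: 0 };
    s.failures += 1;
    if (s.failures >= MAX_FAILED_ATTEMPTS) s.lockedUntil = this.now() + LOCKOUT_MS;
    this.state.set(email, s);
    return { ok: false, reason: s.lockedUntil ? 'locked' : 'invalid', failures: s.failures };
  }
}
```

The login handler should return the same generic failure message whether the address is unknown, the password is wrong, or the account is locked; the `reason` field is for the audit log, not the HTTP response, so that the lockout does not double as an account-enumeration oracle.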

Authorization

Role-Based Access Control (RBAC):

  • User: Standard user with access to own data
  • Admin: Full system access including user management and audit logs

Admin Access:

  • Admin role required for sensitive operations
  • Fallback admin list for emergency access
  • All admin actions logged

Data Protection

Encryption

  1. Data in Transit
    • TLS 1.2+ enforced in production
    • HSTS headers with 1-year max-age
    • Secure cookie flags (HttpOnly, Secure, SameSite)
  2. Data at Rest
    • Passwords hashed with bcrypt (cost factor: 10)
    • Sensitive fields encrypted in database
    • Database connection over TLS
  3. Key Management
    • JWT secrets stored in environment variables
    • Secrets rotation policy recommended every 90 days
    • Never commit secrets to version control

Data Privacy

  • GDPR-compliant data processing
  • User consent tracking
  • Data minimization principle
  • Right to erasure implementation
  • Data portability support

Security Headers

Implemented using the Helmet middleware for Express, registered once before the application routes:

const helmet = require('helmet');

app.use(helmet({
  contentSecurityPolicy: {
    directives: {
      defaultSrc: ["'self'"],
      scriptSrc: ["'self'", "'unsafe-inline'"],
      styleSrc: ["'self'", "'unsafe-inline'"],
      imgSrc: ["'self'", "data:", "https:"],
      connectSrc: ["'self'"],
      fontSrc: ["'self'", "data:"],
      objectSrc: ["'none'"],
      mediaSrc: ["'self'"],
      frameSrc: ["'none'"],
    },
  },
  hsts: {
    maxAge: 31536000,       // one year, in seconds
    includeSubDomains: true,
    preload: true,
  },
  noSniff: true,
  xssFilter: true,
  hidePoweredBy: true,
  frameguard: { action: 'deny' },
}));

Headers Explained:

  • Content-Security-Policy: Prevents XSS attacks by controlling resource loading
  • Strict-Transport-Security: Forces HTTPS connections
  • X-Content-Type-Options: Prevents MIME sniffing
  • X-Frame-Options: Prevents clickjacking attacks
  • X-XSS-Protection: Legacy XSS protection (browser-level)
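To make the mapping from the Helmet options to the headers above concrete, here is an added example (not Conformo's code and not Helmet's implementation) that renders the same configuration object into the response headers and then runs the check a reviewer would run against a deployed response. `HELMET_CONFIG` copies the directives from the configuration above; the exact strings Helmet emits can differ by version (its current releases send `X-XSS-Protection: 0` to disable the legacy filter, which is assumed here).

```javascript
// Added example, not Conformo's or Helmet's code: render the Helmet config
// into header values and flag the weak spots a review would raise.
const HELMET_CONFIG = {
  contentSecurityPolicy: {
    directives: {
      defaultSrc: ["'self'"],
      scriptSrc: ["'self'", "'unsafe-inline'"],
      styleSrc: ["'self'", "'unsafe-inline'"],
      imgSrc: ["'self'", 'data:', 'https:'],
      connectSrc: ["'self'"],
      fontSrc: ["'self'", 'data:'],
      objectSrc: ["'none'"],
      mediaSrc: ["'self'"],
      frameSrc: ["'none'"],
    },
  },
  hsts: { maxAge: 31536000, includeSubDomains: true, preload: true },
  noSniff: true,
  xssFilter: true,
  hidePoweredBy: true,
  frameguard: { action: 'deny' },
};

const REQUIRED_HEADERS = [
  'Content-Security-Policy',
  'Strict-Transport-Security',
  'X-Content-Type-Options',
  'X-Frame-Options',
];

// defaultSrc -> default-src, connectSrc -> connect-src, ...
const camelToKebab = (s) => s.replace(/[A-Z]/g, (c) => '-' + c.toLowerCase());

function buildHeaders(config) {
  const headers = {};
  headers['Content-Security-Policy'] = Object.entries(config.contentSecurityPolicy.directives)
    .map(([name, values]) => `${camelToKebab(name)} ${values.join(' ')}`)
    .join('; ');
  const h = config.hsts;
  headers['Strict-Transport-Security'] =
    `max-age=${h.maxAge}` + (h.includeSubDomains ? '; includeSubDomains' : '') + (h.preload ? '; preload' : '');
  if (config.noSniff) headers['X-Content-Type-Options'] = 'nosniff';
  if (config.frameguard) headers['X-Frame-Options'] = config.frameguard.action.toUpperCase();
  // Current Helmet releases set the legacy header to 0 (filter off); assumption about version.
  if (config.xssFilter) headers['X-XSS-Protection'] = '0';
  return headers;
}

// Parse a CSP header value into { 'directive-name': [values...] }.
function parseCsp(value) {
  const directives = {};
  for (const part of value.split(';')) {
    const [name, ...values] = part.trim().split(/\s+/);
    if (name) directives[name] = values;
  }
  return directives;
}

// Returns a list of findings; an empty list means the response passed.
function checkHeaders(headers) {
  const findings = [];
  for (const name of REQUIRED_HEADERS) if (!headers[name]) findings.push(`missing ${name}`);
  const csp = headers['Content-Security-Policy'];
  if (csp) {
    const d = parseCsp(csp);
    if ((d['script-src'] || []).includes("'unsafe-inline'")) {
      findings.push("script-src allows 'unsafe-inline': injected inline scripts still execute; prefer nonces or hashes");
    }
    if (!d['frame-ancestors']) {
      findings.push('no frame-ancestors directive: only the legacy X-Frame-Options header controls framing');
    }
  }
  return findings;
}

console.log(buildHeaders(HELMET_CONFIG));
console.log(checkHeaders(buildHeaders(HELMET_CONFIG)));
```

Run against the configuration above, the check reports two findings: `'unsafe-inline'` in `script-src` (which is what a CSP is meant to stop) and the absence of `frame-ancestors`. Both are worth tracking alongside the "Add Content Security Policy reporting" item in the roadmap.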

Input Validation & Sanitization

Validation (Joi Schema)

All API inputs validated using Joi schemas:

  • Email format validation
  • Password complexity requirements
  • String length limits
  • Type checking
  • Required field enforcement

Sanitization

  • HTML sanitization using DOMPurify
  • SQL injection prevention via parameterized queries
  • NoSQL injection prevention
  • Path traversal prevention
  • Command injection prevention

Session Management

Token Lifecycle

  1. Login: Generate access + refresh token pair
  2. Request: Access token in Authorization header
  3. Expiry: 15-minute access token expiry
  4. Refresh: Use refresh token to get new access token
  5. Logout: Revoke both tokens

Security Features

  • Token binding to user agent and IP (logged)
  • Refresh token rotation on use
  • Secure token storage (httpOnly cookies or localStorage)
  • Token revocation on security events

Rate Limiting

Implemented using express-rate-limit:

  Endpoint             Limit          Window
  Registration         5 requests     15 minutes
  Login                10 requests    15 minutes
  Password Reset       3 requests     15 minutes
  Email Verification   5 requests     15 minutes
  Admin Preferences    100 requests   15 minutes

Benefits:

  • Prevents brute force attacks
  • Mitigates DoS attacks
  • Protects against credential stuffing
  • Reduces spam and abuse
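A fixed-window limiter with the limits from the table above, as an added example that is not Conformo's code and does not use express-rate-limit. Buckets are an in-memory Map keyed by route and client (an assumption, and the reason the roadmap's "rate limiting at reverse proxy level" matters once there is more than one instance); the route keys and the `RateLimit-*` response header names are assumptions.

```javascript
// Added example, not Conformo's code: fixed-window rate limiting with the
// per-endpoint limits from the table (all windows are 15 minutes).
const WINDOW_MS = 15 * 60 * 1000;

// Route keys are assumptions; the limits are the ones documented above.
const LIMITS = {
  register: 5,
  login: 10,
  'password-reset': 3,
  'verify-email': 5,
  'admin-preferences': 100,
};

class FixedWindowLimiter {
  constructor(limits, windowMs, now = () => Date.now()) {
    this.limits = limits;
    this.windowMs = windowMs;
    this.now = now;
    this.buckets = new Map(); // `${route}|${client}` -> { windowStart, count } (in-memory, assumption)
  }

  // `client` is whatever identifies the caller (usually the source IP). Behind a
  // reverse proxy that must be the address the proxy reports, taken only from a
  // trusted proxy, or every request shares the proxy's own address.
  check(route, client) {
    const limit = this.limits[route];
    if (limit === undefined) return { allowed: true, headers: {} }; // route is not limited
    const key = `${route}|${client}`;
    const t = this.now();
    let bucket = this.buckets.get(key);
    if (!bucket || t - bucket.windowStart >= this.windowMs) {
      bucket = { windowStart: t, count: 0 };
      this.buckets.set(key, bucket);
    }
    bucket.count += 1;
    const resetMs = bucket.windowStart + this.windowMs - t;
    const remaining = Math.max(0, limit - bucket.count);
    const headers = {
      'RateLimit-Limit': String(limit),
      'RateLimit-Remaining': String(remaining),
      'RateLimit-Reset': String(Math.ceil(resetMs / 1000)), // seconds until the window resets
    };
    if (bucket.count > limit) {
      return { allowed: false, remaining: 0, retryAfterMs: resetMs, headers };
    }
    return { allowed: true, remaining, headers };
  }

  // Drop buckets whose window has passed so the Map does not grow without bound.
  prune() {
    const t = this.now();
    for (const [key, b] of this.buckets) if (t - b.windowStart >= this.windowMs) this.buckets.delete(key);
  }
}

const limiter = new FixedWindowLimiter(LIMITS, WINDOW_MS);
console.log(limiter.check('login', '203.0.113.7'));
```

A fixed window lets a client make up to twice the limit across a window boundary (the last requests of one window followed by the first of the next); for the login and password-reset endpoints the limits are small enough that this is acceptable, and a sliding window costs more memory per client.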

Audit Logging

Logged Events

All security-relevant events are logged:

  • Login attempts (success/failure)
  • Registration
  • Password changes
  • Email verification
  • 2FA setup/disable
  • Account lockouts
  • Admin actions
  • Token refresh
  • Logout

Log Storage

  • PostgreSQL database table: auth_logs
  • Retention: Configurable (default 90 days)
  • Fields: event type, user ID, IP, user agent, timestamp, metadata
  • Export capability for compliance

Log Access

  • Admin-only access
  • Query by user, event type, date range
  • Statistics and analytics
  • CSV export for audits
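The log-access functions described above (query by user, event type and date range; statistics; CSV export) over a few constructed `auth_logs` rows, as an added example that is not Conformo's code. The column names are assumptions based on the field list; the sample rows use documentation IP ranges. A sliding-window search for bursts of failed logins is included because it is the query an on-call responder runs first against this table.

```javascript
// Added example, not Conformo's code: queries, statistics and CSV export
// over rows shaped like the auth_logs table (column names are assumptions).

// Constructed sample rows (not real data).
const SAMPLE_LOGS = [
  { id: 1, event_type: 'login_failure',   user_id: 'u1', ip: '203.0.113.5',  user_agent: 'Mozilla/5.0', created_at: '2025-10-01T08:00:00Z', metadata: { reason: 'bad_password' } },
  { id: 2, event_type: 'login_failure',   user_id: 'u1', ip: '203.0.113.5',  user_agent: 'Mozilla/5.0', created_at: '2025-10-01T08:05:00Z', metadata: { reason: 'bad_password' } },
  { id: 3, event_type: 'login_success',   user_id: 'u2', ip: '198.51.100.9', user_agent: 'curl/8.0',    created_at: '2025-10-01T08:06:00Z', metadata: {} },
  { id: 4, event_type: 'login_failure',   user_id: 'u1', ip: '203.0.113.5',  user_agent: 'Mozilla/5.0', created_at: '2025-10-01T08:10:00Z', metadata: { reason: 'bad_password' } },
  { id: 5, event_type: 'password_change', user_id: 'u2', ip: '198.51.100.9', user_agent: 'curl/8.0',    created_at: '2025-10-01T08:20:00Z', metadata: {} },
  { id: 6, event_type: 'login_failure',   user_id: 'u1', ip: '203.0.113.5',  user_agent: 'Mozilla/5.0', created_at: '2025-10-01T08:40:00Z', metadata: { reason: 'bad_password' } },
  { id: 7, event_type: 'account_lockout', user_id: 'u1', ip: '203.0.113.5',  user_agent: 'Mozilla/5.0', created_at: '2025-10-01T08:41:00Z', metadata: { minutes: 30 } },
];

// Filter by user, event type and an inclusive date range; every criterion is optional.
function queryLogs(rows, { userId, eventType, from, to } = {}) {
  const fromMs = from ? Date.parse(from) : -Infinity;
  const toMs = to ? Date.parse(to) : Infinity;
  return rows.filter((r) => {
    const t = Date.parse(r.created_at);
    return (!userId || r.user_id === userId) && (!eventType || r.event_type === eventType) && t >= fromMs && t <= toMs;
  });
}

// Count of rows per event type.
function eventStats(rows) {
  const counts = {};
  for (const r of rows) counts[r.event_type] = (counts[r.event_type] || 0) + 1;
  return counts;
}

// Users with at least `threshold` login failures inside any `windowMs` span.
function findBurstFailures(rows, threshold = 5, windowMs = 30 * 60 * 1000) {
  const byUser = new Map();
  for (const r of rows) {
    if (r.event_type !== 'login_failure') continue;
    if (!byUser.has(r.user_id)) byUser.set(r.user_id, []);
    byUser.get(r.user_id).push(Date.parse(r.created_at));
  }
  const flagged = [];
  for (const [user, times] of byUser) {
    times.sort((a, b) => a - b);
    let start = 0;
    for (let end = 0; end < times.length; end++) {
      while (times[end] - times[start] > windowMs) start++; // slide the window forward
      if (end - start + 1 >= threshold) { flagged.push(user); break; }
    }
  }
  return flagged;
}

const CSV_COLUMNS = ['id', 'event_type', 'user_id', 'ip', 'user_agent', 'created_at', 'metadata'];

function csvCell(value) {
  let s = value !== null && typeof value === 'object' ? JSON.stringify(value) : String(value);
  // Cells that a spreadsheet would evaluate as a formula get a leading quote;
  // user agents are attacker-controlled strings and end up in this export.
  if (/^[=+\-@]/.test(s)) s = "'" + s;
  // RFC 4180 quoting for separators, quotes and line breaks.
  if (/[",\r\n]/.test(s)) s = '"' + s.replace(/"/g, '""') + '"';
  return s;
}

function toCsv(rows) {
  return [CSV_COLUMNS.join(','), ...rows.map((r) => CSV_COLUMNS.map((c) => csvCell(r[c])).join(','))].join('\n');
}

console.log(eventStats(SAMPLE_LOGS));
console.log(findBurstFailures(SAMPLE_LOGS, 3));
```

The CSV quoting matters for exactly the fields listed as logged: the user agent and the metadata JSON both carry characters chosen by the client, and an export opened in a spreadsheet is where a stray `=` becomes a formula.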

OWASP Top 10 Mitigations

A01: Broken Access Control

Mitigated: RBAC, authentication middleware, admin checks

A02: Cryptographic Failures

Mitigated: TLS 1.2+, bcrypt hashing, HSTS headers

A03: Injection

Mitigated: Parameterized queries, input validation, sanitization

A04: Insecure Design

Mitigated: Security-by-design, threat modeling, secure defaults

A05: Security Misconfiguration

Mitigated: Security headers, environment-based config, no default credentials

A06: Vulnerable and Outdated Components

Mitigated: npm audit, dependency updates, automated scanning

A07: Identification and Authentication Failures

Mitigated: Strong passwords, 2FA, account lockout, secure sessions

A08: Software and Data Integrity Failures

Mitigated: JWT verification, checksum validation, signed tokens

A09: Security Logging and Monitoring Failures

Mitigated: Comprehensive audit logging, monitoring alerts

A10: Server-Side Request Forgery (SSRF)

Mitigated: URL validation, allowlists, no user-controlled URLs


Dependency Security

Automated Scanning

  • npm audit run on every build
  • GitHub Dependabot alerts enabled
  • Regular dependency updates

Current Vulnerabilities

Last audit: October 2025

  • Severity: Low to Moderate
  • Status: Under review, non-exploitable in current usage

Update Policy

  • Critical/High: Immediate patching
  • Moderate: Within 7 days
  • Low: Next scheduled update cycle
  • Review breaking changes before updates
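The update policy above turned into a triage step a CI job can run on `npm audit --json` output, as an added example that is not Conformo's code. The sample report is constructed and shaped like the npm 7+ audit report (package entries under `vulnerabilities` with `severity`, `isDirect`, `fixAvailable` and `via`; the shape is an assumption, and the package names and advisory titles are placeholders).

```javascript
// Added example, not Conformo's code: map npm audit findings onto the
// documented update policy and decide whether a build should fail.

// Constructed report shaped like `npm audit --json` (npm 7+; shape assumed).
const SAMPLE_AUDIT = {
  auditReportVersion: 2,
  vulnerabilities: {
    'example-parser': {
      name: 'example-parser', severity: 'high', isDirect: true,
      via: [{ title: 'Placeholder high-severity advisory', url: 'https://example.invalid/advisory/1' }],
      fixAvailable: true,
    },
    'example-template': {
      name: 'example-template', severity: 'moderate', isDirect: false,
      via: [{ title: 'Placeholder moderate advisory', url: 'https://example.invalid/advisory/2' }],
      // npm reports an object when the fix requires a semver-major upgrade.
      fixAvailable: { name: 'example-framework', version: '5.0.0', isSemVerMajor: true },
    },
    'example-logger': {
      name: 'example-logger', severity: 'low', isDirect: false,
      via: ['example-template'], // transitive: pulled in through another vulnerable package
      fixAvailable: false,
    },
  },
  metadata: { vulnerabilities: { info: 0, low: 1, moderate: 1, high: 1, critical: 0, total: 3 } },
};

// Policy from the Update Policy list: days until the patch is due
// (null = next scheduled update cycle).
const SLA_DAYS = { critical: 0, high: 0, moderate: 7, low: null, info: null };
const ORDER = { critical: 0, high: 1, moderate: 2, low: 3, info: 4 };

function actionFor(severity, fixAvailable) {
  let action;
  if (severity === 'critical' || severity === 'high') action = 'patch immediately';
  else if (severity === 'moderate') action = 'patch within 7 days';
  else action = 'next scheduled update cycle';
  if (fixAvailable === false) action += ' (no fix published: track upstream or replace the package)';
  else if (typeof fixAvailable === 'object' && fixAvailable.isSemVerMajor) {
    action += ` (major upgrade to ${fixAvailable.name}@${fixAvailable.version}: review breaking changes first)`;
  }
  return action;
}

// Returns { failBuild, items } with items sorted most severe first.
function triage(report) {
  const items = Object.values(report.vulnerabilities || {}).map((v) => {
    const advisory = v.via.find((x) => typeof x === 'object');
    return {
      package: v.name,
      severity: v.severity,
      direct: !!v.isDirect,
      title: advisory ? advisory.title : `via ${v.via.join(', ')}`,
      dueInDays: SLA_DAYS[v.severity] ?? null,
      action: actionFor(v.severity, v.fixAvailable),
    };
  });
  items.sort((a, b) => (ORDER[a.severity] ?? 9) - (ORDER[b.severity] ?? 9));
  // Critical and high are "immediate", so they are the ones that stop a build.
  const failBuild = items.some((i) => i.severity === 'critical' || i.severity === 'high');
  return { failBuild, items };
}

const result = triage(SAMPLE_AUDIT);
for (const i of result.items) console.log(`${i.severity.padEnd(8)} ${i.package.padEnd(18)} ${i.action}`);
if (result.failBuild) console.log('build would fail: critical/high findings present');
```

In a CI step this is `npm audit --json | node triage.js`, exiting non-zero when `failBuild` is set; the moderate and low findings still surface in the output so the 7-day and next-cycle deadlines are visible rather than silently carried forward.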

TLS/HTTPS Configuration

Production Requirements

  • TLS 1.2 minimum (TLS 1.3 preferred)
  • Strong cipher suites only
  • Certificate from trusted CA
  • HSTS header with preload
  • No mixed content

Certificate Management

  • Automated renewal (Let’s Encrypt recommended)
  • 90-day rotation recommended
  • Monitor expiry dates
  • Certificate transparency logging

Vercel Deployment

  • Automatic HTTPS via Vercel
  • TLS 1.3 supported
  • HTTP/2 enabled
  • Automatic certificate renewal

Security Testing

Automated Testing

  • Dependency Scanning: npm audit
  • Static Analysis: ESLint security rules
  • Unit Tests: Authentication and authorization logic
  • Integration Tests: API security tests

Manual Testing

  • Penetration Testing: Annual recommended
  • Code Review: Security-focused reviews
  • Threat Modeling: Regular threat assessments
  • Vulnerability Scanning: Periodic scans

Testing Checklist

  • Authentication bypass attempts
  • Authorization checks
  • Input validation
  • Session management
  • CSRF protection
  • XSS prevention
  • SQL injection
  • Rate limiting
  • Security headers
  • TLS configuration

Incident Response

Security Incident Process

  1. Detection: Monitoring alerts, user reports
  2. Assessment: Severity and impact analysis
  3. Containment: Isolate affected systems
  4. Eradication: Remove threat, patch vulnerabilities
  5. Recovery: Restore services, verify integrity
  6. Lessons Learned: Post-mortem, improve defenses

Breach Notification

  • GDPR requires notification within 72 hours
  • User notification if personal data compromised
  • Authority notification as required by law
  • Transparent communication

Contact Information

  • Security Issues: security@conformo.it
  • Emergency: GitHub private security advisory (never a public issue)

Security Contacts

Reporting Security Vulnerabilities

We take security seriously. If you discover a security vulnerability, please report it responsibly:

  1. Do NOT open a public GitHub issue
  2. Contact us at: security@conformo.it
  3. Or use GitHub’s private security advisory feature
  4. Provide detailed information about the vulnerability
  5. Allow reasonable time for patching before disclosure

Responsible Disclosure

We appreciate security researchers and offer:

  • Acknowledgment in security advisories (if desired)
  • Coordinated disclosure timeline
  • Recognition in our security hall of fame

Security Roadmap

Planned Improvements

  • Implement CSRF protection for state-changing operations
  • Add Content Security Policy reporting
  • Implement Web Application Firewall (WAF)
  • Add intrusion detection system (IDS)
  • Implement security.txt file
  • Add automated security testing in CI/CD
  • Implement rate limiting at reverse proxy level
  • Add geographical IP blocking options
  • Implement anomaly detection for auth events
  • Add security metrics dashboard

Compliance Standards

Conformo adheres to:

  • GDPR: EU General Data Protection Regulation
  • eIDAS: EU Electronic Identification and Trust Services
  • Italian Privacy Code: Legislative Decree 196/2003
  • ISO 27001: Information Security Management (goal)
  • OWASP: Top 10 and security best practices

Last Updated: October 2025
Version: 1.0
Next Review: January 2026
Maintained by: Conformo Security Team