• JWT-based Sessions: 24-hour expiry with HttpOnly cookies
• Role-Based Access Control (RBAC):
  • admin: Full access (user management, audit logs, settings)
  • user: Can create/delete own accounts, view team accounts
  • viewer: Read-only access to team accounts
• Password Storage: Bcrypt hashing with salt rounds
• Session Security: HttpOnly, Secure (in production), SameSite cookies

• TOTP Secret Encryption: AES-256-GCM encryption at rest
• Encrypted Database Fields: TOTP secrets are never stored in plaintext
• Environment Variables: Sensitive configuration via .env files
• API Key Authentication: SHA-256 hashed API keys for programmatic access

• Comprehensive Activity Tracking: All user actions are logged
• IP Address & User Agent: Tracking for forensic analysis
• TOTP View Tracking: Logged when users view TOTP codes
• Retention Policy: Configurable retention (default: 30 days)
• Admin-Only Access: Only administrators can view audit logs

• SQL Injection Protection: Prepared statements with parameterized queries
• XSS Prevention: React automatic escaping + Content Security Policy
• Input Validation:
  • Date range validation (must be valid Unix timestamps)
  • Limit validation (max 1000 records per request)
  • Offset validation (min 0)
  • Resource filtering with LIKE pattern matching (safe with prepared statements)

• Authentication Required: All API endpoints require valid session or API key
• Authorization Checks: Role-based permissions enforced at endpoint level
• Rate Limiting: Consider implementing rate limiting for production (e.g., nginx)
• CORS Configuration: Restricted to same-origin by default

Issue: No rate limiting on API endpoints Risk: Brute force attacks, DoS Mitigation: Implement rate limiting via:

• Nginx limit_req module
• Application-level middleware (e.g., express-rate-limit)
• Cloudflare or similar CDN/WAF

Issue: No enforced password complexity requirements Risk: Weak passwords Mitigation:

• Minimum 8 characters enforced
• Consider adding complexity requirements (uppercase, numbers, symbols)
• Password strength indicator in UI

Issue: Sessions not invalidated on password change Risk: Session hijacking Mitigation: Regenerate session tokens on password change

Issue: Basic CSRF protection via SameSite cookies Risk: Cross-site request forgery Current Mitigation: SameSite=Lax cookies + credentials: "include" Enhancement: Add CSRF tokens for state-changing operations

Issue: User-controlled data in audit logs (details field) Risk: Log injection, log forging Mitigation:

• Input sanitization on details field
• Log viewer escapes output (React handles this)
• Consider structured logging (JSON)

# Generate strong secrets
openssl rand -hex 32  # For JWT_SECRET
openssl rand -hex 32  # For ENCRYPTION_KEY

# Use strong passwords
ADMIN_PASSWORD=<strong-password-here>
VIEWER_PASSWORD=<strong-password-here>

• Use TLS 1.2+ only
• Strong cipher suites (see TRT_DEPLOYMENT.md)
• HSTS headers enabled
• SSL certificate from trusted CA

add_header X-Frame-Options "DENY" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-XSS-Protection "1; mode=block" always;
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

• SQLite file permissions: chmod 600 /app/data/app.db
• Regular backups with encryption
• Audit log retention policy enforced
• Database file outside web root

• Non-root user (consider adding USER node)
• Read-only filesystem where possible
• Network isolation (internal network for DB)
• Resource limits (memory, CPU)
• Regular image updates

• Monitor failed login attempts
• Alert on suspicious audit log patterns
• Track API usage anomalies
• Log file monitoring (size, patterns)

If you discover a security vulnerability, please email: [security contact email]

Please do NOT create public GitHub issues for security vulnerabilities.

• Strong JWT_SECRET and ENCRYPTION_KEY generated
• Default admin password changed
• HTTPS/TLS enabled with valid certificate
• Security headers configured in nginx
• Rate limiting implemented
• Database file permissions set correctly
• Audit log retention policy configured
• Backup strategy implemented
• Monitoring and alerting configured
• Regular security updates scheduled
• Firewall rules configured (allow 80, 443, deny others)
• Docker image from trusted sources
• Environment variables not committed to git
• API keys rotated regularly
• Session timeout configured appropriately

• Audit logs contain IP addresses (personal data)
• Data retention policy: 30 days (configurable)
• User data deletion: Manual process required
• Data export: Available via API

• Access control: Role-based
• Audit trail: Comprehensive logging
• Encryption: At rest (TOTP secrets) and in transit (HTTPS)
• Incident response: Audit log review

Keep dependencies updated:

npm audit
npm audit fix
npm update

Regular security reviews recommended every 6 months.