4.1 KiB
4.1 KiB
Security Hardening Epic (Q4 2025)
Goal
Raise the baseline security posture across guest APIs, checkout, media storage, and identity flows so the platform can scale multi-tenant traffic with auditable, revocable access.
Workstreams
-
Identity & OAuth (Backend Platform)
- Dual-key rollout for JWT signing with rotation runbook and monitoring.
- Refresh-token revocation tooling (per device/IP) and anomaly alerts.
- Device fingerprint/subnet allowances documented and configurable.
- Tickets
SEC-IO-01— Generate dual-key rollout playbook + automation (Week 1). (Runbook:docs/deployment/oauth-key-rotation.md; commands:oauth:list-keys,oauth:prune-keys)SEC-IO-02— Build refresh-token management UI + audit logs (Week 2). (Filament console + audit trail added 2025-10-23)SEC-IO-03— Implement subnet/device matching configuration & tests (Week 3).
-
Guest Join Tokens (Guest Platform)
- Store hashed tokens with irreversible lookups; migrate legacy data.
- Add per-token usage analytics, alerting on spikes or expiry churn.
- Extend gallery/photo rate limits (token + IP) and surface breach telemetry in storage dashboards.
- Tickets
SEC-GT-01— Hash join tokens + data migration script (Week 1).SEC-GT-02— Implement token analytics + Grafana dashboard (Week 2). (Logging + Filament summaries delivered 2025-10-23; monitoring dashboard still pending)SEC-GT-03— Tighten gallery/photo rate limits + alerting (Week 3).
-
Public API Resilience (Core API)
- Serve signed asset URLs instead of raw storage paths; expire appropriately.
- Document incident response runbooks and playbooks for abuse mitigation.
- Add synthetic monitors for
/api/v1/gallery/*and upload endpoints. - Tickets
SEC-API-01— Signed URL middleware + asset migration (Week 1).SEC-API-02— Incident response playbook draft + review (Week 2). (Runbook:docs/deployment/public-api-incident-playbook.md, added 2025-10-23)SEC-API-03— Synthetic monitoring + alert config (Week 3).
-
Media Pipeline & Storage (Media Services)
- Integrate antivirus/EXIF scrubbers and streaming upload paths to avoid buffering.
- Verify checksum integrity on hot → archive transfers with alert thresholds.
- Surface storage target health (capacity, latency) in Super Admin dashboards.
- Tickets
SEC-MS-01— AV + EXIF scrubber worker integration (Week 1). (Job:ProcessPhotoSecurityScan, queue:media-security)SEC-MS-02— Streaming upload refactor + tests (Week 2). (Requirements draft:docs/todo/media-streaming-upload-refactor.md, 2025-10-23)SEC-MS-03— Checksum validation + alert thresholds (Week 3).SEC-MS-04— Storage health widget in Super Admin (Week 4).
-
Payments & Webhooks (Billing)
- Link Paddle webhooks to checkout sessions with idempotency locks.
- Add signature freshness validation + retry policies for provider outages.
- Pipe failed capture events into credit ledger audits and operator alerts.
- Tickets
SEC-BILL-01— Checkout session linkage + idempotency locks (Week 1).SEC-BILL-02— Signature freshness + retry policy implementation (Week 2).SEC-BILL-03— Failed capture notifications + ledger hook (Week 3).
-
Frontend & CSP (Marketing Frontend)
- Replace
unsafe-inlineallowances with nonce/hash policies for Stripe + Matomo. - Gate analytics script injection behind consent with localised disclosures.
- Broaden cookie banner layout to surface GDPR/legal copy clearly.
- Tickets
SEC-FE-01— CSP nonce/hashing utility + rollout (Week 1).SEC-FE-02— Consent-gated analytics loader refactor (Week 2).SEC-FE-03— Cookie banner UX update + localisation (Week 3).
- Replace
Deliverables
- Updated docs (
docs/prp/09-security-compliance.md, runbooks) with ownership & SLAs. - Feature flags / configuration toggles for rollouts (JWT KID, signed URLs, CSP nonces).
- Monitoring dashboards + alerting coverage per workstream.
- Integration and Playwright coverage validating the hardened flows.