create AI_template
This commit is contained in:
olekhondera
51
docs/backend/security.md
Normal file
51
docs/backend/security.md
Normal file
@@ -0,0 +1,51 @@
|
||||
# Backend: Security (Template)
|
||||
|
||||
---
|
||||
**Last Updated:** 2025-01-17
|
||||
**Phase:** Phase 0 (Planning)
|
||||
**Status:** Draft — finalize in Phase 1
|
||||
**Owner:** Backend Architect, Security
|
||||
**References:**
|
||||
- `/docs/backend/architecture.md`
|
||||
- `/docs/backend/payment-flow.md`
|
||||
- `/docs/backend/api-design.md`
|
||||
---
|
||||
|
||||
## 1. Goals
|
||||
- Protect sensitive data and ensure tenant isolation.
|
||||
- Secure integrations (webhooks/OAuth) and billing.
|
||||
- Maintain auditability for all automated and manual actions.
|
||||
|
||||
## 2. Authentication & Authorization
|
||||
- Use managed auth (Clerk/Auth.js or equivalent) with secure sessions/tokens.
|
||||
- Enforce tenant-scoped RBAC; validate tenant context on every request.
|
||||
- Rate limit auth endpoints; protect refresh flows.
|
||||
|
||||
## 3. Data Protection
|
||||
- TLS everywhere; secure headers.
|
||||
- Least-privilege DB roles; encrypt secrets at rest; rotate keys.
|
||||
- Avoid logging sensitive payloads (bank data, webhook bodies, LLM prompts/responses beyond trace references).
|
||||
- Store `reasoning_trace` JSONB with care; avoid PII in traces.
|
||||
|
||||
## 4. Integrations & Webhooks
|
||||
- Verify signatures for all inbound webhooks (external providers, payment provider); reject invalid; log with trace IDs.
|
||||
- Idempotent processing with event ID dedupe; dead-letter queue for failures.
|
||||
- Expose webhook URLs only over HTTPS; regenerate secrets on rotation.
|
||||
|
||||
## 5. Payments (provider‑agnostic)
|
||||
- Use provider‑hosted Checkout/Portal; never handle raw card data.
|
||||
- Store minimal billing identifiers (customer/subscription IDs, status, timestamps, plan/price).
|
||||
- Enforce access based on subscription state; deny actions when inactive.
|
||||
|
||||
## 6. LLM Safety
|
||||
- All LLM calls go through a single helper; centralize redaction, logging, and parameter control.
|
||||
- Strip/obfuscate sensitive fields before sending to LLM; log only references in traces.
|
||||
|
||||
## 7. Audit & Events
|
||||
- Log domain events to `EventLog` with `source_agent`; include user ID, tenant, timestamps, and relevant context.
|
||||
- Provide read-only `/api/events` with pagination and filtering; protect by tenant/role.
|
||||
|
||||
## 8. Common Controls
|
||||
- OWASP Top 10 coverage (SQLi, XSS, CSRF, IDOR, SSRF, etc.).
|
||||
- Input validation on all external inputs; use allowlists for redirects/URLs.
|
||||
- Backup/restore plan and monitoring/alerting for infra and queues.
|
||||
Reference in New Issue
Block a user