73 lines
3.4 KiB
Markdown
73 lines
3.4 KiB
Markdown
# Backend: Security (Template)
|
||
|
||
---
|
||
**Last Updated:** 2025-01-17
|
||
**Phase:** Phase 0 (Planning)
|
||
**Status:** Draft — finalize in Phase 1
|
||
**Owner:** Backend Architect, Security
|
||
**References:**
|
||
- `/docs/backend/architecture.md`
|
||
- `/docs/backend/payment-flow.md`
|
||
- `/docs/backend/api-design.md`
|
||
---
|
||
|
||
## 1. Goals
|
||
- Protect sensitive data and ensure tenant isolation.
|
||
- Secure integrations (webhooks/OAuth) and billing.
|
||
- Maintain auditability for all automated and manual actions.
|
||
|
||
## 2. Authentication & Authorization
|
||
- Use managed auth (Clerk/Auth.js or equivalent) with secure sessions/tokens.
|
||
- Enforce tenant-scoped RBAC; validate tenant context on every request.
|
||
- Rate limit auth endpoints; protect refresh flows.
|
||
|
||
## 3. Data Protection
|
||
- TLS everywhere; secure headers.
|
||
- Least-privilege DB roles; encrypt secrets at rest; rotate keys.
|
||
- Avoid logging sensitive payloads (bank data, webhook bodies, LLM prompts/responses beyond trace references).
|
||
- Store `reasoning_trace` JSONB with care; avoid PII in traces.
|
||
|
||
## 4. Integrations & Webhooks
|
||
- Verify signatures for all inbound webhooks (external providers, payment provider); reject invalid; log with trace IDs.
|
||
- Idempotent processing with event ID dedupe; dead-letter queue for failures.
|
||
- Expose webhook URLs only over HTTPS; regenerate secrets on rotation.
|
||
|
||
## 5. Payments (provider‑agnostic)
|
||
- Use provider‑hosted Checkout/Portal; never handle raw card data.
|
||
- Store minimal billing identifiers (customer/subscription IDs, status, timestamps, plan/price).
|
||
- Enforce access based on subscription state; deny actions when inactive.
|
||
|
||
## 6. LLM Safety
|
||
- All LLM calls go through a single helper; centralize redaction, logging, and parameter control.
|
||
- Strip/obfuscate sensitive fields before sending to LLM; log only references in traces.
|
||
- Detailed LLM safety and `reasoning_trace` policy live in `/docs/llm/safety.md`.
|
||
|
||
### 6.1 AI‑Specific Threats & Controls (summary)
|
||
These apply to any archetype that uses LLMs or RAG.
|
||
|
||
- **Prompt injection / jailbreak**
|
||
- Treat all user input and retrieved content as **untrusted**.
|
||
- Delimit untrusted blocks explicitly and never allow them to override system constraints.
|
||
- Detect injection patterns; on suspicion → refuse or route to human review.
|
||
- **Outbound‑data policy**
|
||
- Use **allowlists** for what may be sent to the model.
|
||
- Mandatory redaction pipeline before every LLM call (PII/PHI/PCI/secrets).
|
||
- Never send cross‑tenant data; never send raw billing/auth secrets.
|
||
- **Output validation**
|
||
- Validate model outputs against strict schemas (types, enums, bounds).
|
||
- Reject/repair invalid outputs; fall back to safe defaults or human checkpoints for high‑risk actions.
|
||
- For agentic tools: validate tool arguments and enforce per‑tool scopes.
|
||
- **Trusted vs untrusted context (RAG)**
|
||
- Retrieved documents are untrusted unless curated.
|
||
- Keep retrieval tenant‑scoped; record only doc IDs in traces.
|
||
- If grounding is required and context is insufficient → ask user or defer.
|
||
|
||
## 7. Audit & Events
|
||
- Log domain events to `EventLog` with `source_agent`; include user ID, tenant, timestamps, and relevant context.
|
||
- Provide read-only `/api/events` with pagination and filtering; protect by tenant/role.
|
||
|
||
## 8. Common Controls
|
||
- OWASP Top 10 coverage (SQLi, XSS, CSRF, IDOR, SSRF, etc.).
|
||
- Input validation on all external inputs; use allowlists for redirects/URLs.
|
||
- Backup/restore plan and monitoring/alerting for infra and queues.
|