This repository is an engineering starter, not a compliance certification. Perform threat modeling, penetration testing and privacy review before production use.
- Argon2 password hashing
- Password complexity validation
- Email verification
- Account lockout after repeated failures
- Short-lived JWT access tokens
- Rotating refresh tokens with family reuse detection
- MFA using TOTP and one-time backup codes
- Session/device revocation
- Scoped API keys stored as hashes
- RBAC and resource-level membership checks
- Organization membership isolation
- Request IDs and security audit logs
- CORS and trusted-host controls
- Rate limiting with Redis or local fallback
- Message ownership and moderator authorization
- Attachment ownership and checksum checks
- Upload size limits
- Soft deletion for messages
- User blocking and moderation reports
- Secrets encrypted at rest for MFA configuration
- Set long random
SECRET_KEYandENCRYPTION_SECRETvalues using a secrets manager. - Set
ENVIRONMENT=production,DEBUG=falseandEXPOSE_DEBUG_TOKENS=false. - Use TLS for HTTP, WebSocket, PostgreSQL, Redis and object storage.
- Use secure, HTTP-only cookies for browser refresh tokens or a hardened token vault.
- Restrict
CORS_ORIGINSandTRUSTED_HOSTS. - Add CSP at the frontend/reverse proxy.
- Replace local file serving with private object storage and short-lived signed download URLs.
- Scan every upload for malware and prohibited content before status becomes
ready. - Add MIME inspection; never trust only the client-provided MIME type.
- Add content moderation appropriate to the product and jurisdiction.
- Add database backups, point-in-time recovery and Redis high availability.
- Alert on refresh-token reuse, login lockouts, privilege changes, report spikes and outbox failures.
- Define retention and deletion policies for messages, attachments, audit events and backups.
- Review lawful-access, encryption and data-residency requirements.
- Access tokens are validated during the handshake.
- Membership is rechecked for room subscriptions and domain events.
- Event payload size is limited.
- Unknown event types and invalid data produce structured errors.
- A reverse proxy should enforce connection, request and bandwidth limits.
- Clients should refresh access tokens before reconnecting rather than keeping long-lived tokens.
Do not open public issues for exploitable vulnerabilities. Report them privately to the repository owner with reproduction steps and impact.