Skip to content

Security: ShivamMathtech/Enterprise-Realtime-Chat-API

Security

SECURITY.md

Security Guide

This repository is an engineering starter, not a compliance certification. Perform threat modeling, penetration testing and privacy review before production use.

Implemented controls

  • Argon2 password hashing
  • Password complexity validation
  • Email verification
  • Account lockout after repeated failures
  • Short-lived JWT access tokens
  • Rotating refresh tokens with family reuse detection
  • MFA using TOTP and one-time backup codes
  • Session/device revocation
  • Scoped API keys stored as hashes
  • RBAC and resource-level membership checks
  • Organization membership isolation
  • Request IDs and security audit logs
  • CORS and trusted-host controls
  • Rate limiting with Redis or local fallback
  • Message ownership and moderator authorization
  • Attachment ownership and checksum checks
  • Upload size limits
  • Soft deletion for messages
  • User blocking and moderation reports
  • Secrets encrypted at rest for MFA configuration

Required production hardening

  • Set long random SECRET_KEY and ENCRYPTION_SECRET values using a secrets manager.
  • Set ENVIRONMENT=production, DEBUG=false and EXPOSE_DEBUG_TOKENS=false.
  • Use TLS for HTTP, WebSocket, PostgreSQL, Redis and object storage.
  • Use secure, HTTP-only cookies for browser refresh tokens or a hardened token vault.
  • Restrict CORS_ORIGINS and TRUSTED_HOSTS.
  • Add CSP at the frontend/reverse proxy.
  • Replace local file serving with private object storage and short-lived signed download URLs.
  • Scan every upload for malware and prohibited content before status becomes ready.
  • Add MIME inspection; never trust only the client-provided MIME type.
  • Add content moderation appropriate to the product and jurisdiction.
  • Add database backups, point-in-time recovery and Redis high availability.
  • Alert on refresh-token reuse, login lockouts, privilege changes, report spikes and outbox failures.
  • Define retention and deletion policies for messages, attachments, audit events and backups.
  • Review lawful-access, encryption and data-residency requirements.

WebSocket protections

  • Access tokens are validated during the handshake.
  • Membership is rechecked for room subscriptions and domain events.
  • Event payload size is limited.
  • Unknown event types and invalid data produce structured errors.
  • A reverse proxy should enforce connection, request and bandwidth limits.
  • Clients should refresh access tokens before reconnecting rather than keeping long-lived tokens.

Reporting vulnerabilities

Do not open public issues for exploitable vulnerabilities. Report them privately to the repository owner with reproduction steps and impact.

There aren't any published security advisories