This document outlines the security measures implemented in the ThewworksICT e-commerce application and provides guidelines for maintaining a secure deployment.

• Supabase Authentication: Using JWT tokens for secure admin access
• Role-based access control: Admin-only endpoints require trusted app_metadata.role=admin or an approved server-side email allowlist
• Token validation: All API requests validated server-side
• Metadata hardening: User-editable user_metadata is never trusted for authorization decisions

• AES-256-GCM Encryption: Customer PII (name, email, phone, address) encrypted at rest
• Secure Key Derivation: HKDF with salt for deriving encryption keys from secrets
• Timing-safe comparison: Constant-time comparison to prevent timing attacks

• Helmet.js: Comprehensive security headers
• Rate Limiting: Configurable rate limits per endpoint
• CSRF Protection: Token-based CSRF validation for state-changing operations
• Signed double-submit tokens: Browser mutations fetch /api/security/csrf-token and echo the signed token in X-XSRF-TOKEN; Paystack webhooks are exempt from CSRF and protected by Paystack signatures
• Input Validation: Zod schema validation on all inputs
• Request Size Limits: Configurable max body size (default: 5MB)

• Paystack Webhook Verification: Signature validation for payment webhooks
• Receipt Token Validation: Secure order lookup using hashed tokens
• Currency Validation: Prevent payment amount manipulation

• CORS: Whitelist-based origin validation
• HSTS: HTTP Strict Transport Security (1 year max-age in production)
• Content Security Policy: Prevent XSS and injection attacks
• Cache Control: Prevent sensitive data caching

• All secrets replaced with production values in .env
• NODE_ENV=production set
• PUBLIC_SITE_URL set to production domain
• CORS_ALLOWED_ORIGINS limited to trusted production origins only
• Database SSL enabled (DATABASE_SSL_MODE=require)
• CSRF_SECRET minimum 32 characters
• PAYSTACK_SECRET_KEY is a live sk_live_... key in production
• Paystack webhook URL configured as /api/payments/paystack/webhook; Paystack signs webhook requests with the live secret key in x-paystack-signature
• npm run security:env:check:production passes against the production environment
• Redis configured for rate limiting (production)
• SSL/TLS certificate configured on load balancer

• WAF enabled (Cloudflare, AWS WAF, etc.)
• DDoS protection enabled
• Database in private subnet
• API only accessible via load balancer
• Backups configured
• Logging and monitoring active

• Security alerting configured
• Error logging active
• Performance monitoring
• Uptime monitoring

The application sets the following security headers:

• Mitigation: Parameterized queries via pg library
• Status: ✅ Protected

• Mitigation: Content Security Policy, input sanitization
• Status: ✅ Protected

• Mitigation: CSRF token validation
• Status: ✅ Protected

• Mitigation: X-Frame-Options: DENY
• Status: ✅ Protected

• Mitigation: HSTS, TLS 1.2+
• Status: ✅ Protected

• Mitigation: Rate limiting, WAF
• Status: ✅ Protected (with Redis/WAF)

• Mitigation: Paystack signature verification, receipt tokens
• Status: ✅ Protected

• Mitigation: AES-256-GCM encryption for PII
• Status: ✅ Protected

If you discover a security vulnerability, please report it to: stankingshomevalue@gmail.com

We appreciate responsible disclosure and will work to address issues promptly.

Regular security audits are recommended:

npm run security:audit

Update dependencies regularly:

npm update
npm run security:audit:fix

This security documentation is part of the ThewworksICT e-commerce application.