Implemented App Controls

The items below are materially present in the current codebase, compose stack, CI configuration, or user-facing security flows.

  • JWT cookie auth with revocation, single-session enforcement, issuer/audience/nbf validation, and HttpOnly cookie transport.
  • Role and ownership checks on protected resources, admin-only routes, and storage access paths.
  • Argon2id password hashing, account lockout, auth throttling, and reduced account-enumeration signals.
  • CSRF origin validation for unsafe cookie-authenticated requests plus strict CORS and trusted-host enforcement.
  • Upload MIME validation, quarantine flow, asynchronous ClamAV scanning, and malicious-file retention handling.
  • Generic client-safe errors with request correlation IDs and reduced filesystem/tool detail exposure.
  • Data minimization on file and bug-report APIs so storage paths and raw fingerprints are not exposed to users.
  • Secure response headers, cache suppression on sensitive auth flows, and hardened reverse-proxy topology.
  • CI security scanning with bandit, pip-audit, npm audit, semgrep, gitleaks, trivy, and Dependabot updates.
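
The first and fourth items above (JWT cookie auth with issuer/audience/nbf validation, revocation and single-session enforcement, and CSRF origin validation for unsafe cookie-authenticated requests) are the ones most easily shown in code. The block below is an added example written for this page, not the project's own implementation. It assumes HS256 tokens carrying `iss`, `aud`, `nbf`, `exp`, `sub`, `sid` and `jti` claims, keeps the revocation list and the per-user active session in memory, and uses constructed hostnames and a constructed signing key; the function names (`verify_token`, `csrf_origin_ok`, `authenticate_request`) are hypothetical.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional
from urllib.parse import urlsplit

# Constructed values for the example; a real deployment takes these from config.
ISSUER = "https://auth.example.test"
AUDIENCE = "app-api"
SECRET = b"example-only-signing-key"
ALLOWED_ORIGINS = {"https://app.example.test"}
UNSAFE_METHODS = {"POST", "PUT", "PATCH", "DELETE"}

# In-memory stand-ins for the revocation list and the per-user active session.
REVOKED_JTIS = set()
ACTIVE_SESSION = {}  # sub -> sid of the single session allowed to exist


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def issue_token(claims: dict) -> str:
    """Mint an HS256 JWT and record its sid as the user's only active session."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    body = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(SECRET, f"{header}.{body}".encode(), hashlib.sha256).digest()
    ACTIVE_SESSION[claims["sub"]] = claims["sid"]
    return f"{header}.{body}.{_b64url(sig)}"


def revoke(jti: str) -> None:
    """Logout or admin revocation: the token id is denied for the rest of its lifetime."""
    REVOKED_JTIS.add(jti)


def verify_token(token: str, now: Optional[float] = None) -> dict:
    """Return the claims only if signature, iss, aud, nbf, exp, revocation and
    single-session checks all pass; each failure names its reason."""
    now = time.time() if now is None else now
    try:
        header_b64, body_b64, sig_b64 = token.split(".")
    except ValueError:
        raise ValueError("malformed token")
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":  # pin the algorithm; never trust the token's choice
        raise ValueError("unexpected alg")
    expected = hmac.new(SECRET, f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(body_b64))
    if claims.get("iss") != ISSUER:
        raise ValueError("bad issuer")
    if claims.get("aud") != AUDIENCE:
        raise ValueError("bad audience")
    if now < claims.get("nbf", 0):
        raise ValueError("token not yet valid")
    if now >= claims.get("exp", 0):  # a missing exp is treated as already expired
        raise ValueError("token expired")
    if claims.get("jti") in REVOKED_JTIS:
        raise ValueError("token revoked")
    if ACTIVE_SESSION.get(claims.get("sub")) != claims.get("sid"):
        raise ValueError("superseded session")
    return claims


def csrf_origin_ok(method: str, headers: dict) -> bool:
    """Origin check for unsafe cookie-authenticated requests. Origin is preferred;
    Referer is the fallback when Origin is absent; "null" or no header fails closed."""
    if method.upper() not in UNSAFE_METHODS:
        return True
    origin = headers.get("Origin")
    if origin is None and headers.get("Referer"):
        parts = urlsplit(headers["Referer"])
        origin = f"{parts.scheme}://{parts.netloc}" if parts.scheme and parts.netloc else None
    return origin in ALLOWED_ORIGINS


def authenticate_request(method: str, headers: dict, cookies: dict,
                         now: Optional[float] = None) -> dict:
    """What a cookie-auth middleware does per request: CSRF check, then token check."""
    if not csrf_origin_ok(method, headers):
        raise PermissionError("cross-site request rejected")
    if "session" not in cookies:
        raise PermissionError("missing session cookie")
    return verify_token(cookies["session"], now)
```

The token only ever reaches `verify_token` from the `session` cookie, which is where the HttpOnly transport named above applies: the cookie is set with `HttpOnly`, `Secure` and a `SameSite` attribute so script cannot read it, and the origin check covers the cross-site cases `SameSite` alone does not. The checks are ordered so the cheapest rejections (malformed token, bad signature) happen before any store lookups.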

Access Governance

A documented role matrix now defines what user, moderator, and admin accounts can do across API surfaces.
Access-control review mapped file/job/artifact/storage/admin routes to ownership or role guards in the request or service layer.
SQL-injection review found ORM/statement-based DB access in request paths rather than interpolated raw SQL strings.
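
The role matrix and ownership/role guards described above, together with the data-minimization rule from the control list (storage paths and raw fingerprints never reach clients), are illustrated by the following added example. It is not the project's code and the matrix is not the project's documented one: the role/permission pairs, the `FileRecord` fields and the `authorize`, `get_file` and `delete_file` helpers are constructed for illustration.

```python
from dataclasses import asdict, dataclass
from typing import Dict, Set, Tuple

# Constructed role matrix: role -> permitted (resource_type, action) pairs.
# An action ending in ":own" is granted only on resources the caller owns;
# "*" grants every action on that resource type. Anything absent is denied.
ROLE_MATRIX: Dict[str, Set[Tuple[str, str]]] = {
    "user": {("file", "read:own"), ("file", "delete:own"),
             ("bug_report", "create"), ("bug_report", "read:own")},
    "moderator": {("file", "read"), ("bug_report", "read"), ("bug_report", "triage")},
    "admin": {("file", "*"), ("bug_report", "*"), ("admin", "*")},
}


@dataclass(frozen=True)
class Principal:
    user_id: str
    role: str


@dataclass(frozen=True)
class FileRecord:
    id: str
    owner_id: str
    name: str
    scan_status: str
    storage_path: str      # internal location; never sent to clients
    fingerprint: str       # raw content fingerprint; internal only
    resource_type: str = "file"


def is_allowed(principal: Principal, record, action: str) -> bool:
    """Deny by default; an unknown role has no permissions at all."""
    perms = ROLE_MATRIX.get(principal.role, set())
    rtype = record.resource_type
    if (rtype, "*") in perms or (rtype, action) in perms:
        return True
    if (rtype, f"{action}:own") in perms:
        return record.owner_id == principal.user_id
    return False


def authorize(principal: Principal, record, action: str) -> None:
    """Guard placed at the request/service boundary; raises on denial so the
    caller cannot forget to check the result."""
    if not is_allowed(principal, record, action):
        raise PermissionError(f"{principal.role} may not {action} {record.resource_type}")


# Data minimization: the only fields a client response may carry.
CLIENT_FIELDS = ("id", "name", "scan_status")


def to_client_view(record: FileRecord) -> dict:
    """Allow-list projection; new internal fields stay hidden unless added here."""
    full = asdict(record)
    return {k: full[k] for k in CLIENT_FIELDS}


def get_file(principal: Principal, record: FileRecord) -> dict:
    """Service-layer read: guard first, then return the minimized view."""
    authorize(principal, record, "read")
    return to_client_view(record)


def delete_file(principal: Principal, record: FileRecord, store: dict) -> bool:
    """Service-layer delete; returns whether a record was actually removed."""
    authorize(principal, record, "delete")
    return store.pop(record.id, None) is not None
```

Two design points are worth keeping when adapting this: the projection is an allow-list rather than a deny-list, so a field added to the record later is hidden until someone decides it is client-safe; and ownership is evaluated inside the guard rather than in each route, which is what makes a route-by-route review like the one described above tractable.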

Standards Evidence

ISO/IEC 27034 application security

Partially evidenced in code

Secure coding, auth, session handling, input validation, deployment hardening, and scanning are implemented, but a formal organizational application security framework is not fully documented in-repo.

ISO/IEC 27001 / 27002 / 27003 / 27005

Not fully evidenced from code

The repo shows many technical controls, but certification-level ISMS scope, risk register, statement of applicability, treatment plan, and management governance evidence are still process work.

ISO/IEC 27701 / 29100 / 29134 / 29151

Partially evidenced

There are privacy, retention, and consent documents, but a full PIMS, PII inventory, privacy impact assessment evidence, and privacy control ownership are not yet complete.

ISO/IEC 29147 / 30111

Partially evidenced

A disclosure policy and RFC 9116 security.txt are now published, but a final production mailbox, triage SLA, and documented intake workflow still need to be finalized.

ISO 22301 / ISO/IEC 27031 / 27035 / 27037-27043

Mostly organizational gap

The repo includes health checks, backup guidance, and retention operations, but formal continuity, incident response, digital evidence, and investigation procedures need operational documentation and rehearsal.