SOC-ready security. Built in, not bolted on.
Seven layers of security — from network transport to operational controls — implemented, integrated, and auditable before you write your first feature.
Network & Transport: secure by default
Every request passes through transport-level protections before it reaches application code.
- HTTPS enforcement in production with secure, httpOnly, sameSite cookies
- Individually configurable rate limiting on signin, password reset and token refresh
- Configurable login throttle guard with exponential backoff
- Sensitive request bodies excluded from HTTP logging via @SkipBodyLogging decorator
Authentication: strategies fully configurable
Local login, Google and Microsoft OAuth, SAML, LDAP/Active Directory, and invitation-only signup.
- Local auth with bcrypt hashing and password history to prevent reuse
- Google and Microsoft OAuth via Passport.js with encrypted client secrets
- LDAP/Active Directory authentication with configurable bind DN and search filter
- JWT access tokens (15 min) and refresh tokens (7 days) stored in httpOnly cookies
- Token blacklisting (JTI-based) on logout and password change
- Account lockout after 5 failed attempts with 15-minute exponential backoff
- Password policy: minimum 12 characters, uppercase, lowercase, number, special character
- Four signup modes: open registration, domain-restricted, invitation-only, approval-required
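The throttle guard with exponential backoff and the account lockout described above both come down to the same bookkeeping: count failures per account, lock after the fifth, and double the lock each time it recurs. This is an added example, not the project's code, and it stands in an in-memory Map for the users table; the 24-hour cap on the doubling and the exact doubling schedule (15, 30, 60 minutes) are assumptions, as the page only states "15-minute exponential backoff". The password-history check (bcrypt comparison against previous hashes) is not shown.

```javascript
// Added example, not the project's code: lockout with exponential backoff plus the
// password policy. An in-memory Map stands in for the users table.

const MAX_FAILED_ATTEMPTS = 5;                // lockout after 5 failures (from the page)
const BASE_LOCKOUT_MS = 15 * 60 * 1000;       // 15-minute base (from the page)
const MAX_LOCKOUT_MS = 24 * 60 * 60 * 1000;   // cap on the doubling; an assumption
const MIN_PASSWORD_LENGTH = 12;               // from the page

class LockoutTracker {
  // `now` is injectable so the backoff can be exercised without waiting.
  constructor(now = () => Date.now()) {
    this.now = now;
    this.accounts = new Map(); // userId -> { failures, lockouts, lockedUntil }
  }

  _account(userId) {
    if (!this.accounts.has(userId)) {
      this.accounts.set(userId, { failures: 0, lockouts: 0, lockedUntil: 0 });
    }
    return this.accounts.get(userId);
  }

  // Milliseconds until the account may try again; 0 means not locked.
  lockedFor(userId) {
    return Math.max(0, this._account(userId).lockedUntil - this.now());
  }

  // The login handler consults lockedFor() before it verifies the credential, so a
  // failure reported while the account is locked is not counted again.
  recordFailure(userId) {
    const remaining = this.lockedFor(userId);
    if (remaining > 0) return { locked: true, lockMs: remaining };
    const acct = this._account(userId);
    acct.failures += 1;
    if (acct.failures < MAX_FAILED_ATTEMPTS) return { locked: false, lockMs: 0 };
    // 15 min, 30 min, 60 min ... doubling on each successive lockout, capped.
    const lockMs = Math.min(BASE_LOCKOUT_MS * 2 ** acct.lockouts, MAX_LOCKOUT_MS);
    acct.lockouts += 1;
    acct.failures = 0;
    acct.lockedUntil = this.now() + lockMs;
    return { locked: true, lockMs };
  }

  // A successful login clears both the failure counter and the backoff history.
  recordSuccess(userId) {
    this.accounts.delete(userId);
  }
}

// Password policy from the page: minimum 12 characters, uppercase, lowercase, number,
// special character. Returns the unmet requirements; an empty list means acceptable.
function checkPasswordPolicy(password) {
  const problems = [];
  if (password.length < MIN_PASSWORD_LENGTH) problems.push(`at least ${MIN_PASSWORD_LENGTH} characters`);
  if (!/[A-Z]/.test(password)) problems.push("an uppercase letter");
  if (!/[a-z]/.test(password)) problems.push("a lowercase letter");
  if (!/[0-9]/.test(password)) problems.push("a number");
  if (!/[^A-Za-z0-9]/.test(password)) problems.push("a special character");
  return problems;
}

module.exports = { LockoutTracker, checkPasswordPolicy };
```

The guard returns the remaining lock time rather than a bare boolean so the handler can emit a Retry-After header and the audit log can record the lock duration; the counter is keyed by account, not by IP, because the threat it addresses is credential guessing against one user from many addresses.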
Multi-Factor Authentication: TOTP, email OTP, backup codes
A complete MFA subsystem with TOTP authenticator apps, email one-time passwords, backup codes, trusted devices, mandatory enforcement for admin roles, and admin emergency controls.
- TOTP (RFC 6238) with QR code setup, 30-second time step, and ±1 step window tolerance
- Email OTP with 6-digit codes, expiry, and maximum verification attempts
- Ten backup codes per user in XXXX-XXXX-XXXX format, bcrypt-hashed for storage
- Trusted device management with 14-day trust duration and revocation
- Mandatory MFA configurable per role with configurable grace period
- Admin controls: force-disable user MFA, view adoption metrics, reset grace periods
- MFA recovery flow with recovery email, 24-hour token expiry, and automatic MFA disable on success
- Scheduled cleanup for expired challenges, recovery requests, and trusted devices
Authorization: policy engine, not middleware flags
Casbin-powered role-based access control with a five-level role hierarchy, per-endpoint policy definitions, multi-tenant organization scoping, team-based additive roles, and a SOC audit endpoint that exports the full policy map.
- Casbin policy engine with configurable role hierarchy
- Global PolicyGuard (APP_GUARD) enforces authorization on every route automatically
- Centralized policy registry with 56+ core entries covering all controller methods
- Multi-tenant organizations with per-user role assignments (unique per user + org)
- Team-based additive roles — effective role is the highest of direct + all team roles
- SOC audit endpoint: GET /rbac/policies returns the full policy map for compliance review
- Dynamic Casbin rule generation refreshed every 60 seconds
Data Protection: AES-256-GCM, multiple key scopes
Transparent field-level encryption. Every read and write is intercepted — encrypting on the way in, decrypting on the way out — with three key scopes, deterministic mode for searchable fields, and versioned keys with rotation support.
- AES-256-GCM encryption with 12-byte IV and 128-bit authentication tag
- Multiple key scopes: PII (user data), MFA (secrets), HIPAA (health data), with the ability to configure additional scopes
- Deterministic encryption mode for searchable fields like email (HMAC-derived IV)
- All query operations intercepted: create, update, find, delete, aggregate
- Versioned keys with globally unique key IDs embedded in ciphertext
- Key rotation with batch migration, dry-run mode, pause/resume, and progress tracking
- SMTP passwords, OAuth secrets, and AI API keys encrypted at rest
- Additional fields can be configured for encryption at rest
Alerting, Audit & Compliance: 40+ events, built-in alerting
Every security-relevant action is logged with user, IP, user-agent, and metadata. Alerts fire automatically based on configurable severity mappings, with email digest notifications, acknowledgement tracking, and retention policies that distinguish normal events from security events.
- 40+ audit event types: login, password change, MFA toggle, user creation, role change
- Add your own audit and logging events
- Each entry captures userId, organizationId, IP address, user-agent, and metadata
- Organization-scoped audit log access
- Alert severity levels (LOW, MEDIUM, HIGH, CRITICAL) with configurable event-to-severity mappings
- Email digest notifications with per-user interval and minimum severity preferences
- Retention policies: 1 year for normal events, 2 years for security events
- SOC policy export endpoint for auditor review of the full authorization registry
Operational Security: leader election, distributed locks
Production-grade operational controls: PostgreSQL advisory lock leader election for single-instance cron execution, distributed transaction locks, automated data retention cleanup, instance and database health monitoring with alerting, and a system reset that requires email verification and typing "ANNIHILATE".
- Leader election via PostgreSQL pg_try_advisory_lock with dedicated connection and retry loop
- Distributed transaction locks (pg_try_advisory_xact_lock) for concurrent operation safety
- Automated daily retention cleanup: expired tokens, old audit logs, soft-deleted records
- Instance health monitoring: CPU (5s/60s averages), RAM, disk with configurable thresholds
- Database health monitoring: connections, cache hit ratio, dead tuples, replication lag, lock waits
- Database restore requires email verification before execution
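The leader-election item above rests on one property of PostgreSQL session-level advisory locks: the lock belongs to the connection that took it and is released when that connection ends. The example below is added here and is not the project's scheduler; it shows the retry loop, the dedicated connection, and the cron guard against a constructed in-memory stand-in for PostgreSQL that reproduces those semantics. With the real `pg` driver the same `query` calls would run unchanged; the lock key value is constructed.

```javascript
// Added example, not the project's code: leader election on pg_try_advisory_lock with a
// dedicated session and retry loop. FakePostgres is a constructed stand-in for the server.

const LEADER_LOCK_KEY = 7360001; // application-chosen bigint key; constructed value
const defaultSleep = (ms) => new Promise((resolve) => setTimeout(resolve, ms));

class LeaderElector {
  // openSession must hand back a connection that is NOT returned to a pool: a session-level
  // advisory lock travels with the connection, so a pooled one would carry it to the next
  // borrower or drop it when recycled.
  constructor(openSession, { lockKey = LEADER_LOCK_KEY, retryMs = 5000, sleep = defaultSleep } = {}) {
    Object.assign(this, { openSession, lockKey, retryMs, sleep, session: null, isLeader: false });
  }

  async tryAcquire() {
    if (!this.session) this.session = await this.openSession();
    const res = await this.session.query("SELECT pg_try_advisory_lock($1) AS acquired", [this.lockKey]);
    this.isLeader = res.rows[0].acquired === true;
    return this.isLeader;
  }

  // Keep trying until the lock is won or maxAttempts is exhausted; followers stay in this
  // loop so they take over when the current leader's connection goes away.
  async acquireWithRetry(maxAttempts = Infinity) {
    for (let attempt = 1; attempt <= maxAttempts; attempt++) {
      if (await this.tryAcquire()) return true;
      await this.sleep(this.retryMs);
    }
    return false;
  }

  async release() {
    if (this.session) {
      if (this.isLeader) await this.session.query("SELECT pg_advisory_unlock($1) AS released", [this.lockKey]);
      await this.session.end();
    }
    this.session = null;
    this.isLeader = false;
  }

  // Cron guard: the job body runs only on the instance that currently holds the lock.
  async runIfLeader(job) {
    if (!this.isLeader) return false;
    await job();
    return true;
  }
}

// Constructed in-memory stand-in with PostgreSQL's session-lock semantics: one holder per
// key, re-acquirable by the holding session, released on unlock or when the session ends.
class FakePostgres {
  constructor() { this.holders = new Map(); this.nextSessionId = 1; }
  connect() {
    const server = this, id = this.nextSessionId++;
    return {
      async query(sql, params) {
        const key = params[0];
        if (sql.startsWith("SELECT pg_try_advisory_lock(")) {
          const holder = server.holders.get(key);
          const acquired = holder === undefined || holder === id;
          if (acquired) server.holders.set(key, id);
          return { rows: [{ acquired }] };
        }
        if (sql.startsWith("SELECT pg_advisory_unlock(")) {
          const released = server.holders.get(key) === id;
          if (released) server.holders.delete(key);
          return { rows: [{ released }] };
        }
        throw new Error(`fake does not support: ${sql}`);
      },
      async end() {
        for (const [key, holder] of server.holders) if (holder === id) server.holders.delete(key);
      },
    };
  }
}

module.exports = { LeaderElector, FakePostgres, LEADER_LOCK_KEY };
```

Because the lock dies with the connection, a crashed leader is replaced automatically on the followers' next retry; the failure mode to watch for is the opposite one, a leader whose dedicated connection was closed by a proxy or idle timeout while the process kept believing it was leader, which is why a real deployment re-checks `tryAcquire()` before each scheduled run rather than trusting a cached flag.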