Security
Security best practices and features for protecting your ATStatus application.
Security Features
- Role-Based Access Control: fine-grained permission system
- Secure Sessions: encrypted session management
- Input Validation: protection against injection attacks
- Rate Limiting: protection against abuse
- Audit Logging: track all changes and actions
- CSRF Protection: cross-site request forgery protection
Authentication
Authentication uses a custom session-based system with secure cookie management:
- Secure password hashing with bcrypt
- HMAC-signed session tokens
- Server-side session storage
- Automatic session expiration (24h)
- Secure cookie settings in production
- Optional two-factor authentication (TOTP)
Role-Based Access Control
The RBAC system provides four default roles with hierarchical permissions. See full RBAC documentation →
- OWNER: Full system access
- ADMIN: Administrative access
- MEMBER: Standard team access
- READ_ONLY: View-only access
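One way to model the four hierarchical roles and check permissions, as an added example (not ATStatus code). It also shows the one permission the page names, AUDIT_VIEW_SENSITIVE, gating the IP and detail fields of audit entries as the Audit Logging section describes. The other permission names, which roles hold them, and the sample log entries are assumptions for illustration.

```javascript
// Added example (not ATStatus code): hierarchical RBAC with the four default
// roles, a deny-by-default permission check, and audit-log redaction driven by
// the AUDIT_VIEW_SENSITIVE permission. Permission names other than
// AUDIT_VIEW_SENSITIVE and the role-to-permission mapping are assumptions.
const ROLE_RANK = { OWNER: 3, ADMIN: 2, MEMBER: 1, READ_ONLY: 0 };

// Each role lists only the permissions it adds; a role inherits everything
// granted to roles ranked below it.
const ROLE_GRANTS = {
  READ_ONLY: ['STATUS_VIEW'],
  MEMBER: ['STATUS_EDIT', 'AUDIT_VIEW'],
  ADMIN: ['USER_MANAGE', 'AUDIT_VIEW_SENSITIVE'],
  OWNER: ['SYSTEM_SETTINGS'],
};

// Resolve the full permission set for a role by walking the hierarchy.
function permissionsFor(role) {
  if (!(role in ROLE_RANK)) throw new Error(`unknown role: ${role}`);
  const rank = ROLE_RANK[role];
  const perms = new Set();
  for (const [r, grants] of Object.entries(ROLE_GRANTS)) {
    if (ROLE_RANK[r] <= rank) grants.forEach((p) => perms.add(p));
  }
  return perms;
}

function hasPermission(role, permission) {
  return permissionsFor(role).has(permission);
}

// Handlers ask for a permission, never for a role, so the hierarchy can be
// changed in one place. Anything not explicitly granted is denied.
function authorize(user, permission) {
  if (!user || !hasPermission(user.role, permission)) {
    return { ok: false, status: 403 };
  }
  return { ok: true };
}

// Constructed sample audit entries as they would be stored (IPs are from the
// RFC 5737 documentation ranges).
const AUDIT_LOG = [
  { at: '2024-01-01T10:00:00Z', actor: 'alice', action: 'monitor.create',
    ip: '203.0.113.7', detail: { name: 'api' } },
  { at: '2024-01-01T10:05:00Z', actor: 'bob', action: 'user.invite',
    ip: '198.51.100.9', detail: { email: 'carol@example.com' } },
];

const SENSITIVE_FIELDS = ['ip', 'detail'];

// Viewers need AUDIT_VIEW to see the log at all; only those who also hold
// AUDIT_VIEW_SENSITIVE get IPs and detail payloads, everyone else a redacted
// copy. The stored entries are never mutated.
function viewAuditLog(viewer) {
  if (!authorize(viewer, 'AUDIT_VIEW').ok) return null;
  const showSensitive = hasPermission(viewer.role, 'AUDIT_VIEW_SENSITIVE');
  return AUDIT_LOG.map((entry) => {
    const copy = { ...entry };
    if (!showSensitive) {
      for (const f of SENSITIVE_FIELDS) if (f in copy) copy[f] = '[redacted]';
    }
    return copy;
  });
}
```

The redaction happens at view time rather than at write time, so the full record is retained for those with the sensitive-view permission while everyone else sees a copy with the fields blanked.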
Audit Logging
All significant actions are logged for compliance. IP addresses and other sensitive data in audit logs are visible only to users holding the AUDIT_VIEW_SENSITIVE permission.
Deployment Best Practices
- Always use HTTPS in production
- Set strong SESSION_SECRET (min 32 characters)
- Change default admin password immediately
- Keep dependencies updated
- Use environment variables for secrets
- Enable rate limiting
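Two items of the checklist above turned into code, as an added example (not ATStatus code): a startup check that refuses to boot with a SESSION_SECRET shorter than 32 characters or without HTTPS enforcement in production, and a sliding-window rate limiter applied to login attempts per client IP. The environment variable names other than SESSION_SECRET, the limit of 5 attempts per minute and the response shape are assumptions for illustration.

```javascript
// Added example (not ATStatus code): deployment configuration check plus a
// sliding-window rate limiter. FORCE_HTTPS and RATE_LIMIT_ENABLED are assumed
// variable names; only SESSION_SECRET is taken from the page.
function checkDeploymentConfig(env) {
  const problems = [];
  if (!env.SESSION_SECRET || env.SESSION_SECRET.length < 32) {
    problems.push('SESSION_SECRET must be set and at least 32 characters long');
  }
  if (env.NODE_ENV === 'production') {
    if (env.FORCE_HTTPS !== 'true') problems.push('FORCE_HTTPS must be true in production');
    if (env.RATE_LIMIT_ENABLED === 'false') problems.push('rate limiting must stay enabled in production');
  }
  return problems; // empty array means safe to start
}

// Sliding window: a client may make `limit` requests in any `windowMs` span.
// Timestamps are kept per key; older ones fall out as the window slides.
class SlidingWindowLimiter {
  constructor({ limit, windowMs }) {
    this.limit = limit;
    this.windowMs = windowMs;
    this.hits = new Map(); // key -> timestamps of hits still inside the window
  }

  // Returns { allowed, remaining, retryAfterMs }; `now` is injectable for tests.
  check(key, now = Date.now()) {
    const cutoff = now - this.windowMs;
    const recent = (this.hits.get(key) || []).filter((t) => t > cutoff);
    if (recent.length >= this.limit) {
      this.hits.set(key, recent);
      // The oldest hit leaving the window frees the next slot.
      return { allowed: false, remaining: 0, retryAfterMs: recent[0] + this.windowMs - now };
    }
    recent.push(now);
    this.hits.set(key, recent);
    return { allowed: true, remaining: this.limit - recent.length, retryAfterMs: 0 };
  }

  // Drop idle keys so the map cannot grow without bound under a flood of
  // distinct clients. Returns how many keys were removed.
  prune(now = Date.now()) {
    let removed = 0;
    const cutoff = now - this.windowMs;
    for (const [key, times] of this.hits) {
      if (!times.some((t) => t > cutoff)) {
        this.hits.delete(key);
        removed += 1;
      }
    }
    return removed;
  }
}

// Policy for the login endpoint (assumed numbers): 5 attempts per minute per IP.
const loginLimiter = new SlidingWindowLimiter({ limit: 5, windowMs: 60_000 });

// Returns an HTTP-style decision so the caller can set status and headers.
function handleLogin(ip, now = Date.now()) {
  const r = loginLimiter.check(ip, now);
  if (!r.allowed) {
    return { status: 429, headers: { 'Retry-After': Math.ceil(r.retryAfterMs / 1000) } };
  }
  return { status: 200, headers: { 'X-RateLimit-Remaining': r.remaining } };
}
```

Keying the limiter by client IP protects the login form from password guessing; the same class can be keyed by API key id for authenticated endpoints. In a multi-process deployment the Map would need to be replaced by a shared store, otherwise each process enforces its own, larger, budget.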
API Key Best Practices
- Use scoped API keys when possible
- Set expiration dates on keys
- Rotate keys regularly
- Revoke unused keys
Security Vulnerabilities: If you discover a security vulnerability, please report it responsibly. Do not create public issues for security problems.
