Security
Security is built into every layer of Intrex. From authentication to data isolation, we implement defense-in-depth to protect your compliance data.
Security Model Overview
Authentication
JWT-based session management with secure cookie storage
- HS256-signed JWT tokens
- 24-hour session expiration with auto-refresh
- HTTP-only, Secure, SameSite=Lax cookies
- Password hashing with bcrypt (salt rounds: 10)
Authorization
Role-based access control with three permission tiers
- Head Office Admin: Full access
- Branch Manager: Branch-scoped access
- Operator: Task-level access
- Server-side permission enforcement
Data Isolation
Row Level Security ensures tenant data separation
- RLS policies on all tenant tables
- Automatic tenant context injection
- Users cannot access other tenant data
- Cascading deletes for data cleanup
Encryption
Sensitive data encrypted at rest and in transit
- AES-256-GCM for connector secrets
- TLS 1.2+ for all connections
- Database connections encrypted
- Webhook HMAC-SHA256 signing
Session Security
Sessions use industry-standard JWT with secure configuration:
// Cookie configuration
{
  httpOnly: true,   // Not accessible via JavaScript
  secure: true,     // HTTPS only
  sameSite: 'lax',  // CSRF protection
  maxAge: 86400     // 24 hours
}
// JWT configuration
{
  algorithm: 'HS256',
  expiration: '1 day',
  secret: '<32+ characters>'
}
Row Level Security
PostgreSQL RLS policies enforce tenant isolation at the database level:
-- Example RLS policy
CREATE POLICY tenant_isolation ON obligation_instances
FOR ALL
USING (tenant_id = current_setting('app.current_tenant')::uuid);
-- Applied to all tenant tables:
-- - obligation_instances
-- - branches
-- - domains
-- - connectors
-- - notification_events
-- - etc.
Connector Security
Notification connector credentials are encrypted before storage:
- Encryption: AES-256-GCM with random IV
- Key Management: AUTH_SECRET used as encryption key
- Decryption: Only performed server-side when sending
- Storage: Never store plaintext credentials
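The scheme in the list above, sketched with Node's built-in crypto module. This is an added example, not Intrex source code: the HKDF derivation step, the "connector-secrets" label, the iv.tag.ciphertext storage layout and all sample values are assumptions made for illustration.

```javascript
// Added example, not Intrex source. Assumptions: HKDF key derivation, the
// "connector-secrets" label, and the iv.tag.ciphertext storage layout.
const crypto = require('crypto');

// Derive a dedicated 32-byte AES key from AUTH_SECRET so the raw secret
// string is never used directly as the cipher key.
function deriveKey(authSecret) {
  const okm = crypto.hkdfSync('sha256', authSecret, Buffer.alloc(0),
                              'connector-secrets', 32);
  return Buffer.from(okm);
}

// Encrypt one credential. A fresh 12-byte IV per call is mandatory:
// reusing an IV under the same key breaks GCM.
function encryptSecret(plaintext, authSecret) {
  const iv = crypto.randomBytes(12);
  const cipher = crypto.createCipheriv('aes-256-gcm', deriveKey(authSecret), iv);
  const ct = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  const tag = cipher.getAuthTag(); // 16-byte authentication tag
  return [iv, tag, ct].map((b) => b.toString('base64')).join('.');
}

// Decrypt server-side. Throws if the record is malformed or the tag fails.
function decryptSecret(stored, authSecret) {
  const parts = stored.split('.');
  if (parts.length !== 3) throw new Error('malformed ciphertext');
  const [iv, tag, ct] = parts.map((p) => Buffer.from(p, 'base64'));
  if (iv.length !== 12 || tag.length !== 16) throw new Error('malformed ciphertext');
  const decipher = crypto.createDecipheriv('aes-256-gcm', deriveKey(authSecret), iv);
  decipher.setAuthTag(tag);
  return Buffer.concat([decipher.update(ct), decipher.final()]).toString('utf8');
}

// Returns true when decryption succeeds, false when authentication fails.
function canDecrypt(stored, authSecret) {
  try { decryptSecret(stored, authSecret); return true; } catch { return false; }
}

// Constructed sample values.
const SAMPLE_SECRET = 'constructed-sample-auth-secret-0123456789';
const SAMPLE_CREDENTIAL = 'smtp-password-example';
```

Because GCM authenticates the ciphertext, a modified database row or a rotated AUTH_SECRET makes decryption fail outright rather than return garbage, so rotating the secret requires re-encrypting stored credentials.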
Webhook Security
Outgoing webhooks include HMAC-SHA256 signatures for verification:
// Webhook payload signature
X-Intrex-Signature: sha256=<hmac_hex>
// Verification (receiver side)
expected = HMAC_SHA256(payload, webhook_secret)
secure_compare(received_signature, expected)
Security Headers
Application sends security headers on all responses:
Strict-Transport-Security: max-age=31536000; includeSubDomains
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
X-XSS-Protection: 1; mode=block
Referrer-Policy: strict-origin-when-cross-origin
Production Hardening
Database Security
- ✓ Enable RLS policies on all tables
- ✓ Use connection pooling for serverless
- ✓ Configure backup retention (7+ days)
- ✓ Enable Point-in-Time Recovery (PITR)
- ✓ Restrict database access by IP
Application Security
- ✓ Use strong AUTH_SECRET (32+ chars)
- ✓ Enable secure cookie settings
- ✓ Configure CORS properly
- ✓ Set up rate limiting
- ✓ Use production SMTP (not test)
Infrastructure
- ✓ HTTPS with valid SSL certificate
- ✓ HSTS headers enabled
- ✓ Security headers configured
- ✓ Error monitoring (Sentry)
- ✓ Logging to external service
Operational
- ✓ Regular security audits
- ✓ Dependency updates (monthly)
- ✓ Access review (quarterly)
- ✓ Incident response plan
- ✓ Data retention policies
Pre-Launch Security Checklist
Security Best Practices
Never commit .env files. Use strong, unique secrets for production. Rotate secrets regularly.
Keep dependencies updated. Monitor security advisories. Enable Dependabot alerts.
Audit user roles quarterly. Remove unused accounts. Enforce least privilege.
Regular database backups. Test restore procedures. Store backups in separate region.
Set up alerts for failed logins, errors, and anomalies. Monitor SSL expiry.
Enforce HTTPS in production. Use HSTS headers. Redirect HTTP to HTTPS.