Quick reference for security implementations in Interview Optimiser.
- Status: ✅ Implemented
- Pattern: Double-submit cookie with signed tokens
- Quick Use: Replace
fetch()withsecureFetch()
- Status: ✅ Implemented
- Pattern: HMAC signature verification
- Providers: Clerk, Stripe, custom webhooks
- Status: ✅ Implemented
- Backend: Upstash Redis
- Limits: 60 req/min (API), 10 req/10min (uploads)
- ✅ Clerk authentication integrated
- ✅ User session management
- ✅ Role-based access control (via organizations)
- ✅ Secure token storage
- ✅ CSRF protection on state-changing requests
- ✅ Rate limiting on all endpoints
- ✅ Input validation with Zod schemas
- ✅ SQL injection prevention (Drizzle ORM)
- ✅ XSS protection (React automatic escaping)
- ✅ HTTPS enforced in production
- ✅ Secure cookies with httpOnly, secure, sameSite
- ✅ Environment variables via Doppler
- ✅ S3 presigned URLs for file access
- ✅ Database connection pooling
- ✅ Sentry error tracking
- ✅ Structured logging with Pino
⚠️ Security event logging (partial)⚠️ Audit trail (planned)
- DO NOT create public GitHub issues
- Email security concerns to: interviewoptimiser@bhekani.com
- Include: Description, steps to reproduce, impact assessment
# Generate new secret
openssl rand -base64 32
# Update in Doppler
doppler secrets set CSRF_SECRET=<new-secret>
# Restart applicationEdit src/lib/rate-limit.ts:
export const rateLimits = {
api: { requests: 60, window: 60 },
upload: { requests: 10, window: 600 },
// Add custom limits here
};All webhooks automatically verify signatures. To add a new provider:
- Add verification logic to
src/lib/webhook-security.ts - Configure secret in Doppler
- Test with webhook testing tool
- Report: security-audit-report.md
- Critical Issues: 0
- High Issues: 2 (fixed)
- Medium Issues: 5 (3 fixed, 2 in progress)
- Low Issues: 8 (monitoring)
- 2025-09: Migrated from Vercel KV to Upstash Redis for rate limiting
- 2025-08: Implemented CSRF protection across all endpoints
- 2025-07: Added webhook signature verification
- 2025-06: Initial security audit completed
- OWASP Top 10 Checklist
- Next.js Security Best Practices
- Clerk Security Documentation
- AWS S3 Security Best Practices
For detailed implementation guides, see the individual security documentation files linked above.