Security
Built for the security review
Malai retires the table-stakes objections up front. Each row is a standards-language claim, with the evidence that supports it sitting beside it — nothing on this list is asking you to take it on faith.
- TLS 1.2+: minimum at every edge
- HSTS preload: 1-year max-age, includeSubdomains
- OWASP CRS: plus IP reputation & rate limiting
- Per-task identity: no shared service secret
Identity & access
Who can speak to the system, how their tokens are minted, and what stops a stolen credential from going anywhere.
- Authentication
Short-lived JWT bearer tokens, signed with a managed key, validated on every request. The customer-facing app never holds a long-lived credential.
Token lifetime measured in minutes; refresh is server-side.
- Sign-in hardening
Every sign-in runs through compromised-credentials detection and adaptive risk scoring. Optional TOTP MFA is available, and the password policy requires at least twelve characters with mixed case, numbers and symbols.
Adaptive auth is enforced, not advisory — high-risk sign-ins are blocked.
- Authorization
RBAC enforced at the API, with module fences enforced at build time so a call that should never cross a domain cannot compile.
Module fences fail the build, not just the test.
- Inter-service authentication
Services authenticate to each other with OAuth2 client credentials. A compromised internal client cannot impersonate a user, and a compromised user token cannot reach internal-only routes.
- Defence-in-depth token verification
Every JWT is verified twice — once by the edge gateway against the issuer's JWKS, and again inside the service. Bypassing the gateway does not bypass the service; bypassing the service does not bypass the gateway.
Signature, expiry, audience and issuer are checked at both layers.
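As an added illustration (not Malai's code), this is the check each layer, edge gateway and service alike, would run on a bearer token: key lookup by kid, signature, then exp, aud and iss. It assumes HS256 with a symmetric JWK so it runs on the standard library alone; a real JWKS would normally carry public keys, and the claim checks are unchanged.

```python
import base64
import hashlib
import hmac
import json
import time

def _b64u(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _b64u_dec(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

# Constructed JWKS with one symmetric JWK (kty=oct) so the block runs on the
# standard library alone; a production JWKS would normally publish public keys.
SECRET = b"constructed-example-key-do-not-reuse-0123456789"
JWKS = {"keys": [{"kty": "oct", "kid": "k-2024", "alg": "HS256", "k": _b64u(SECRET)}]}

def mint(claims: dict, kid: str = "k-2024") -> str:
    """Stand-in for the issuer: produce a compact HS256 JWS (constructed)."""
    header = _b64u(json.dumps({"alg": "HS256", "kid": kid}).encode())
    payload = _b64u(json.dumps(claims).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64u(sig)}"

def verify(token: str, jwks: dict, issuer: str, audience: str, now=None) -> dict:
    """The check each layer (edge gateway, then service) runs on its own:
    key lookup by kid, signature, exp, aud, iss. Raises ValueError on failure."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h, p, s = parts
    header = json.loads(_b64u_dec(h))
    key = next((k for k in jwks["keys"] if k["kid"] == header.get("kid")), None)
    # Pin the algorithm to what the key declares; the token's own "alg" never
    # selects the verifier (defeats alg=none and key-confusion tricks).
    if key is None or key["alg"] != "HS256" or header.get("alg") != key["alg"]:
        raise ValueError("unknown kid or algorithm")
    expected = hmac.new(_b64u_dec(key["k"]), f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64u_dec(s)):
        raise ValueError("signature mismatch")
    claims = json.loads(_b64u_dec(p))
    now = time.time() if now is None else now
    if now >= claims.get("exp", 0):          # a missing exp is treated as expired
        raise ValueError("expired or missing exp")
    if claims.get("aud") != audience:
        raise ValueError("audience mismatch")
    if claims.get("iss") != issuer:
        raise ValueError("issuer mismatch")
    return claims
```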
Data protection
Keys, secrets, database roles and the audit trail — what's encrypted, what's append-only, who can touch which row.
- Encryption at rest
Database, object storage, log streams and the image registry all use customer-managed keys. Plaintext is not written to disk at any layer.
Key rotation runs on a managed schedule; rotation is transparent to the app.
- Secrets management
A managed secret store holds every credential. Each task runs under its own identity; no plaintext secret is ever baked into an image or an env file.
Per-task identity means a leaked process secret revokes one task, not the fleet.
- Database role separation
The application connects with a least-privilege role — INSERT/SELECT only on the audit log, no DDL anywhere. Migrations run under a separate, privileged role that the runtime never holds.
The database master credential auto-rotates on a managed schedule and a redeploy picks it up without manual intervention.
- Append-only audit
Every ledger event is appended to a hash-chained, tamper-evident log. Replaying the chain reproduces the balance.
A sanitised audit row sample lands with the evidence pass.
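The hash-chained, replayable ledger described above, as an added example rather than Malai's implementation: each row commits to its predecessor, verification recomputes every link, and the balance is derived by replaying the chain only after it verifies. The row layout (seq, account, delta, ref) is an assumption.

```python
import hashlib
import json

GENESIS = "0" * 64  # prev_hash of the first row

def _row_hash(prev_hash: str, event: dict) -> str:
    # Canonical JSON so an identical event always produces an identical hash.
    body = json.dumps(event, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(f"{prev_hash}|{body}".encode()).hexdigest()

class AuditLog:
    """Append-only, hash-chained ledger: rows are only ever appended, and each
    row commits to its predecessor through prev_hash, so editing, dropping or
    reordering any earlier row breaks every hash after it."""

    def __init__(self):
        self.rows = []

    def append(self, account: str, delta: int, ref: str) -> dict:
        prev = self.rows[-1]["hash"] if self.rows else GENESIS
        event = {"seq": len(self.rows), "account": account, "delta": delta, "ref": ref}
        row = {**event, "prev_hash": prev, "hash": _row_hash(prev, event)}
        self.rows.append(row)
        return row

    def verify_chain(self) -> bool:
        """Recompute every link; False means a row was altered, dropped or reordered."""
        prev = GENESIS
        for seq, row in enumerate(self.rows):
            event = {k: v for k, v in row.items() if k not in ("prev_hash", "hash")}
            if row["seq"] != seq or row["prev_hash"] != prev or row["hash"] != _row_hash(prev, event):
                return False
            prev = row["hash"]
        return True

    def replay(self, account: str) -> int:
        """The balance is not a stored cell: it is derived by replaying the chain,
        and only after the chain verifies."""
        if not self.verify_chain():
            raise ValueError("audit chain broken; refusing to derive a balance")
        return sum(r["delta"] for r in self.rows if r["account"] == account)
```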
Edge & network
What a request meets before it reaches application code — TLS, WAF rules, security headers, and a database that has no public address.
- TLS at the edge
Every origin is HTTPS-only with TLS 1.2 as the floor. HSTS is set with a one-year max-age and preload, and HTTP/2 plus HTTP/3 are negotiated where the client supports them.
External TLS scan link lands with the evidence pass.
- Managed WAF at the edge
Public origins sit behind a managed WAF with the OWASP core rule set, the known-bad-inputs rule set and an IP reputation list. A per-IP rate-limit rule caps abusive traffic before it reaches the application.
Rule sets are vendor-maintained; the application never has to ship a patch to keep up with a new exploit family.
- Security headers at the cache layer
HSTS, a per-app Content-Security-Policy, X-Frame-Options: DENY and X-Content-Type-Options: nosniff are stamped on every response by the edge cache. A misconfigured application cannot strip them.
Header policy lives in infrastructure code, not application code.
- Private database
The database has no public network address. It is reachable only from inside the private network, and only from the application's security group on the database port — nothing else.
TLS to the database is enforced at the engine level, not just at the client.
Operational integrity
What stops a retried write from double-spending, and what surfaces an incident before a customer reports it.
- Idempotency
Synchronous and asynchronous write paths take an Idempotency-Key header. Replaying a mutation inside a 24-hour window returns the original result instead of a second side-effect.
The same key is honoured across retries from clients, queues and back-pressured workers.
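An added example (not Malai's code) of the Idempotency-Key semantics described above, with the edge cases a practitioner cares about: a replay inside the 24-hour window returns the stored result without a second side effect, the same key with a different payload is a conflict, a concurrent duplicate is held off while the first attempt runs, and a failed attempt releases the key. Scoping keys by tenant and the in-memory store are assumptions.

```python
import hashlib
import json
import threading
import time

WINDOW_SECONDS = 24 * 60 * 60   # the page's 24-hour replay window
PENDING = object()              # marker for a key that is reserved but not yet finished

class IdempotencyStore:
    """Keyed by (tenant, Idempotency-Key). A replay inside the window returns the
    stored result and never re-runs the side effect; the same key with a different
    payload is a conflict; a failed attempt releases the key so a retry can run."""

    def __init__(self, window=WINDOW_SECONDS, clock=time.time):
        self._entries = {}          # (tenant, key) -> {"fp", "result", "at"}
        self._lock = threading.Lock()
        self._window, self._clock = window, clock

    @staticmethod
    def _fingerprint(payload: dict) -> str:
        return hashlib.sha256(json.dumps(payload, sort_keys=True).encode()).hexdigest()

    def execute(self, tenant: str, key: str, payload: dict, side_effect):
        """Returns (result, replayed). side_effect(payload) is the real mutation."""
        slot, fp, now = (tenant, key), self._fingerprint(payload), self._clock()
        with self._lock:
            entry = self._entries.get(slot)
            if entry and now - entry["at"] < self._window:
                if entry["fp"] != fp:
                    raise ValueError("Idempotency-Key reused with a different payload")
                if entry["result"] is PENDING:
                    raise RuntimeError("a request with this key is still in progress")
                return entry["result"], True
            # New or expired key: reserve it before releasing the lock so a
            # concurrent duplicate cannot slip in while the mutation runs.
            self._entries[slot] = {"fp": fp, "result": PENDING, "at": now}
        try:
            result = side_effect(payload)
        except Exception:
            with self._lock:
                self._entries.pop(slot, None)   # failed: let the client retry
            raise
        with self._lock:
            self._entries[slot] = {"fp": fp, "result": result, "at": now}
        return result, False
```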
- Encrypted, correlated, alarmed logging
Every request carries a correlation id that travels through traces, metrics and structured logs. Log streams are encrypted with managed keys, and an alarm fires when the error rate crosses a threshold.
Traces, RED-method metrics and JSON logs are emitted by every service.