Security Implementation Guide
Overviewβ
This document provides detailed implementation specifications for enhancing the Attune Logic API security to match industry standards used by platforms like Twitter/Instagram.
Current API Analysisβ
Existing Security Architectureβ
βββββββββββββββββββ ββββββββββββββββββββ βββββββββββββββββββ
β Client App βββββΆβ Rate Limiter βββββΆβ Auth Layer β
β (Web/Mobile) β β (NOT PRESENT) β β (JWT + Refresh) β
βββββββββββββββββββ ββββββββββββββββββββ βββββββββββββββββββ
β
βΌ
βββββββββββββββββββ ββββββββββββββββββββ βββββββββββββββββββ
β Database ββββββ Controllers ββββββ Middleware β
β (Multi-tenant) β β (Business Logic)β β (Helmet, CORS) β
βββββββββββββββββββ ββββββββββββββββββββ βββββββββββββββββββ
Security Gaps Analysisβ
| Feature | Current State | Industry Standard | Priority |
|---|---|---|---|
| Rate Limiting | β Not implemented | β Multi-level (IP, User, Endpoint) | HIGH |
| Brute Force Protection | β Not implemented | β Progressive delays + lockouts | HIGH |
| Session Security | β οΈ Basic JWT only | β IP validation + device fingerprinting | HIGH |
| Audit Logging | β οΈ Performance only | β Comprehensive security events | MEDIUM |
| Token Security | β οΈ 4h expiration | β 15-30min with rotation | MEDIUM |
| Input Validation | β οΈ Schema validation | β Sanitization + XSS protection | HIGH |
| CSRF Protection | β Not implemented | β Token-based protection | HIGH |
| Security Headers | β οΈ Basic Helmet | β Enhanced CSP + HSTS | MEDIUM |
Phase 1: Foundation Security Implementationβ
1. Rate Limiting Systemβ
Architecture Designβ
// Rate Limiter Hierarchy
Global Rate Limiter (by IP)
βββ Per-User Rate Limiter
β βββ Login endpoints (stricter)
β βββ Write operations (medium)
β βββ Read operations (relaxed)
βββ Per-Endpoint Rate Limiter
βββ /api/v1/account/login (5 req/15min)
βββ /api/v1/jobs/* (100 req/15min)
βββ /api/v1/media/upload (10 req/15min)
Implementation Specificationsβ
// File: middlewares/rateLimiter.js
const rateLimit = require("express-rate-limit");
const RedisStore = require("rate-limit-redis");
// Rate Limiting Configuration
const rateLimits = {
global: {
windowMs: 15 * 60 * 1000, // 15 minutes
max: 1000, // requests per window
message: "Too many requests from this IP",
},
login: {
windowMs: 15 * 60 * 1000,
max: 5, // Very strict for login
skipSuccessfulRequests: true,
message: "Too many login attempts",
},
api: {
windowMs: 15 * 60 * 1000,
max: 100, // Per authenticated user
keyGenerator: (req) => req.user?.id || req.ip,
message: "API rate limit exceeded",
},
};
Industry Comparisonβ
- Twitter: 300 requests/15min for most endpoints
- Instagram: 200 requests/hour for Graph API
- Our Target: 100 requests/15min (more restrictive for security)
2. Brute Force Protectionβ
Attack Patterns to Preventβ
- Credential Stuffing: Automated login attempts with stolen credentials
- Dictionary Attacks: Systematic password guessing
- Distributed Attacks: Coordinated attacks from multiple IPs
Implementation Strategyβ
// File: middlewares/bruteForceProtection.js
const bruteForceConfig = {
// Progressive delays
failedAttempts: {
1: 0, // No delay for first attempt
2: 1000, // 1 second delay
3: 5000, // 5 second delay
4: 30000, // 30 second delay
5: 300000, // 5 minute delay
6: 3600000, // 1 hour delay
},
// Account lockout
lockout: {
maxAttempts: 5,
duration: 24 * 60 * 60 * 1000, // 24 hours
progressiveIncrease: true,
},
// IP-based blocking
ipBlocking: {
maxFailures: 50, // per IP
blockDuration: 60 * 60 * 1000, // 1 hour
},
};
3. Enhanced Security Headersβ
Current vs. Enhanced Configurationβ
// Current (basic)
helmet({
crossOriginResourcePolicy: false,
frameguard: false,
});
// Enhanced (Twitter/Instagram style)
helmet({
contentSecurityPolicy: {
directives: {
defaultSrc: ["'self'"],
styleSrc: ["'self'", "'unsafe-inline'"],
scriptSrc: ["'self'"],
imgSrc: ["'self'", "data:", "https:"],
connectSrc: ["'self'"],
fontSrc: ["'self'"],
objectSrc: ["'none'"],
mediaSrc: ["'self'"],
frameSrc: ["'none'"],
},
},
crossOriginResourcePolicy: { policy: "cross-origin" },
hsts: {
maxAge: 31536000, // 1 year
includeSubDomains: true,
preload: true,
},
referrerPolicy: { policy: "strict-origin-when-cross-origin" },
});
4. CSRF Protectionβ
Implementation for Multi-Tenant SaaSβ
// File: middlewares/csrfProtection.js
const csrf = require("csurf");
const csrfProtection = csrf({
cookie: {
httpOnly: true,
secure: process.env.NODE_ENV === "production",
sameSite: "strict",
maxAge: 3600000, // 1 hour
},
// Skip for API endpoints, use for web form submissions
ignoreMethods: ["GET", "HEAD", "OPTIONS"],
// Custom token validation for SPA
value: (req) => {
return (
req.body._token ||
req.query._token ||
req.headers["x-csrf-token"] ||
req.headers["csrf-token"]
);
},
});
Phase 2: Advanced Security Implementationβ
1. Session Security Enhancementβ
IP-Based Session Validationβ
// File: middlewares/sessionSecurity.js
const sessionSecurityConfig = {
// IP validation
ipValidation: {
enabled: true,
allowSubnetChange: false, // Strict for business users
logSuspiciousActivity: true,
},
// Device fingerprinting
deviceFingerprinting: {
enabled: true,
factors: [
"userAgent",
"acceptLanguage",
"screenResolution",
"timezone",
"platform",
],
},
// Session concurrency
concurrency: {
maxSessions: 5, // Per user
enforceLimit: true,
terminateOldest: true,
},
};
Twitter/Instagram Comparisonβ
- Twitter: Detects unusual login locations
- Instagram: Requires email verification for new devices
- Our Implementation: IP + device fingerprinting with alerts
2. Comprehensive Audit Loggingβ
Security Events to Logβ
// File: models/SecurityLog.js
const securityEventTypes = {
AUTH_SUCCESS: "Authentication successful",
AUTH_FAILURE: "Authentication failed",
AUTH_LOCKOUT: "Account locked due to failed attempts",
SESSION_CREATED: "New session created",
SESSION_TERMINATED: "Session terminated",
RATE_LIMIT_EXCEEDED: "Rate limit exceeded",
SUSPICIOUS_ACTIVITY: "Suspicious activity detected",
TOKEN_REFRESH: "Token refreshed",
TOKEN_REVOKED: "Token revoked",
PERMISSION_DENIED: "Permission denied",
DATA_ACCESS: "Sensitive data accessed",
CONFIGURATION_CHANGE: "System configuration changed",
};
// Audit log structure
const auditLogSchema = {
timestamp: Date,
eventType: String,
userId: ObjectId,
userEmail: String,
ipAddress: String,
userAgent: String,
resource: String,
action: String,
result: String, // SUCCESS/FAILURE/BLOCKED
details: Object,
severity: String, // LOW/MEDIUM/HIGH/CRITICAL
parentCompany: ObjectId,
sessionId: String,
deviceFingerprint: String,
};
3. Token Security Improvementsβ
Enhanced Token Strategyβ
// File: services/tokenSecurity.js
const tokenSecurityConfig = {
// Reduced expiration times
expiration: {
accessToken: "15m", // Reduced from 4h
refreshToken: "2h", // Reduced from 8h (web)
mobileRefresh: "7d", // Reduced from 10d
},
// Token rotation
rotation: {
enabled: true,
rotateOnRefresh: true,
maxRefreshCount: 5,
invalidateOnSuspicious: true,
},
// Enhanced payload
payload: {
includeFingerprint: true,
includeIpAddress: true,
includeLocation: true,
includeTenant: true,
},
};
Phase 3: Industry-Specific Securityβ
1. Trucking Industry Complianceβ
DOT Compliance Requirementsβ
// File: middlewares/truckingCompliance.js
const truckingSecurityConfig = {
// Driver privacy protection
driverPrivacy: {
maskPII: true,
limitDataRetention: true,
encryptSensitiveData: true,
},
// Vehicle tracking security
vehicleTracking: {
encryptLocation: true,
limitHistoryAccess: true,
requireAuthForTracking: true,
},
// Hours of service protection
hosProtection: {
tamperDetection: true,
auditTrail: true,
supervisorAccess: true,
},
};
2. Service Industry Complianceβ
Customer Data Protectionβ
// File: middlewares/serviceCompliance.js
const serviceSecurityConfig = {
// Customer PII protection
customerPII: {
encryptAtRest: true,
encryptInTransit: true,
maskInLogs: true,
limitAccess: true,
},
// Technician access controls
technicianAccess: {
locationBasedAuth: true,
workOrderAccess: true,
customerDataLimits: true,
},
// Service location security
locationSecurity: {
geofencing: true,
accessTimeWindows: true,
supervisorNotification: true,
},
};
Implementation Prioritiesβ
Week 1-2: Foundationβ
- Rate Limiting - Prevents API abuse
- Brute Force Protection - Prevents credential attacks
- Enhanced Headers - Prevents XSS/CSRF
- Input Validation - Prevents injection attacks
Week 3-4: Advancedβ
- Session Security - Prevents session hijacking
- Audit Logging - Enables threat detection
- Token Security - Reduces attack window
- Monitoring - Real-time threat response
Week 5-6: Industryβ
- Compliance Features - Industry-specific requirements
- Advanced Monitoring - Threat intelligence
- Performance Optimization - Minimize security overhead
Testing Strategyβ
Security Testing Frameworkβ
// File: tests/security/security-test-suite.js
const securityTests = {
rateLimiting: [
"should block after rate limit exceeded",
"should reset rate limit after window",
"should handle distributed attacks",
],
authentication: [
"should prevent brute force attacks",
"should lock accounts after failed attempts",
"should validate session IP consistency",
],
authorization: [
"should enforce role-based access",
"should prevent privilege escalation",
"should validate tenant isolation",
],
inputValidation: [
"should sanitize all inputs",
"should prevent XSS attacks",
"should prevent SQL injection",
],
};
Performance Testingβ
// Load testing with security features
const performanceTests = {
baseline: "Measure without security features",
withSecurity: "Measure with all security features",
targetMetrics: {
responseTime: "<= 5% increase",
throughput: "No decrease",
memoryUsage: "<= 10% increase",
},
};
Monitoring and Alertingβ
Security Metrics Dashboardβ
// File: services/securityMetrics.js
const securityMetrics = {
realTime: [
"Active sessions",
"Failed login attempts",
"Rate limit violations",
"Suspicious activities",
],
daily: [
"Security events summary",
"Top attacking IPs",
"Most targeted endpoints",
"User behavior anomalies",
],
weekly: [
"Security trends",
"Compliance status",
"Performance impact",
"Threat landscape",
],
};
Alert Configurationsβ
// File: config/securityAlerts.js
const alertConfig = {
critical: {
multipleFailedLogins: 5,
suspiciousLocationLogin: true,
rateLimitExceeded: 10,
systemConfigurationChange: true,
},
warning: {
unusualUserBehavior: true,
highErrorRate: 0.1,
performanceImpact: 0.05,
},
info: {
newDeviceLogin: true,
successfulLogin: false,
apiUsageSpikes: true,
},
};
Integration Pointsβ
Database Schema Updatesβ
-- Security logs table
CREATE TABLE security_logs (
id SERIAL PRIMARY KEY,
timestamp TIMESTAMP DEFAULT NOW(),
event_type VARCHAR(50),
user_id UUID,
ip_address INET,
user_agent TEXT,
resource VARCHAR(255),
action VARCHAR(50),
result VARCHAR(20),
details JSONB,
severity VARCHAR(20),
parent_company UUID
);
-- Session security table
CREATE TABLE session_security (
id SERIAL PRIMARY KEY,
user_id UUID,
session_id VARCHAR(255),
ip_address INET,
device_fingerprint VARCHAR(255),
created_at TIMESTAMP DEFAULT NOW(),
last_activity TIMESTAMP DEFAULT NOW(),
is_active BOOLEAN DEFAULT TRUE
);
API Changesβ
// New security endpoints
app.post("/api/v1/security/report-suspicious", reportSuspiciousActivity);
app.get("/api/v1/security/session-status", getSessionStatus);
app.post("/api/v1/security/terminate-session", terminateSession);
app.get("/api/v1/security/audit-log", getAuditLog);
Success Criteriaβ
Technical Successβ
- 99.9% uptime maintained with security features
- < 5% performance degradation
- Zero successful brute force attacks
- 100% security event coverage in logs
Business Successβ
- Improved customer trust scores
- Industry compliance certification
- Reduced security incident response time
- Enhanced competitive positioning
Operational Successβ
- Security team confidence in monitoring
- Automated threat response capability
- Comprehensive audit trail for compliance
- Proactive threat detection
This implementation guide serves as the technical blueprint for enhancing API security. Each section should be implemented incrementally with proper testing and monitoring at each phase.