Security Architecture

Secure-by-design controls for European enterprise expectations. No system is "100% secure" — security is a continuous process of layered, verifiable controls, not a one-time claim. Below is what this starter implements today, and what a production rollout should add.

Implemented in this codebase

Strict Content-Security-Policy, HSTS, COOP/COEP/CORP headers (next.config.js)
Per-client rate limiting on all API routes (lib/security.ts)
IP addresses are salted-hashed, never stored raw (GDPR/FADP-safe)
Pseudonymous, append-only audit logging on sensitive actions
Input validation and length limits on all API payloads
Global middleware: forced HTTPS, known-scanner user-agent blocking
API keys read only from server-side environment variables
No inline eval, strict CSP script-src, no third-party trackers by default

Production checklist

Cloudflare (or similar) WAF + DDoS protection in front of the app
MFA / passkeys and RBAC via Auth.js, Clerk, or Keycloak
Durable, shared rate-limit store (Upstash Redis) for multi-instance deployments
Prompt-injection and jailbreak filtering layer before calling any model
Encrypted storage at rest, encrypted backups, key rotation
File upload malware scanning (ClamAV or a cloud AV API)
Regular third-party penetration testing and OWASP ASVS review
Dependency and container vulnerability scanning in CI/CD