Enterprise Security Architecture

Multi-Layer Security Model

The platform implements a comprehensive 5-layer security architecture designed for healthcare data protection, combining authentication, authorization, rate limiting, bot protection, and monitoring to safeguard sensitive client information.

🔐 Authentication & Authorization

Industry-standard authentication with NextAuth.js providing secure session management, role-based access control, and comprehensive password security measures.

Core Security Features

  • NextAuth.js Integration: Industry-standard OAuth providers alongside credentials (username/password) authentication
  • Bcrypt Hashing: 12-round salted password hashing for secure credential storage
  • JWT Sessions: 24-hour expiry tokens with automatic refresh and secure storage
  • Role-Based Access: Owner and Admin roles with granular permission control
  • Server-Side Validation: Every protected route verifies session authentication

🛡️ Progressive Rate Limiting & IP Protection

Intelligent rate limiting system with progressive escalation to prevent brute-force attacks while maintaining usability for legitimate users.

Rate Limit Tiers

  • Tier 1: 5 failed attempts = 15-minute cooldown
  • Tier 2: 10 total attempts = 1-hour IP ban
  • Whitelist: Admin-configurable trusted IPs
  • Auto-Cleanup: Expired limits cleared automatically
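The two tiers, the whitelist and the auto-cleanup above, as an added example in JavaScript that is not the platform's own code. It assumes an in-memory store, an injected clock (so the escalation can be checked deterministically), and a one-hour window per IP over which "total attempts" are counted; that window is an assumption the page does not state.

```javascript
const TIER1_FAILURES = 5;                  // failed attempts -> cooldown
const TIER1_COOLDOWN_MS = 15 * 60 * 1000;  // 15 minutes
const TIER2_ATTEMPTS = 10;                 // total attempts -> IP ban
const TIER2_BAN_MS = 60 * 60 * 1000;       // 1 hour
const WINDOW_MS = 60 * 60 * 1000;          // assumed counting window per IP (not stated on the page)

class LoginRateLimiter {
  constructor({ now = () => Date.now(), whitelist = [] } = {}) {
    this.now = now;                        // injected clock, defaults to wall time
    this.whitelist = new Set(whitelist);   // trusted IPs are never limited
    this.records = new Map();              // ip -> counters and block state
  }
  // Ask before authenticating: is a login attempt from `ip` allowed right now?
  check(ip) {
    if (this.whitelist.has(ip)) return { allowed: true };
    this.cleanup();
    const rec = this.records.get(ip);
    if (rec && rec.blockedUntil > this.now()) {
      return { allowed: false, reason: rec.reason, retryAfterMs: rec.blockedUntil - this.now() };
    }
    return { allowed: true };
  }
  // Report the outcome of an attempt that was allowed through; escalate when a tier threshold is crossed.
  record(ip, success) {
    if (this.whitelist.has(ip)) return;
    const rec = this.records.get(ip) ??
      { attempts: 0, failures: 0, blockedUntil: 0, reason: null, windowEnd: this.now() + WINDOW_MS };
    rec.attempts += 1;
    rec.failures = success ? 0 : rec.failures + 1;
    if (rec.attempts >= TIER2_ATTEMPTS) {            // Tier 2: 10 total attempts = 1-hour IP ban
      rec.blockedUntil = this.now() + TIER2_BAN_MS;
      rec.reason = 'ip-ban';
    } else if (rec.failures >= TIER1_FAILURES) {     // Tier 1: 5 failures = 15-minute cooldown
      rec.blockedUntil = this.now() + TIER1_COOLDOWN_MS;
      rec.reason = 'cooldown';
      rec.failures = 0;                              // the next cooldown needs 5 fresh failures
    }
    this.records.set(ip, rec);
  }
  // Auto-cleanup: forget IPs whose block and counting window have both expired.
  cleanup() {
    const now = this.now();
    for (const [ip, rec] of this.records) {
      if (now >= rec.blockedUntil && now >= rec.windowEnd) this.records.delete(ip);
    }
  }
}
```

Call `check(ip)` before running the credentials provider and `record(ip, success)` after it; a denied check should be answered without touching the database so the limiter itself cannot be used to load it.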

IP Management

  • Real-time tracking of login attempts
  • Manual IP blocking / unblocking
  • Permanent whitelist configuration
  • Security dashboard monitoring

Math-Based CAPTCHA

Lightweight bot protection using simple arithmetic questions (addition/subtraction). No external dependencies or user tracking required. Tokens expire after 5 minutes.

🔑 Password Management & Recovery

Secure password reset workflow with token-based verification, time-limited access, and encrypted email delivery for account recovery.

Reset Flow Security

  • Crypto-Secure Tokens: 32-byte random tokens generated with Node.js crypto module
  • Time-Limited Access: Reset links expire after 1 hour, limiting the window in which a leaked link can be used
  • One-Time Use: Tokens are cleared after successful password reset
  • Email Verification: Reset links sent only to registered email addresses
  • Fallback Logging: Console output when SMTP not configured (dev mode)

🛠️ Additional Security Measures

Application Security

  • SQL Injection Prevention: Prisma parameterized queries
  • XSS Prevention: React automatic escaping + CSP
  • CSRF Protection: NextAuth built-in tokens
  • Secure Headers: Next.js security configuration
  • HTTPS Only: SSL/TLS enforced in production

Data Protection

  • Environment Variables: Secrets never committed
  • Database Backups: Built-in backup/restore scripts
  • GDPR Compliance: User data protection measures
  • Audit Logging: Security event tracking
  • Session Security: HttpOnly cookies

📊 Security Monitoring Dashboard

Real-time security monitoring interface providing visibility into authentication attempts, blocked IPs, rate limit status, and system security events.

Dashboard Capabilities

  • Blocked IP Monitoring: View all currently blocked addresses with ban duration
  • Login Attempt Tracking: Real-time activity feed with attempt counts per IP
  • Manual IP Management: Pre-emptive blocking and whitelist configuration
  • Rate Limit Statistics: See which IPs are approaching thresholds
  • Auto-Refresh: Dashboard updates every 30 seconds for live monitoring