TekTree Security Architecture

Version: 1.0.0 | Last Updated: 2025-12-16 | Status: Foundation (Pre-Implementation)

Security Principles

  1. Zero Trust: Never trust, always verify
  2. Defense in Depth: Multiple layers of security
  3. Least Privilege: Minimum necessary access
  4. Secure by Default: Security is not opt-in
  5. Fail Securely: Failures deny access

Authentication

JWT (JSON Web Tokens)

Access Token:
  • Algorithm: RS256 (asymmetric)
  • Lifetime: 15 minutes
  • Storage: Memory (client-side)
  • Claims: user_id, tier, role, exp, iat
{
  "sub": "usr_abc123",
  "tier": "pro",
  "role": "user",
  "exp": 1702742400,
  "iat": 1702741500
}
Refresh Token:
  • Type: Opaque (random 256-bit)
  • Lifetime: 7 days (30 days with remember_me)
  • Storage: HTTP-only, Secure, SameSite=Strict cookie
  • Rotation: New refresh token on each use
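As an added example (not TekTree's own code), here is how the RS256 access token described above can be verified with only Go's standard library: the verifier pins the algorithm to RS256 instead of reading it from the token header, checks the signature before trusting any claim, and rejects a token once the clock reaches exp. The names Claims, SignAccessToken, VerifyAccessToken and DemoKey are this example's own, and DemoKey is a throwaway key generated at startup so the file runs stand-alone; a deployed service would load its signing key from the secret store.

```go
package main
import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"strings"
)
// Claims mirrors the access-token payload shown above.
type Claims struct {
	Sub  string `json:"sub"`
	Tier string `json:"tier"`
	Role string `json:"role"`
	Exp  int64  `json:"exp"`
	Iat  int64  `json:"iat"`
}
var b64 = base64.RawURLEncoding
var DemoKey, _ = rsa.GenerateKey(rand.Reader, 2048) // throwaway key so the file runs stand-alone; a service loads its key from secrets
// SignAccessToken mints a compact RS256 JWS (here only to produce tokens to verify).
func SignAccessToken(c Claims, priv *rsa.PrivateKey) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT"})
	body, _ := json.Marshal(c)
	input := b64.EncodeToString(hdr) + "." + b64.EncodeToString(body)
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	return input + "." + b64.EncodeToString(sig), err
}
// VerifyAccessToken pins alg to RS256 (the header never chooses it), checks the signature before trusting any claim, then enforces exp against now (Unix seconds).
func VerifyAccessToken(token string, pub *rsa.PublicKey, now int64) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	var hdr struct{ Alg string `json:"alg"` }
	if raw, err := b64.DecodeString(parts[0]); err != nil || json.Unmarshal(raw, &hdr) != nil || hdr.Alg != "RS256" {
		return nil, errors.New("alg must be RS256")
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if sig, err := b64.DecodeString(parts[2]); err != nil || rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) != nil {
		return nil, errors.New("invalid signature")
	}
	var c Claims
	if raw, err := b64.DecodeString(parts[1]); err != nil || json.Unmarshal(raw, &c) != nil || c.Exp == 0 || now >= c.Exp {
		return nil, errors.New("invalid or expired claims")
	}
	return &c, nil
}
```

The check order matters: a token whose header says anything other than RS256, or whose signature does not cover the exact header and payload bytes, is rejected before its claims are even parsed.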

Password Security

  • Hash: Bcrypt with cost factor 12
  • Requirements: Min 8 chars, 1 uppercase, 1 number, 1 special
  • Breach detection: Check against Have I Been Pwned API
  • Rate limiting: 5 attempts per 15 minutes

Authorization

RBAC (Role-Based Access Control)

Roles:
Role      | Permissions
----------|---------------------------------
user      | Create content, vote, comment
moderator | Hide/delete content, warn users
admin     | Full access, manage users

Tier-Based Access

Tier       | Feature Access
-----------|--------------------------------
Free       | Limited quotas
Pro        | Enhanced quotas, real-time
Team       | Team features, custom branding
Enterprise | Unlimited, SSO, white-label

Middleware Stack

Request → CORS → Auth → Rate Limit → Tier Check → Route Handler

API Security

Input Validation

  • JSON schema validation at API Gateway
  • Max request body: 10MB
  • XSS prevention: Sanitize HTML (bluemonday)
  • SQL/NoSQL injection: Parameterized queries only

Rate Limiting

Token bucket algorithm in Redis (the snippet below is the simplest form: one counter per user and endpoint with a 60-second window):
INCR ratelimit:{user_id}:{endpoint}
EXPIRE ratelimit:{user_id}:{endpoint} 60
Set the expiry only when INCR returns 1 (or run both commands in one MULTI/EXEC), so that every request does not push the window out again and a crash between the two commands cannot leave a counter without a TTL.

CORS

cors.Options{
	AllowedOrigins:   []string{"https://tektree.com"},
	AllowedMethods:   []string{"GET", "POST", "PUT", "DELETE", "PATCH"},
	AllowedHeaders:   []string{"Authorization", "Content-Type"},
	AllowCredentials: true,
}

Data Protection

Encryption at Rest

  • MongoDB: AES-256 encryption
  • Redis: Encryption enabled
  • Backups: Encrypted with separate keys

Encryption in Transit

  • TLS 1.3 enforced
  • HSTS: max-age=31536000; includeSubDomains
  • Certificate: Let’s Encrypt with auto-renewal

PII Handling

  • Email addresses hashed for analytics
  • Passwords never logged
  • No PII in error messages or logs

Secret Management

  • All secrets in Railway environment variables
  • Separate secrets per environment (dev, staging, prod)
  • Secret rotation: 90 days for API keys
  • No secrets in code or version control

Compliance

GDPR

  • User consent for data collection
  • Data export API (JSON format)
  • Data deletion API (right to be forgotten)
  • Cookie consent banner
  • Privacy policy

PCI DSS

  • No card data stored in TekTree
  • All payments via Polar (PCI-compliant)
  • HTTPS enforced for payment flows

Security Testing

Automated

  • OWASP ZAP scans (weekly)
  • Dependency vulnerability scans (daily)
  • Secret scanning (GitHub)
  • Static analysis (go vet, gosec)

Manual

  • Penetration testing (quarterly)
  • Security code reviews (per PR)
  • Threat modeling (per major feature)

Incident Response

Process

  1. Detection (alerts, logs, reports)
  2. Containment (disable affected services)
  3. Investigation (root cause analysis)
  4. Remediation (patch, deploy)
  5. Communication (status page, email)
  6. Post-mortem (document lessons learned)

Contacts


Document Status: ✅ Complete
Related Documents: NON_FUNCTIONAL_REQUIREMENTS.md, API_CONTRACTS.md