Owner: Engineering Team | Last Updated: 2026-01-30 | Status: Current
Security measures implemented across the WWAI platform.

| Category | Implementation | Details |
|---|---|---|
| XSS Prevention | DOMPurify 3.2.6 | Sanitizes all HTML content before rendering |
| CSRF Protection | NextAuth.js built-in | CSRF tokens on all mutations |
| Rate Limiting | Backend API | Limits on auth and feature endpoints |
| CAPTCHA | Cloudflare Turnstile | Bot protection on registration/login |
| Device Fingerprinting | FingerprintJS 4.6.2 | Identifies devices for fraud detection |
| IP Tracking | X-Forwarded-For header | Logs client IP for security audit trail |
| Password Security | Server-side hashing | Passwords hashed before storage (Django) |
| Data in Transit | HTTPS/TLS | All traffic encrypted |
| Authentication | JWT + OAuth 2.0 | See Auth Architecture |
| Session Management | JWT with expiry | 1-hour tokens with auto-refresh |
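The IP Tracking row above logs the X-Forwarded-For value for the audit trail. As an added example that is not WWAI platform code, the function below picks the entry appended by the platform's own proxies rather than the leftmost, client-controlled one; `TRUSTED_PROXY_HOPS` and the sample addresses are assumptions.

```javascript
// Added example (not WWAI platform code): derive the client IP for the audit
// trail from X-Forwarded-For without trusting client-supplied entries.
//
// X-Forwarded-For reads "client, proxy1, proxy2, ...": each hop appends the
// address it received the connection from. Only entries appended by proxies
// we operate are trustworthy, so we count back from the right by the number
// of trusted proxies instead of taking the leftmost value.
// TRUSTED_PROXY_HOPS is an assumed deployment constant (e.g. one load balancer).

const TRUSTED_PROXY_HOPS = 1;

const IPV4 = /^(?:25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(?:\.(?:25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}$/;
const IPV6 = /^[0-9a-f:]+$/i; // coarse check, enough to reject junk values

function isPlausibleIp(s) {
  return IPV4.test(s) || (s.includes(':') && IPV6.test(s));
}

/**
 * Returns the address to log, or null if it cannot be established.
 * @param {string|undefined} xff  raw X-Forwarded-For header value
 * @param {string} remoteAddr     peer address of the TCP connection
 * @param {number} trustedHops    number of proxies we control in front of the app
 */
function clientIpForAudit(xff, remoteAddr, trustedHops = TRUSTED_PROXY_HOPS) {
  // No proxies in front of us: the socket peer is the client.
  if (trustedHops === 0) return remoteAddr;
  const hops = (xff || '').split(',').map(s => s.trim()).filter(Boolean);
  // The rightmost (trustedHops - 1) entries were appended by our own proxies;
  // the last proxy's own address is remoteAddr, not in the header. The entry
  // just before those is what our first trusted proxy saw: the client.
  const idx = hops.length - trustedHops;
  if (idx < 0) return null; // header shorter than expected: misrouted or tampered
  const candidate = hops[idx];
  return isPlausibleIp(candidate) ? candidate : null;
}
```

A null result should itself be logged as an anomaly, since a request reaching the app with fewer hops than the known proxy chain is worth investigating.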

| Secret Type | Storage | Access |
|---|---|---|
| API Keys | Environment variables | ECS task definition |
| OAuth Secrets | Environment variables | Server-side only (not NEXT_PUBLIC) |
| JWT Secret | NEXTAUTH_SECRET | Server-side only |
| Stripe Keys | Environment variables | STRIPE_KEY (server), NEXT_PUBLIC_STRIPE_KEY (client) |
| Internal Key | WALTER_INTERNAL_KEY | Server-to-server auth only |

| Risk | Mitigation |
|---|---|
| Injection | Input validation, ORM queries (Django) |
| Broken Authentication | JWT + OAuth, rate limiting, CAPTCHA |
| Sensitive Data Exposure | HTTPS, server-side secrets, no client-side secrets |
| XSS | DOMPurify, React auto-escaping, CSP headers |
| Broken Access Control | Backend authorization checks, role-based access |
| Security Misconfiguration | Environment-specific configs, no debug in prod |
| CSRF | NextAuth CSRF tokens |

| Date | Author | Change |
|---|---|---|
| 2026-01-30 | Admin | Initial creation |