Roadmap
Phase 1: Security Hardening
Current phase — closing critical security gaps and establishing baselines.
Status: In Progress | Target: Q1 2026
Phase 1 focuses on closing the critical and high-priority security gaps identified in the March 2026 security assessment.
Completed
- Auth middleware on all API endpoints
- JWT token authentication (24h expiration)
- Randomized invite codes (no defaults)
- Rate limiting (300 requests per 15 min globally, 10 per 15 min on auth endpoints)
- CORS restricted to allowed origins
- Security headers via Helmet
- WebSocket authentication required
- Audit logging for security events
- Per-user chat isolation
- Prompt injection defense
- PM2 process management
- Nginx blocks .git/.env paths
- TLS 1.2+ via nginx
- VAPI key server-side only
- File permissions (600) on sensitive files
- .env.backup removed
In Progress
- Close port 3000 externally (iptables)
- Remove localStorage JWT fallback
- Add CSRF protection
- Configure firewall rules
- Enable CloudWatch logging
Planned (This Phase)
- Implement automated daily backups to S3
- Enable SELinux enforcing mode
- Add health check endpoints
- Review and restrict endpoint access by role
- Remove hardcoded fallback codes
- Remove unsafe-inline from the CSP
Success Criteria
Phase 1 is complete when:
- No critical security issues remain open
- All high-priority issues have mitigation plans in progress
- Centralized logging is operational
- Backup and restore procedures are tested
- Firewall rules are configured and verified
Risk Assessment
| Risk | Likelihood | Impact | Mitigation |
|---|---|---|---|
| Port 3000 exploitation | Medium | High | Close with iptables (in progress) |
| XSS token theft | Low | High | Remove localStorage fallback |
| CSRF attack | Low | Medium | Add CSRF tokens |
| Data loss | Low | Critical | Implement backups |