ldy26098
/
BMAD-METHOD
mirror of https://github.com/bmad-code-org/BMAD-METHOD.git
1
0
Fork 0
Code Packages Projects Releases Wiki Activity
BMAD-METHOD/bmad-core/data/security-patterns.md

2.3 KiB
Raw Blame History

Security Patterns and Best Practices

Authentication & Authorization

JWT Best Practices

  • Expiry: Access tokens 15-30 minutes, refresh tokens 7-30 days
  • Algorithm: Use RS256 for public/private key signing
  • Claims: Include minimal necessary data (user_id, roles, exp)
  • Storage: HttpOnly cookies for web, secure storage for mobile
  • Validation: Always verify signature, expiry, and issuer

OAuth 2.0 Implementation

  • PKCE: Required for all public clients (SPAs, mobile)
  • State Parameter: Prevent CSRF attacks
  • Scope Limitation: Request minimal necessary permissions
  • Redirect URI: Exact match validation, no wildcards

Data Protection

Encryption Standards

  • At Rest: AES-256-GCM for data, RSA-4096 for keys
  • In Transit: TLS 1.3 minimum, certificate pinning for mobile
  • Database: Column-level encryption for PII
  • Backups: Encrypted with separate key management

Input Validation

  • Sanitization: Use parameterized queries, escape HTML
  • File Uploads: MIME type validation, virus scanning, size limits
  • Rate Limiting: Per-IP, per-user, per-endpoint limits
  • Schema Validation: JSON Schema or similar for API inputs

API Security

Common Vulnerabilities

  1. Injection: SQL, NoSQL, Command, LDAP injection
  2. Broken Authentication: Weak passwords, exposed credentials
  3. Sensitive Data Exposure: Logs, error messages, debug info
  4. XML External Entities: XXE attacks in XML processing
  5. Broken Access Control: Privilege escalation, IDOR

Security Headers

Content-Security-Policy: default-src 'self'
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Strict-Transport-Security: max-age=31536000
Referrer-Policy: strict-origin-when-cross-origin

Monitoring & Incident Response

Security Logging

  • Authentication Events: Login attempts, failures, lockouts
  • Authorization: Access grants/denials, privilege changes
  • Data Access: PII access, export operations
  • System Changes: Configuration updates, user modifications

Threat Detection

  • Anomaly Detection: Unusual access patterns, location changes
  • Automated Response: Account lockout, IP blocking
  • Alert Thresholds: Failed login attempts, API rate violations
  • SIEM Integration: Centralized log analysis and correlation