🔐ACTIVE
bcrypt Password Hashing
Staff PINs are run through bcrypt — a one-way cryptographic algorithm — before ever touching the database. The original PIN is never stored anywhere, making credential theft meaningless even in a worst-case scenario.
Protects: Staff credentials · Irreversible · Unique salt per PIN
🎫ACTIVE
JWT Session Authentication
Every staff session uses a cryptographically signed JSON Web Token that expires in 8 hours. Every single API endpoint requires a valid token — unauthenticated requests are rejected before they reach any data.
Protects: All API endpoints · Dashboard access · Auto-expiring sessions
🔒ACTIVE
Login Brute-Force Lockout
After 5 failed login attempts from a single IP address, that IP is locked out for 5 minutes. This completely defeats automated password-guessing attacks. Successful logins reset the counter instantly.
Protects: Staff accounts · Blocks credential stuffing · IP-based enforcement
✅ACTIVE
Twilio Cryptographic Webhook Verification
Every inbound SMS is verified using an HMAC-SHA1 signature from Twilio before any processing occurs. Requests without a valid signature are rejected instantly. It is cryptographically impossible to inject fake messages.
Protects: SMS webhook · Blocks spoofed messages · Cryptographic guarantee
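The check the card describes, written out as an added example (not the project's code): Twilio's documented scheme is the exact public webhook URL, followed by every POST parameter's name and value concatenated in name order, HMAC-SHA1 with the account auth token, base64. The auth token, URL and message parameters below are constructed samples.

```python
import base64
import hashlib
import hmac
from typing import Mapping, Optional


def compute_twilio_signature(auth_token: str, url: str, params: Mapping[str, str]) -> str:
    """Recompute the value Twilio sends in the X-Twilio-Signature header."""
    data = url + "".join(name + params[name] for name in sorted(params))
    digest = hmac.new(auth_token.encode("utf-8"), data.encode("utf-8"), hashlib.sha1).digest()
    return base64.b64encode(digest).decode("ascii")


def is_valid_twilio_request(auth_token: str, url: str, params: Mapping[str, str],
                            provided_signature: Optional[str]) -> bool:
    """True only if the header matches the recomputed signature.
    A missing header is a rejection, not a pass, and the comparison is constant-time."""
    if not provided_signature:
        return False
    expected = compute_twilio_signature(auth_token, url, params)
    return hmac.compare_digest(expected, provided_signature)


# Constructed sample webhook, not a real Twilio message or real credentials.
SAMPLE_AUTH_TOKEN = "constructed-auth-token-not-real"
SAMPLE_URL = "https://api.paws-alert.example/sms/inbound"
SAMPLE_PARAMS = {"From": "+14155550100", "To": "+14155550199", "Body": "JOIN AB23CD"}

if __name__ == "__main__":
    sig = compute_twilio_signature(SAMPLE_AUTH_TOKEN, SAMPLE_URL, SAMPLE_PARAMS)
    print(is_valid_twilio_request(SAMPLE_AUTH_TOKEN, SAMPLE_URL, SAMPLE_PARAMS, sig))  # True
```

In a real deployment the `twilio` package's `RequestValidator` implements this same computation. The operational pitfall is the URL: it must be the one Twilio actually requested, so behind a TLS-terminating proxy the app has to reconstruct the `https://` public URL (and any query string) rather than use what the internal socket saw, or every genuine message fails validation. Note also what the signature proves: that the request came from Twilio, not that the phone number in `From` is who it claims to be.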
⏱️ACTIVE
API Rate Limiting
Every endpoint enforces per-IP request caps — login at 5/min, alert sending at 10/min, all others at 60/min. Exceeding limits triggers a cooldown. This prevents spam, abuse, and denial-of-service attempts across the board.
Protects: All API endpoints · Prevents spam · Stops automated abuse
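The brute-force lockout card above (5 failures per IP, 5-minute lock, reset on success) and the rate-limiting card (login 5/min, alert sending 10/min, everything else 60/min) are two policies over the same per-IP bookkeeping, so one added example covers both. This is illustrative code, not the project's implementation; the endpoint names and the in-memory storage are assumptions, and the clock is injectable so the behaviour can be checked without waiting.

```python
import time
from collections import defaultdict, deque
from typing import Deque, Dict, Optional, Tuple

# Per-IP caps from the page: login 5/min, alert sending 10/min, everything else 60/min.
RATE_LIMITS = {"login": 5, "send_alert": 10}   # endpoint names are assumed labels
DEFAULT_LIMIT = 60
WINDOW_SECONDS = 60

# Lockout policy from the page: 5 failed logins from one IP -> locked for 5 minutes.
MAX_FAILED_LOGINS = 5
LOCKOUT_SECONDS = 5 * 60


class RateLimiter:
    """Sliding-window limiter keyed by (ip, endpoint)."""

    def __init__(self) -> None:
        self._hits: Dict[Tuple[str, str], Deque[float]] = defaultdict(deque)

    def allow(self, ip: str, endpoint: str, now: Optional[float] = None) -> bool:
        now = time.time() if now is None else now
        hits = self._hits[(ip, endpoint)]
        while hits and hits[0] <= now - WINDOW_SECONDS:
            hits.popleft()                      # forget hits older than the window
        if len(hits) >= RATE_LIMITS.get(endpoint, DEFAULT_LIMIT):
            return False                        # caller answers 429 and does no work
        hits.append(now)
        return True


class LoginLockout:
    """Counts failed logins per IP and locks the IP once the threshold is hit."""

    def __init__(self) -> None:
        self._failures: Dict[str, int] = {}
        self._locked_until: Dict[str, float] = {}

    def is_locked(self, ip: str, now: float) -> bool:
        until = self._locked_until.get(ip)
        if until is None:
            return False
        if now >= until:                        # lockout expired: start fresh
            del self._locked_until[ip]
            self._failures.pop(ip, None)
            return False
        return True

    def record_failure(self, ip: str, now: float) -> None:
        self._failures[ip] = self._failures.get(ip, 0) + 1
        if self._failures[ip] >= MAX_FAILED_LOGINS:
            self._locked_until[ip] = now + LOCKOUT_SECONDS

    def record_success(self, ip: str) -> None:
        self._failures.pop(ip, None)            # a successful login resets the counter
        self._locked_until.pop(ip, None)


def attempt_login(lockout: LoginLockout, ip: str, pin_ok: bool, now: float) -> str:
    """Outcome of one attempt: 'locked', 'ok' or 'failed'.
    `pin_ok` stands in for the bcrypt check, which should not even run while locked."""
    if lockout.is_locked(ip, now):
        return "locked"
    if pin_ok:
        lockout.record_success(ip)
        return "ok"
    lockout.record_failure(ip, now)
    return "failed"
```

Two deployment details decide whether this holds up: the state has to live in a store shared by every app instance (a per-process dict resets on restart and is invisible to sibling workers), and the IP must come from the socket or from a proxy header the deployment explicitly trusts, never from an arbitrary `X-Forwarded-For` value supplied by the client.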
🛡️ACTIVE
Hardened Security Response Headers
Every server response includes a full set of security headers — blocking clickjacking, MIME sniffing, cross-site scripting, and referrer data leakage. These headers enforce safe browser behavior on every request.
Protects: Against browser attacks · Clickjacking · XSS · Content sniffing
🌐ACTIVE
CORS Origin Allowlist
The API only accepts requests from explicitly allowlisted origins. Only app.paws-alert.com and local development are permitted. Browsers block every other website that attempts to call our API.
Protects: API from unauthorized websites · Cross-site request forgery
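The two cards above (response headers and the CORS allowlist) come down to one function that decorates every response, shown here as an added example rather than the project's middleware. The production origin is from the page; the local development origin, the specific header values and the preflight settings are assumptions.

```python
from typing import Dict, Optional

# Origins allowed to call the API. app.paws-alert.com is from the page; the local
# development origin (and its port 3000) is assumed.
ALLOWED_ORIGINS = frozenset({
    "https://app.paws-alert.com",
    "http://localhost:3000",
})

# Attached to every response. Values are assumed; the page names only the attacks
# they address.
SECURITY_HEADERS = {
    "X-Frame-Options": "DENY",                                                # clickjacking
    "X-Content-Type-Options": "nosniff",                                      # MIME sniffing
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",  # XSS, framing
    "Referrer-Policy": "strict-origin-when-cross-origin",                     # referrer leakage
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",       # keep on HTTPS
}


def is_allowed_origin(origin: Optional[str]) -> bool:
    """Exact string match only. A substring or prefix test such as
    `"paws-alert.com" in origin` would also admit app.paws-alert.com.evil.example."""
    return origin is not None and origin in ALLOWED_ORIGINS


def response_headers(request_origin: Optional[str], request_method: str = "GET") -> Dict[str, str]:
    """Headers for one response. CORS headers appear only for an allowlisted Origin;
    the allowed origin is echoed exactly, never '*' and never an unlisted value."""
    headers = dict(SECURITY_HEADERS)
    if is_allowed_origin(request_origin):
        headers["Access-Control-Allow-Origin"] = request_origin
        headers["Vary"] = "Origin"             # caches must not reuse this across origins
        if request_method == "OPTIONS":        # preflight for non-simple requests
            headers["Access-Control-Allow-Methods"] = "GET, POST, PUT, DELETE"
            headers["Access-Control-Allow-Headers"] = "Authorization, Content-Type"
            headers["Access-Control-Max-Age"] = "600"
    return headers
```

CORS is enforced by browsers only; a script or curl ignores it entirely. The allowlist therefore limits which web pages can read API responses, while the JWT requirement on every endpoint is what actually decides whether a request is served.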
📋ACTIVE
Complete Audit Trail
Every significant action is logged with a timestamp and IP address — logins, staff changes, alerts sent. This creates an immutable paper trail for investigating anomalies and demonstrating compliance at any time.
Protects: Accountability · Non-repudiation · Incident investigation
🔑ACTIVE
Time-Limited Enrollment Join Codes
Student enrollment requires a unique 6-character alphanumeric code that expires every 7 days. Codes are distributed only to registered staff via SMS — ensuring only students with direct instructor authorization can join a section.
Protects: Section integrity · Enrollment gating · Instructor-controlled access
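Issuing and redeeming a 6-character code with a 7-day lifetime, as an added example and not the project's enrollment code. The alphabet (upper-case letters and digits with 0/O/1/I removed), the in-memory store and the `JOIN <code>` body format are assumptions; the code length and expiry come from the page.

```python
import secrets
import time
from typing import Dict, Optional, Tuple

CODE_ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"  # assumed: drops 0/O/1/I to avoid SMS typos
CODE_LENGTH = 6
CODE_TTL_SECONDS = 7 * 24 * 60 * 60                # codes expire after 7 days, per the page


def generate_join_code() -> str:
    """Uniformly random code from the OS CSPRNG (never random.choice())."""
    return "".join(secrets.choice(CODE_ALPHABET) for _ in range(CODE_LENGTH))


def parse_join_body(body: str) -> Optional[str]:
    """Extract the code from an inbound 'JOIN <code>' SMS body; None if not a join."""
    parts = body.strip().upper().split()
    if len(parts) == 2 and parts[0] == "JOIN" and len(parts[1]) == CODE_LENGTH:
        return parts[1]
    return None


class JoinCodeStore:
    def __init__(self) -> None:
        self._codes: Dict[str, Tuple[str, float]] = {}   # code -> (section_id, expires_at)

    def issue(self, section_id: str, now: Optional[float] = None) -> str:
        """Mint a fresh code for one section; re-issuing is how weekly rotation happens."""
        now = time.time() if now is None else now
        code = generate_join_code()
        while code in self._codes:          # collisions are rare but must not overwrite
            code = generate_join_code()
        self._codes[code] = (section_id, now + CODE_TTL_SECONDS)
        return code

    def redeem(self, submitted: str, now: Optional[float] = None) -> Optional[str]:
        """Return the section id for a live code, or None for unknown or expired codes."""
        now = time.time() if now is None else now
        code = submitted.strip().upper()     # tolerate lower-case typing on a phone
        entry = self._codes.get(code)
        if entry is None:
            return None
        section_id, expires_at = entry
        if now >= expires_at:
            del self._codes[code]            # expired codes are purged, not extended
            return None
        return section_id
```

With 32 symbols there are about 1.07 billion possible codes, which only matters if the inbound JOIN path is covered by the same per-IP or per-sender rate limiting as the rest of the API; a code is also bound to exactly one section, so a leaked code grants nothing beyond that section.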
🧹ACTIVE
Input Sanitization & Validation
All incoming data — phone numbers, messages, names — is cleaned and validated before use. Phone numbers must match E.164 format exactly. Control characters are stripped and fields are length-capped, eliminating entire classes of injection attacks.
Protects: Database integrity · Blocks injection · Phone number enforcement
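The validation steps the card lists (strict E.164 phone numbers, control characters stripped, fields length-capped), as an added example rather than the project's own validators. The exact length caps are assumptions; the E.164 rule is the standard one (leading `+`, country code 1-9, at most 15 digits).

```python
import re
import unicodedata
from typing import Optional

# E.164: '+', a country code starting 1-9, at most 15 digits in total.
# [0-9] rather than \d so Unicode digits from other scripts are not accepted.
E164_RE = re.compile(r"\+[1-9][0-9]{1,14}")
_SEPARATORS_RE = re.compile(r"[\s\-().]")

# Length caps are assumptions; the page says fields are capped but not at what.
MAX_NAME_LENGTH = 80
MAX_MESSAGE_LENGTH = 320   # two GSM-7 SMS segments


def normalize_phone(raw: str) -> Optional[str]:
    """Strip common separators, then require an exact E.164 match.
    Anything else is rejected rather than guessed at, so no ambiguous number is stored."""
    candidate = _SEPARATORS_RE.sub("", raw.strip())
    return candidate if E164_RE.fullmatch(candidate) else None


def sanitize_text(value: str, max_length: int) -> str:
    """Drop every Unicode control/format character (C0/C1 controls, zero-width and
    bidi-override characters), collapse whitespace runs, and cap the length."""
    no_controls = "".join(ch for ch in value if not unicodedata.category(ch).startswith("C"))
    collapsed = " ".join(no_controls.split())
    return collapsed[:max_length]


def sanitize_name(value: str) -> str:
    return sanitize_text(value, MAX_NAME_LENGTH)


def sanitize_message(value: str) -> str:
    return sanitize_text(value, MAX_MESSAGE_LENGTH)
```

Stripping the `Cf` category as well as `Cc` is deliberate: zero-width and right-to-left override characters are invisible in a dashboard but can make an alert read differently on a handset. Input cleaning like this complements, and does not replace, parameterized queries at the database layer.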
🗄️ACTIVE
AES-256 Encryption at Rest
Student phone numbers and personal data are encrypted using AES-256 before being written to the database. Even with direct database access, an attacker sees encrypted ciphertext — never real phone numbers or personal information.
Protects: Student PII · Phone numbers · Data at rest
🔏ACTIVE
HTTPS & TLS 1.3 Everywhere
All traffic between users and our servers is encrypted using TLS 1.3. TLS certificates are auto-provisioned and auto-renewed by Let's Encrypt across all domains. There is no unencrypted path to any part of the system.
Protects: All data in transit · Login credentials · Auto-renewing certificates
📱
Student Phone Numbers
Collected on enrollment via SMS opt-in
→ AES-256 encrypted at rest · TLS in transit
🔑
Staff Credentials
PINs used for SMS and dashboard auth
→ bcrypt hashed · Never stored plain
📋
Alert Message Content
All messages sent through the system
→ TLS encrypted in transit · Audit logged
🎓
Enrollment Records
Section membership and opt-in status
→ Join code gated · STOP processed instantly
🌐
API Keys & Secrets
Twilio, JWT secret, database credentials
→ Env vars only · Never in code · 90-day rotation
📝
Consent Records
Proof of opt-in per enrolled student
→ Inbound JOIN stored · Timestamped · CTIA compliant