Enterprise-Grade Security
Production-ready security hardening across 5 critical risk areas. Comprehensive testing validates protection against unauthorized access, data leaks, XSS, webhook spoofing, and DoS attacks.
Last updated: November 15, 2025 | Applies to the current Impact Radar backend and dashboard
Security Review Disclosure
Internal engineering security review – not an independent third-party audit.
No critical issues identified during internal review; further external security testing is planned before GA.
Access Control
User data is designed to be strictly isolated. User A cannot access User B's alerts, portfolios, or watchlists. Admin-only endpoints return 403 to unauthorized users.
Secrets Management
Secrets are stored in environment variables; we avoid hard-coding API keys. All API keys, JWT secrets, and credentials are environment-based. We avoid logging sensitive fields and redact them in structured logs.
XSS Protection
We render event data as plain text and do not use raw HTML rendering. React's automatic escaping prevents script injection attacks.
Webhook Security
Stripe webhooks validate cryptographic signatures before processing. Fake payment events cannot change subscription plans or issue API keys.
DoS Protection
Rate limiting on all endpoints: 5 registrations/min, 10 logins/min. WebSocket connections capped at 5 per user. API limits based on plan tier.
Password Security
bcrypt hashing with cost factor 12 and per-user salts. Minimum 8 characters with uppercase, lowercase, number, and special character requirements.
Session Management
JWT-based authentication with HTTP-only cookies. 24-hour session expiry with automatic logout. CSRF protection via session secrets.
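The session scheme described above (an HS256 JWT with a 24-hour expiry, delivered in an HTTP-only cookie), as an added example written for this page rather than Impact Radar's own code. The signing secret, the cookie name `session` and the `SameSite=Lax` attribute are assumptions made here; a deployment would load the secret from the environment as the Secrets Management section describes.

```python
from __future__ import annotations

import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed placeholder: a real deployment reads this from an environment variable.
SECRET = b"example-only-signing-secret"
SESSION_TTL = 24 * 3600  # 24-hour session expiry from the page


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint_token(user_id: int, now: Optional[float] = None) -> str:
    """Issue a compact JWS (header.payload.signature) with iat/exp claims."""
    issued = int(now if now is not None else time.time())
    header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    claims = {"sub": str(user_id), "iat": issued, "exp": issued + SESSION_TTL}
    payload = _b64(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64(sig)}"


def verify_token(token: str, now: Optional[float] = None) -> Optional[dict]:
    """Return the claims if the token is well-formed, correctly signed and unexpired, else None."""
    now = now if now is not None else time.time()
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_unb64(header_b64))
        # Pin the algorithm server-side; the token header must never pick it (blocks alg=none).
        if not isinstance(header, dict) or header.get("alg") != "HS256":
            return None
        expected = hmac.new(SECRET, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64(sig_b64)):
            return None
        claims = json.loads(_unb64(payload_b64))
    except ValueError:  # covers bad base64, bad UTF-8 and bad JSON
        return None
    if not isinstance(claims, dict) or claims.get("exp", 0) <= now:
        return None  # expired: treated as logged out
    return claims


def session_cookie(token: str) -> str:
    """Set-Cookie value: HttpOnly keeps the JWT away from page scripts, Secure limits it to TLS."""
    return f"session={token}; Max-Age={SESSION_TTL}; Path=/; HttpOnly; Secure; SameSite=Lax"
```

`verify_token` takes an explicit `now` so expiry can be tested deterministically; the `SameSite=Lax` attribute is an extra CSRF layer alongside the session-secret check the page mentions, not a replacement for it.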
Data Sovereignty
Your data is yours. We never sell or share user data with third parties. GDPR and CCPA compliant data handling.
Security Practices
- User data designed to be strictly isolated - verified by 12 access control tests
- Secrets stored in environment variables - automated detection scans repository
- PII redacted from logs where possible (email, phone, API keys, tokens)
- Event data rendered as plain text to prevent XSS attacks
- Stripe webhook signatures validated before processing payments
- Rate limiting: 5 registrations/min, 10 logins/min, plan-based API limits
- WebSocket connections: max 5 per user with 500-message buffer
- Event data sourced from official SEC, FDA, and company filings
- TLS encryption for all data in transit
- SQLAlchemy parameterized queries prevent SQL injection
- Regular security audits with 47+ comprehensive security tests
Security Audit Results
Access Control
PASSED: User-scoped endpoints designed to enforce user_id isolation. Admin endpoints protected by require_admin dependency. No cross-user data leaks detected in testing.
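The two checks named in the Access Control sections above (queries scoped to the authenticated user's id, and a `require_admin` guard that yields 403), as an added example written for this page; it is not Impact Radar's code, and the in-memory alert store, the `User`/`Alert` types and the sample data are constructed for the demonstration. One design choice is labelled in the code: a request for another user's alert is answered with 404 rather than 403, so the endpoint never confirms that the other user's alert id exists.

```python
from __future__ import annotations

from dataclasses import dataclass


class HTTPError(Exception):
    """Stands in for the framework's HTTP exception; status is what the client would see."""

    def __init__(self, status: int, detail: str):
        super().__init__(detail)
        self.status = status


@dataclass(frozen=True)
class User:
    id: int
    is_admin: bool = False


@dataclass
class Alert:
    id: int
    user_id: int
    text: str


# Constructed sample data: two ordinary users with one alert each, plus an admin.
ALICE, BOB, ADMIN = User(1), User(2), User(99, is_admin=True)
ALERTS = {
    10: Alert(10, ALICE.id, "8-K filed"),
    20: Alert(20, BOB.id, "FDA decision posted"),
}


def list_alerts(user: User) -> list[Alert]:
    # Scope by the authenticated user's id; never by an id supplied in the request.
    return [a for a in ALERTS.values() if a.user_id == user.id]


def get_alert(user: User, alert_id: int) -> Alert:
    alert = ALERTS.get(alert_id)
    # Design choice for this example: "belongs to someone else" looks exactly like
    # "does not exist", so cross-user probing cannot enumerate valid alert ids.
    if alert is None or alert.user_id != user.id:
        raise HTTPError(404, "alert not found")
    return alert


def require_admin(user: User) -> User:
    """Dependency-style guard: non-admins get 403, as the page states for admin endpoints."""
    if not user.is_admin:
        raise HTTPError(403, "admin only")
    return user


def admin_list_all(user: User) -> list[Alert]:
    require_admin(user)
    return list(ALERTS.values())


def status_of(endpoint, *args) -> int:
    """Run an endpoint function and report the HTTP status it would produce."""
    try:
        endpoint(*args)
        return 200
    except HTTPError as err:
        return err.status
```

`status_of` is what a test suite like the "12 access control tests" would assert on: the same call made as User A, User B and an admin must yield 200, 404 and 403 respectively.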
Secrets Management
PASSED: No hardcoded secrets found in repository scan. Secrets loaded from environment variables. API keys masked in responses (only last 4 chars shown).
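The log-redaction and key-masking behaviour described in the Secrets Management sections above (e-mail, phone, API keys and tokens redacted from structured logs; API keys shown only by their last 4 characters), as an added example written for this page rather than Impact Radar's code. The `ir_live_`/`ir_test_` key prefix and the sample values are assumptions constructed for the demonstration.

```python
import io
import logging
import re


def mask_key(key: str, visible: int = 4) -> str:
    """Keep only the last `visible` characters of an API key, as the audit note describes."""
    if len(key) <= visible:
        return "*" * len(key)
    return "*" * (len(key) - visible) + key[-visible:]


# One rule per field class named on the page. Each replacement is a function so keys
# can be masked rather than dropped. The key prefix is an assumption for this example.
_RULES = [
    (re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"), lambda m: "[email]"),
    (re.compile(r"\+?\d[\d\s().-]{8,}\d"), lambda m: "[phone]"),
    (re.compile(r"\bBearer\s+[A-Za-z0-9._~+/=-]+"), lambda m: "Bearer [token]"),
    (re.compile(r"\bir_(?:live|test)_[A-Za-z0-9]+"), lambda m: mask_key(m.group(0))),
]


def redact(text: str) -> str:
    for pattern, repl in _RULES:
        text = pattern.sub(repl, text)
    return text


class RedactingFilter(logging.Filter):
    """Redacts both the message template and its arguments before any handler formats them."""

    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = redact(str(record.msg))
        if isinstance(record.args, tuple):
            record.args = tuple(redact(str(a)) for a in record.args)
        return True


# Constructed sample values; none belong to a real account.
SAMPLE_EMAIL, SAMPLE_PHONE = "alice@example.com", "+1 415 555 0100"
SAMPLE_KEY, SAMPLE_AUTH = "ir_live_ABCDEF1234", "Bearer eyJhbGci.xyz"


def demo_log_output() -> str:
    """Log one line containing every sensitive field and return what reached the handler."""
    stream = io.StringIO()
    logger = logging.getLogger("impact_radar.redaction_demo")
    logger.handlers.clear()
    logger.filters.clear()
    logger.propagate = False
    logger.setLevel(logging.INFO)
    handler = logging.StreamHandler(stream)
    handler.setFormatter(logging.Formatter("%(message)s"))
    logger.addHandler(handler)
    logger.addFilter(RedactingFilter())
    logger.info("user %s (tel %s) created key %s with header %s",
                SAMPLE_EMAIL, SAMPLE_PHONE, SAMPLE_KEY, SAMPLE_AUTH)
    return stream.getvalue().strip()
```

Attaching the filter to the logger (not the handler) means every handler, including any remote shipper added later, sees only the redacted record; the regexes are deliberately broad, since a false positive costs a little log detail while a miss leaks a credential.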
XSS Protection
PASSED: No instances of dangerouslySetInnerHTML found. React auto-escaping enforced. Malicious payloads rendered as plain text in testing.
Webhook Security
PASSED: Stripe webhooks validate signatures before processing. Invalid signatures rejected with 400 error. Alert dispatch rate-limited to prevent spam.
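The webhook check described in the Webhook Security sections above (verify the Stripe signature before acting on the event; reject invalid signatures with 400), as an added example written for this page rather than Impact Radar's code. It follows Stripe's documented scheme: the `Stripe-Signature` header carries `t=<timestamp>,v1=<hex>`, and `v1` is HMAC-SHA256 over `"<timestamp>.<raw body>"` with the endpoint's signing secret. The secret value, the sample event and the `sign_header` helper (which plays Stripe's side for testing) are constructed for the demonstration.

```python
from __future__ import annotations

import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed placeholder; the real whsec_ value is loaded from the environment.
ENDPOINT_SECRET = b"whsec_example_only"
TOLERANCE = 300  # seconds; Stripe's default window for rejecting replayed events

# Constructed sample event body. Verification must use the raw request bytes exactly
# as received: re-serialising the parsed JSON would change whitespace and break the HMAC.
SAMPLE_EVENT = json.dumps(
    {"id": "evt_example_1", "type": "customer.subscription.updated"}
).encode()


def parse_signature_header(header: str) -> tuple[Optional[int], list[str]]:
    timestamp, sigs = None, []
    for part in header.split(","):
        key, _, value = part.strip().partition("=")
        if key == "t" and value.isdigit():
            timestamp = int(value)
        elif key == "v1" and value:
            sigs.append(value)
    return timestamp, sigs


def compute_signature(timestamp: int, payload: bytes) -> str:
    signed_payload = str(timestamp).encode() + b"." + payload
    return hmac.new(ENDPOINT_SECRET, signed_payload, hashlib.sha256).hexdigest()


def sign_header(timestamp: int, payload: bytes) -> str:
    """Test-side helper that builds the header Stripe would send for this payload."""
    return f"t={timestamp},v1={compute_signature(timestamp, payload)}"


def verify_webhook(payload: bytes, header: str, now: Optional[float] = None) -> Optional[dict]:
    """Return the parsed event only if a v1 signature matches and the timestamp is fresh."""
    now = now if now is not None else time.time()
    timestamp, sigs = parse_signature_header(header)
    if timestamp is None or not sigs:
        return None
    expected = compute_signature(timestamp, payload).encode()
    # Constant-time comparison against every v1 value (Stripe sends several during key rotation).
    if not any(hmac.compare_digest(expected, s.encode()) for s in sigs):
        return None
    if abs(now - timestamp) > TOLERANCE:
        return None  # valid signature but stale: a captured event being replayed
    return json.loads(payload)


def handle_webhook(payload: bytes, header: str, now: Optional[float] = None) -> tuple[int, str]:
    """Endpoint behaviour: 400 on any verification failure, otherwise act on the event type."""
    event = verify_webhook(payload, header, now)
    if event is None:
        return 400, "invalid signature"
    # Only here is it safe to touch subscription plans or issue API keys for event["type"].
    return 200, event["type"]
```

The timestamp check matters as much as the HMAC: without it, a genuine event captured once could be resubmitted indefinitely, which is why the page's "fake payment events cannot change subscription plans" claim depends on both.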
DoS Protection
PASSED: Comprehensive rate limits on all endpoints. Login: 10 attempts/min, Register: 5/min. Monthly API quotas: Pro (10k/month), Team (100k/month). WebSocket: max 5 connections per user.
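The limits quoted in the DoS Protection sections above (5 registrations/min, 10 logins/min, at most 5 WebSocket connections per user), as an added example written for this page rather than Impact Radar's code. It uses a per-client sliding window with an injectable clock so the behaviour is deterministic; keying on the client address, the `Retry-After` computation and the in-memory store are assumptions made here (a multi-process deployment would keep the counters in shared storage such as Redis).

```python
from __future__ import annotations

import time
from collections import defaultdict, deque
from typing import Optional

# Figures from the page: (max requests, window in seconds).
RATE_LIMITS = {"register": (5, 60), "login": (10, 60)}
MAX_WS_PER_USER = 5


class SlidingWindowLimiter:
    """Allows at most `limit` hits per (endpoint, client) in any trailing `window` seconds."""

    def __init__(self, limits: dict[str, tuple[int, int]] = RATE_LIMITS):
        self.limits = limits
        self.hits: dict[tuple[str, str], deque] = defaultdict(deque)

    def allow(self, endpoint: str, client: str, now: Optional[float] = None) -> bool:
        now = now if now is not None else time.time()
        limit, window = self.limits[endpoint]
        window_hits = self.hits[(endpoint, client)]
        # Drop timestamps that have aged out of the window, oldest first.
        while window_hits and window_hits[0] <= now - window:
            window_hits.popleft()
        if len(window_hits) >= limit:
            return False  # caller answers 429; rejected attempts are not recorded
        window_hits.append(now)
        return True

    def retry_after(self, endpoint: str, client: str, now: Optional[float] = None) -> int:
        """Seconds until the oldest hit leaves the window, suitable for a Retry-After header."""
        now = now if now is not None else time.time()
        _, window = self.limits[endpoint]
        window_hits = self.hits[(endpoint, client)]
        return max(0, int(window_hits[0] + window - now)) if window_hits else 0


class WebSocketGate:
    """Caps concurrent WebSocket connections per authenticated user."""

    def __init__(self, max_per_user: int = MAX_WS_PER_USER):
        self.max_per_user = max_per_user
        self.open: dict[int, int] = defaultdict(int)

    def connect(self, user_id: int) -> bool:
        if self.open[user_id] >= self.max_per_user:
            return False  # refuse the upgrade; existing connections are unaffected
        self.open[user_id] += 1
        return True

    def disconnect(self, user_id: int) -> None:
        # Must run from the close handler, or a reconnecting client locks itself out.
        if self.open[user_id] > 0:
            self.open[user_id] -= 1
```

A sliding window avoids the burst at the boundary of a fixed window (10 logins at 0:59 and 10 more at 1:00), which is why the limiter stores timestamps rather than a single counter.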
OWASP Top 10 Compliance
Impact Radar addresses key OWASP Top 10 security risks with documented evidence and comprehensive test coverage:
Important Disclaimer
Impact Radar provides informational data only. This is not investment advice. No performance guarantees. Always verify with original filings and consult licensed financial advisors.
Last security audit: November 2025 | Next review: February 2026