Security
John Williams edited this page Mar 18, 2026 · 1 revision
Creative Asset Validator implements multiple security layers for enterprise deployment.

| Method | Implementation |
|---|---|
| Google SSO | Google Identity Services (GSI) with JWT validation |
| Session Management | AES-256-GCM encrypted sessions with PBKDF2 key derivation |
| Domain Enforcement | Configurable corporate domain requirements |
| Device Binding | Sessions tied to browser fingerprints |
| Session Timeout | 60-minute configurable timeout |

| Layer | Algorithm | Details |
|---|---|---|
| Session Encryption | AES-256-GCM | PBKDF2 with 100k iterations for key derivation |
| Anti-Tampering | HMAC-SHA256 | Signature verification on session data |
| API Key Storage | Encrypted localStorage | User credentials encrypted at rest |

| Role | Capabilities |
|---|---|
| Super Admin | All features, user management, shared keys, system settings |
| Domain Admin | Manage users within their domain |
| Editor | Upload, validate, resize, analyze, CRM write |
| Viewer | View assets, read-only CRM access |

- User-specific encrypted storage (IndexedDB + localStorage)
- Cross-tab sync via `storage` events only
- No cross-user data leakage in shared environments
- 360-day audit trail
- Tracks: uploads, deletions, shares, API key changes, login/logout
- Exportable for compliance reporting

The `security-production.js` module enforces:

- HTTPS requirement
- Origin allowlist
- Console lockdown (prevents data scraping)
- DevTools detection
- Right-click / view-source disabled
- Auth gate before any app content renders

See the master plan (`_docs/MASTER-PLAN.md`) for a full security audit and remediation plan.

Key items:

- Credentials should be loaded from environment variables, not hardcoded
- API key encryption should use AES, not XOR
- CSP should be strengthened (remove `unsafe-inline`/`unsafe-eval`)
- Production config files should not be committed to source control
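
One way to meet the "AES, not XOR" item for API key storage, reusing the AES-256-GCM and PBKDF2 (100k iterations) parameters this page lists for sessions. This is an added example, not the project's own code: `sealApiKey`, `openApiKey`, the record layout, and binding the user ID as additional authenticated data are assumptions.

```javascript
// Added example: function names, record layout and userId binding are hypothetical.
// Web Crypto is global in browsers and recent Node; fall back for older Node.
const wc = globalThis.crypto ?? require("node:crypto").webcrypto;
const enc = new TextEncoder();
const dec = new TextDecoder();
const PBKDF2_ITERATIONS = 100_000; // iteration count stated on this page

// Derive a non-extractable AES-256-GCM key from a passphrase and a per-record salt.
async function deriveKey(passphrase, salt) {
  const material = await wc.subtle.importKey(
    "raw", enc.encode(passphrase), "PBKDF2", false, ["deriveKey"]);
  return wc.subtle.deriveKey(
    { name: "PBKDF2", hash: "SHA-256", salt, iterations: PBKDF2_ITERATIONS },
    material, { name: "AES-GCM", length: 256 }, false, ["encrypt", "decrypt"]);
}

// Encrypt an API key. The user ID is bound as additional authenticated data,
// so a record copied into another user's storage fails to decrypt.
async function sealApiKey(passphrase, userId, apiKey) {
  const salt = wc.getRandomValues(new Uint8Array(16));
  const iv = wc.getRandomValues(new Uint8Array(12)); // fresh 96-bit nonce per record
  const key = await deriveKey(passphrase, salt);
  const ct = new Uint8Array(await wc.subtle.encrypt(
    { name: "AES-GCM", iv, additionalData: enc.encode(userId) },
    key, enc.encode(apiKey)));
  // Record layout: salt (16) || iv (12) || ciphertext + 16-byte GCM tag
  const record = new Uint8Array(28 + ct.length);
  record.set(salt, 0);
  record.set(iv, 16);
  record.set(ct, 28);
  return record;
}

// Decrypt a record. The promise rejects if the record was modified, or if the
// user ID or passphrase differs from the one used to seal it.
async function openApiKey(passphrase, userId, record) {
  const salt = record.slice(0, 16);
  const iv = record.slice(16, 28);
  const ct = record.slice(28);
  const key = await deriveKey(passphrase, salt);
  const pt = await wc.subtle.decrypt(
    { name: "AES-GCM", iv, additionalData: enc.encode(userId) }, key, ct);
  return dec.decode(pt);
}
```

Unlike XOR with a fixed key, the GCM tag makes any modification of the stored record fail on decrypt rather than yield altered plaintext.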