Pen-test scaffold
OWASP ASVS L2 + safety mapping
A live checklist of what the next pen-test engagement (and our internal red team) should cover. Each row links to the spec under sql/ or src/lib/security.
Authentication
- Brute-force protection on email/password sign-in (Cloudflare Turnstile + rate limit)
- Session fixation: rotate Supabase tokens on privilege change
- Passkey enrolment + recovery flows (WebAuthn)
- MFA enforcement on payouts + automation publishing
Authorisation
- Every API route asserts that auth.uid() matches the profile_id it is acting on
- Every public table has RLS enabled, with its policies tested via pgTAP
- Cross-tenant data leak tests: insert as user A, attempt read/update/delete as B
- Storage buckets default-private; signed URLs only for owner
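As an added example (not one of the repo's own sql/ specs), a pgTAP test for the cross-tenant row above, assuming a hypothetical public.posts table with columns id uuid, profile_id uuid and body text, RLS enabled, and owner-only policies comparing auth.uid() to profile_id; the two user ids are constructed, and the runner is assumed to connect as a role that bypasses RLS (e.g. postgres).

```sql
-- Constructed pgTAP test for tenant isolation on a hypothetical public.posts table
-- (id uuid, profile_id uuid, body text; RLS on; owner-only policies on auth.uid() = profile_id).
-- Assumes pg_prove connects as a role that bypasses RLS (e.g. postgres), as in Supabase CI.
begin;
select plan(6);

-- Act as constructed user A: Supabase's auth.uid() reads request.jwt.claims ->> 'sub'.
set local role authenticated;
select set_config('request.jwt.claims',
  '{"sub":"11111111-1111-1111-1111-111111111111","role":"authenticated"}', true);

-- 1. A can insert a row it owns.
select lives_ok($$
  insert into public.posts (id, profile_id, body)
  values ('aaaaaaaa-0000-0000-0000-000000000001',
          '11111111-1111-1111-1111-111111111111', 'owned by A') $$,
  'user A inserts own row');

-- Switch to constructed user B in the same transaction.
select set_config('request.jwt.claims',
  '{"sub":"22222222-2222-2222-2222-222222222222","role":"authenticated"}', true);

-- 2. B cannot read A's row: RLS filters it out rather than raising.
select is_empty($$
  select id from public.posts where id = 'aaaaaaaa-0000-0000-0000-000000000001' $$,
  'user B cannot select A row');

-- 3/4. B's update and delete succeed as statements but must touch zero rows.
select lives_ok($$ update public.posts set body = 'tampered'
                   where id = 'aaaaaaaa-0000-0000-0000-000000000001' $$, 'B update is a no-op');
select lives_ok($$ delete from public.posts
                   where id = 'aaaaaaaa-0000-0000-0000-000000000001' $$, 'B delete is a no-op');

-- 5. B cannot insert a row that claims A's profile_id (WITH CHECK on the insert policy).
select throws_ok($$
  insert into public.posts (id, profile_id, body)
  values ('aaaaaaaa-0000-0000-0000-000000000002',
          '11111111-1111-1111-1111-111111111111', 'spoofed owner') $$,
  '42501', 'new row violates row-level security policy for table "posts"',
  'user B cannot insert as A');

-- 6. Back as the RLS-bypassing test role: A's row must be exactly as A wrote it.
reset role;
select is((select body from public.posts
           where id = 'aaaaaaaa-0000-0000-0000-000000000001'),
          'owned by A', 'A row untouched after B tampering attempts');

select * from finish();
rollback;
```

Run it with pg_prove against a migrated database; the final rollback leaves no trace of the constructed rows.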
Input handling
- All free-text passes through moderation/check + sanitiser
- File uploads: mime + magic byte check + ClamAV scan (paid)
- URL inputs validated as https-only and checked against the embed allowlist
- Mini-app SDK methods reject unknown methods + enforce capability map
Crypto + secrets
- No service-role key in client bundle (CI grep test)
- All secrets pulled from env or Doppler at boot, never logged
- E2EE messaging: Signal-style key bundles, verify SAS codes
- VAPID key + Inworld key rotated quarterly
Abuse + safety
- CSAM hash-match (PhotoDNA) on every image upload (paid)
- Crisis keyword detector triggers panic surface, never blocks user
- Harassment classifier with shadowban + jury appeal
- Trust tier gates the rate of new content + DMs