
v0.3.0 — Security audit and dashboard improvements

A comprehensive codebase security audit covering 23 issues has been completed, with all findings remediated. The dashboard gains error trend visualisation, tooltips have been added across all four portals, and a threshold-based alerting system has been introduced.

Security

A formal security audit identified 23 issues across the codebase. All findings have been resolved:

  • Hardcoded secrets removed — API keys and tokens that had been committed to the codebase replaced with environment variable references.
  • Cryptographic randomness — uses of Math.random() for security-sensitive operations replaced with crypto.getRandomValues(), the cryptographically secure browser API.
  • SVG sanitisation — user-uploaded SVG files are now sanitised before rendering to prevent XSS via SVG content.
  • Text sanitisation — user-supplied text rendered in the UI is sanitised to prevent cross-site scripting across all portal surfaces.
  • Environment validation — required environment variables are validated at startup. The application refuses to start if a required variable is missing or malformed, surfacing misconfiguration before it causes a runtime error.
  • Type safety — unsafe type assertions replaced with proper type guards throughout.
  • No localhost fallbacks in production — hardcoded localhost fallback URLs in environment detection removed. Production configuration is explicit.
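
The environment-validation and no-localhost-fallback items above can be enforced by a single startup check. The following is an added example, not the project's own code; the variable names (NODE_ENV, API_BASE_URL, API_TOKEN) and the validation rules are assumptions chosen for illustration.

```javascript
// Added example: variable names and rules are hypothetical, not the project's own.
const LOCAL_HOSTS = new Set(["localhost", "127.0.0.1", "[::1]", "0.0.0.0"]);

// Each required variable maps to a validator that returns an error string or null.
const REQUIRED = {
  NODE_ENV: (v) =>
    ["development", "test", "production"].includes(v)
      ? null
      : "must be development, test or production",
  API_BASE_URL: (v, env) => {
    let url;
    try { url = new URL(v); } catch { return "is not a valid URL"; }
    if (env.NODE_ENV === "production") {
      if (url.protocol !== "https:") return "must use https in production";
      if (LOCAL_HOSTS.has(url.hostname)) return "must not point at localhost in production";
    }
    return null;
  },
  API_TOKEN: (v) => (v.length >= 32 ? null : "must be at least 32 characters"),
};

// Validates every required variable and reports all problems at once.
// There are no defaults: a missing value is an error, never a fallback URL.
function validateEnv(env) {
  const errors = [];
  const config = {};
  for (const [name, check] of Object.entries(REQUIRED)) {
    const value = env[name];
    if (typeof value !== "string" || value.trim() === "") {
      errors.push(`${name} is missing`);
      continue;
    }
    const problem = check(value.trim(), env);
    // Report the variable name only; the value may be a secret.
    if (problem) errors.push(`${name} ${problem}`);
    else config[name] = value.trim();
  }
  if (errors.length > 0) {
    throw new Error(`Invalid environment: ${errors.join("; ")}`);
  }
  return Object.freeze(config);
}
```

Calling validateEnv(process.env) as the first statement of the entry point makes the process exit on the thrown error before any request is served.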

Added

  • Error trend sparkline — the dashboard now shows a seven-day error trend sparkline alongside the error count metric. Operators and administrators can see at a glance whether errors are rising, falling, or stable.

  • Error severity classification — errors captured by the platform are classified as critical, high, medium, or low severity based on their type and source. High and critical errors trigger email alerts.

  • Threshold-based alerting — operators can configure alert thresholds on key metrics (error rates, certificate expiry proximity, supplier response rates). Alerts are delivered via the platform notification system and email.

  • Row-level security expanded — database-level access controls applied to seven additional tables, ensuring that cross-company data access is blocked at the database layer.

  • Tooltips across all portals — over 100 contextual help tooltips added across the Company, Supplier, Verifier, and public portals. Tooltips explain field requirements, regulatory references, and workflow steps in plain language.

  • Cron-based alert evaluation — the alerting system evaluates thresholds on a scheduled basis and creates alert records automatically when a threshold is breached.

  • Coming Soon pages — features planned for future releases (Phase 2) now show informative Coming Soon pages with regulatory context explaining why the feature is planned, rather than blank routes.