Security Checklist

  • BETTER_AUTH_SECRET is at least 32 random characters
  • ADMIN_TOKEN is at least 16 random characters
  • HTTPS is enforced for all public endpoints
  • SAAS_TRUSTED_ORIGINS lists only known SaaS frontend domains
  • Admin API is not exposed to the public internet (firewall or VPN)
  • Each SaaS backend verifies the JWT aud claim against its own audience
  • SaaS backends fetch JWKS on startup and cache it (keys rotate infrequently)
  • RS256 is used (not HS256), so SaaS backends verify with the public key only and no signing secret is ever shared with them
  • Token expiry is set per application via auth policy (default: 7 days)
  • PKCE is enforced for native/public clients
  • Confidential clients require client_secret for token exchange
  • Authorization codes are single-use and short-lived
  • Redirect URIs are validated against the registered whitelist
  • Inbound webhook signatures are verified (LS HMAC, Apple JWS)
  • Outbound webhooks are signed with per-application secrets
  • Webhook processing is idempotent (event IDs are deduplicated)
  • Passwords are hashed with bcrypt (handled by Better Auth)
  • Client secrets are hashed with SHA-256 before storage
  • API keys are hashed with SHA-256 before storage
  • Database backups are encrypted at rest
  • Rate limiting is configured on login endpoints to prevent brute force
  • API key usage is rate-limited per application
  • Structured logging is enabled (Pino)
  • Failed login attempts are logged
  • Webhook processing failures are logged and retried