Security
Security that matches the product.
FixTray ships practical, verifiable safeguards in the codebase today: authentication, authorization, CSRF protection, rate limiting, and input validation.
Role-based access
API endpoints enforce roles with requireAuth and requireRole.
JWT authentication
Access tokens are verified on protected routes.
Password hashing
User passwords are hashed with bcrypt.
CSRF protection
State-changing requests use CSRF tokens and double-submit validation.
Rate limiting
Auth and API routes apply request throttling.
Input validation
Requests are validated and sanitized before persistence.
Audit logging
Admin activity logs are recorded and retrievable via API.