# Security Policy — DPP Bangladesh

## Reporting a vulnerability

Please report security issues to: **security@dppbangladesh.com**

Do NOT open a public GitHub issue. We aim to acknowledge reports within 48 hours and to resolve critical issues within 7 days.

PGP key: (publish at https://dppbangladesh.com/.well-known/pgp-key.txt)

## Scope

In scope:

- All `*.dppbangladesh.com` domains
- The Cloudflare Worker(s) under `*.workers.dev` belonging to this project
- Public DPP view pages

Out of scope:

- Third-party services (Cloudflare, Stripe, bKash, Telegram) — report directly to them
- Social-engineering against staff or factory users
- Physical attacks
- Denial of service from a single IP

## Hardening checklist (developer ref)

| Area | Requirement |
|---|---|
| Authentication | JWT (15 min access + 30 day refresh), Argon2id password hash, mandatory 2FA for admin |
| Sessions | HttpOnly + Secure + SameSite=Strict cookies for refresh; ID rotation on privilege change |
| Authorization | Role-checked on every endpoint; never trust `factoryId` from client |
| Transport | TLS 1.3 only; HSTS with preload; HTTP→HTTPS redirect at edge |
| Headers | CSP, X-Content-Type-Options, X-Frame-Options=DENY, Referrer-Policy, Permissions-Policy |
| Input | All user input validated server-side with Zod/Yup schema; HTML-escaped before any HTML interpolation |
| Output | Public DPP renders user-supplied data only via `textContent` or DOMPurify-sanitized HTML |
| Secrets | `wrangler secret put`; never in code, never in `.env` committed to VCS |
| Rate limit | 60 req/min/IP global; 5/15min on auth endpoints |
| File upload | MIME sniff + extension allowlist + ClamAV scan; randomized R2 key |
| Audit | Every write logged with user, IP, UA, action, before/after diff |
| Backups | D1 daily snapshot to R2; 30-day retention; tested quarterly |
| Dependencies | `npm audit` in CI; renovate-bot weekly; Snyk on PR |
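Worked example of the Sessions, Authorization and Headers rows above, added here for developer reference; it is not code from the project. It assumes the access token has already been verified and that its payload carries `sub`, `role` and `factoryId`; the role names, permission strings and route shape are illustrative, not the project's actual schema.

```javascript
// Added example (not project code): enforce the Sessions, Authorization and
// Headers rows of the checklist in a Worker-style handler.
// Assumptions: the access token has already been verified and its payload
// (`claims`) carries `sub`, `role` and `factoryId`; role names, permission
// strings and the route shape are illustrative, not the project's schema.

const ROLE_PERMISSIONS = {
  admin: new Set(['dpp:read', 'dpp:write', 'factory:manage']),
  factory: new Set(['dpp:read', 'dpp:write']),
  viewer: new Set(['dpp:read']),
};

// Decide from the token alone. The route's factoryId is compared against the
// token; a factoryId in the request body is never consulted.
function authorize(claims, permission, targetFactoryId) {
  const allowed = ROLE_PERMISSIONS[claims?.role];
  if (!allowed || !allowed.has(permission)) {
    return { ok: false, status: 403, reason: 'role' };
  }
  if (claims.role !== 'admin' && targetFactoryId !== claims.factoryId) {
    return { ok: false, status: 403, reason: 'factory' };
  }
  return { ok: true };
}

// Simulated handler for PUT /api/factories/:factoryId/dpp/:dppId (route assumed).
function handleDppWrite(claims, params, body) {
  if (!claims) return { status: 401 };
  const decision = authorize(claims, 'dpp:write', params.factoryId);
  if (!decision.ok) return { status: decision.status, reason: decision.reason };
  // Build the record from the route and the token; body.factoryId is dropped
  // even if present, so a spoofed value cannot move a DPP to another factory.
  const record = {
    dppId: params.dppId,
    factoryId: params.factoryId,
    name: String(body?.name ?? ''),
    updatedBy: claims.sub,
  };
  return { status: 200, record, headers: securityHeaders() };
}

// Headers row: the set applied to every response at the edge.
function securityHeaders() {
  return {
    'Content-Security-Policy':
      "default-src 'self'; frame-ancestors 'none'; object-src 'none'; base-uri 'self'",
    'Strict-Transport-Security': 'max-age=63072000; includeSubDomains; preload',
    'X-Content-Type-Options': 'nosniff',
    'X-Frame-Options': 'DENY',
    'Referrer-Policy': 'strict-origin-when-cross-origin',
    'Permissions-Policy': 'camera=(), microphone=(), geolocation=()',
  };
}

// Sessions row: refresh-token cookie. The __Host- prefix makes the browser
// require Secure, Path=/ and no Domain attribute, so a subdomain cannot plant
// or overwrite it. The token is validated as URL-safe before being placed in
// a header, which rules out injection of extra cookie attributes.
function refreshCookie(token, maxAgeSec = 30 * 24 * 3600) {
  if (!/^[A-Za-z0-9._~-]+$/.test(token)) {
    throw new Error('refresh token must be URL-safe');
  }
  return `__Host-refresh=${token}; Path=/; Max-Age=${maxAgeSec}; HttpOnly; Secure; SameSite=Strict`;
}
```

The only way a factory user reaches another factory's data is by changing the token, which is signed; the body and query string carry no authority. Admins are the one role that spans factories, so the audit row (user, IP, action, diff) matters most for them.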

## Critical security debt (pending)

1. Replace the demo auto-login fallback in `shared/utils.js` with real `/api/auth/*` integration before any public deploy
2. Move feature flags from `localStorage` (currently spoofable) to server-authoritative `/api/me/features`
3. Deliver the CSP in the `Content-Security-Policy` response header instead of a `<meta>` tag (a meta CSP is best-effort only: it cannot carry `frame-ancestors` or `report-uri`, and anything loaded before the tag is parsed is not covered)
4. Add Cloudflare Rate Limiting rules + bind KV `RATE_LIMIT` namespace to `telegram-worker`
5. Generate the factory `HMAC_SECRET`, store it on the worker as a secret (`wrangler secret put`), and sign outbound notifications in `shared/notify.js`
6. Schedule pen-test with HackerOne / Synack / Cobalt before any GA launch

## Compliance commitments

- ESPR Regulation (EU) 2024/1781 — Article 10 (DPP), Article 12 (data accuracy)
- GDPR — DPO appointed, RoPA maintained, breach notification to the supervisory authority within 72 hours of becoming aware (Art. 33), DPIA before each new processing activity
- ISO 27001 — controls aligned (full certification roadmap is a separate document)
- Bangladesh DPDPA 2023 — local data subject rights honoured

## Disclosure policy

Coordinated disclosure. If you have received no response from us within 7 days of your report, you may disclose publicly. We credit researchers in our hall of fame on request.
