SmartPRO Docs

Authentication & sessions

Multi-factor authentication (MFA)

Access control (RBAC) & tenant isolation

Audit logging

Abuse & rate-limiting

Endpoint-specific rate limits protect against brute-force and abuse, including tighter limits on authentication routes and signature-verified limits on inbound webhooks (payments, messaging).

Encryption

Layer | Status
In transit | Enforced. HTTPS with HSTS (1-year, includeSubDomains, preload); insecure requests upgraded.
Secrets at rest (MFA secrets, third-party OAuth tokens) | Enforced. AES-256-GCM.
Employee PII at rest (salary, IBAN, civil ID, passport) | Infrastructure-level. Not field-encrypted in the application today; protected by access control and read-time redaction, and by database/host encryption at the hosting layer. Application-level field encryption for the most sensitive fields is a recommended roadmap item.

Do not claim field-level encryption of salary/IBAN/civil-ID in a customer or DPA context — it is not implemented in the application. State only transport encryption + access controls, and confirm database-at-rest encryption with your hosting provider.

Application security headers

Enforced in production: a strict Content-Security-Policy (no unsafe-eval, tight frame-src allow-list), X-Frame-Options: DENY (clickjacking protection), X-Content-Type-Options: nosniff, and Referrer-Policy: strict-origin-when-cross-origin. CORS is restricted to configured origins.
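A check for the header policy described above, as an added example (not SmartPRO's own code): it audits a response's headers against the HSTS, CSP, X-Frame-Options, nosniff and Referrer-Policy requirements listed on this page and returns a list of deviations, so it can run in a deploy smoke test. The two header sets at the bottom are constructed samples, not captured from SmartPRO.

```python
import re

ONE_YEAR = 31536000  # seconds; the page requires a 1-year HSTS max-age


def check_security_headers(headers):
    """Return a list of findings; an empty list means the policy is met.
    `headers` maps header name -> value; names are matched case-insensitively."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []

    # HSTS: max-age >= 1 year, includeSubDomains, preload
    hsts = h.get("strict-transport-security", "")
    m = re.search(r"max-age=(\d+)", hsts, re.IGNORECASE)
    if not m or int(m.group(1)) < ONE_YEAR:
        findings.append("HSTS missing or max-age below one year")
    if "includesubdomains" not in hsts.lower():
        findings.append("HSTS lacks includeSubDomains")
    if "preload" not in hsts.lower():
        findings.append("HSTS lacks preload")

    # CSP: no 'unsafe-eval' anywhere, frame-src must be an allow-list (no wildcard)
    csp = h.get("content-security-policy")
    if csp is None:
        findings.append("CSP missing")
    else:
        directives = {}
        for part in csp.split(";"):
            tokens = part.split()
            if tokens:
                directives[tokens[0].lower()] = [t.lower() for t in tokens[1:]]
        for name, values in directives.items():
            if "'unsafe-eval'" in values:
                findings.append(f"CSP allows 'unsafe-eval' in {name}")
        if "*" in directives.get("frame-src", []):
            findings.append("CSP frame-src is a wildcard, not an allow-list")

    # Remaining fixed-value headers
    if h.get("x-frame-options", "").upper() != "DENY":
        findings.append("X-Frame-Options is not DENY")
    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options is not nosniff")
    if h.get("referrer-policy", "").lower() != "strict-origin-when-cross-origin":
        findings.append("Referrer-Policy is not strict-origin-when-cross-origin")
    return findings


# Constructed samples: one response meeting the policy, one with common weakenings.
GOOD_HEADERS = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload",
    "Content-Security-Policy": "default-src 'self'; script-src 'self'; frame-src 'self' https://pay.example.test",
    "X-Frame-Options": "DENY",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
}
WEAK_HEADERS = {
    "Strict-Transport-Security": "max-age=86400",
    "Content-Security-Policy": "default-src 'self'; script-src 'self' 'unsafe-eval'; frame-src *",
    "X-Frame-Options": "SAMEORIGIN",
    "Referrer-Policy": "no-referrer-when-downgrade",
}
```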

Secrets management

All secrets are supplied via environment variables (no hardcoded credentials). Production startup fails closed if critical secrets (database URL, signing key, encryption keys) are missing.

Responsible disclosure

Found a vulnerability? Email security@thesmartpro.io with details and reproduction steps. Please do not publicly disclose until we've had a reasonable window to remediate. (Confirm this mailbox is monitored before publishing.)