Security Overview

HackPortal uses standard production patterns for auth and request safety.

  • Authentication — JWT in httpOnly cookies; register, login, logout, and /auth/me for session.
  • Authorization — Role-based access (RBAC) with permissions; hierarchical roles (dev > admin > staff).
  • CSRF — Token-based protection for state-changing requests; cookie domain handled for single-label hostnames.
  • CORS — CORS_ORIGIN must match the frontend URL exactly.
  • Rate limiting — Applied on API endpoints.
  • Security headers — Helmet.js (e.g. X-Frame-Options, HSTS in production).

Secrets (JWT, CSRF, DB) live in env files only; .env.prod is gitignored.
Related: Authentication, CSRF and CORS, Secrets and env