This document provides a quick reference for security features and best practices in Curriculum Curator.

• ✅ PBKDF2 password hashing (100k iterations)
• ✅ Secure session management
• ✅ Domain-restricted registration
• ✅ Email verification required
• ✅ Admin role separation

• ✅ Rate limiting (login & password reset)
• ✅ CSRF protection on all forms
• ✅ SQL injection prevention (parameterized queries)
• ✅ XSS protection via security headers
• ✅ Session fixation prevention

X-Frame-Options: DENY
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Content-Security-Policy: default-src 'self'...
Referrer-Policy: strict-origin-when-cross-origin
Permissions-Policy: geolocation=(), microphone=(), camera=()

• ✅ Login attempt logging
• ✅ Security event tracking
• ✅ Failed authentication alerts
• ✅ Rate limit violation logging

• Change default admin password
• Set strong SESSION_SECRET in .env
• Configure HTTPS/SSL certificate
• Set up firewall rules
• Configure automated backups
• Review file permissions
• Enable monitoring/alerting
• Test rate limiting

• Use HTTPS only (redirect HTTP)
• Keep database outside web root
• Run application as non-root user
• Regular security updates
• Implement backup encryption
• Monitor disk space
• Set up log rotation

Users must create passwords that meet these criteria:

• Minimum 8 characters
• At least one uppercase letter
• At least one lowercase letter
• At least one number
• Not in common password list

• 5 attempts per email per 15 minutes
• 10 attempts per IP per 15 minutes
• 60-minute block after exceeding

• 3 requests per email per hour
• 5 requests per IP per hour
• Prevents email bombing

If you discover a security vulnerability:

1. DO NOT create a public GitHub issue
2. Email: [email protected]
3. Include:
   • Description of vulnerability
   • Steps to reproduce
   • Potential impact
   • Suggested fix (if any)

We aim to respond within 48 hours and provide a fix within 7 days for critical issues.

For detailed information, see:

• ADR-0010: Security Hardening
• ADR-0011: Deployment Best Practices
• Authentication & Security Guide
• Production Deployment Guide

• Review security logs
• Check backup completion

• Review failed login attempts
• Update dependencies with security fixes

• Full security log audit
• Test backup restoration
• Review user permissions

• Security assessment
• Penetration testing (if applicable)
• Update security documentation

1. Use strong, unique passwords
2. Don't share your account
3. Log out when done (especially on shared computers)
4. Report suspicious activity to administrators
5. Keep your email secure (used for password reset)

If a security incident occurs:

1. Identify: Check logs, determine scope
2. Contain: Block attacker IP, disable affected accounts
3. Investigate: Preserve evidence, find root cause
4. Remediate: Fix vulnerability, reset passwords
5. Document: Record lessons learned
6. Communicate: Notify affected users if needed

Track these metrics:

• Failed login attempts per day
• Rate limit violations
• Password reset requests
• New user registrations
• Security incidents per month

Remember: Security is everyone's responsibility. Stay vigilant and report concerns promptly.