The platform uses a defense-in-depth approach: a custom Node.js server intercepts and filters traffic before it reaches the Next.js application layer.
The Security Shield (lib/security/shield.ts) acts as an application-level Web Application Firewall (WAF) running directly in the custom server (server.ts).
- Zero-Day Inspection: Inspects the raw `http.IncomingMessage` directly, before the request is handed to Next.js.
- Bot Blocking:
  - Blocks known malicious User-Agents (`sqlmap`, `nikto`, `python-requests`). The User-Agent header is attacker-controlled, so this removes noisy scanner traffic rather than stopping a targeted attacker who sets a browser-like value.
  - Blocks malicious URL patterns (`.env`, `.git`, `wp-admin`).
- Integrity Checks:
  - Enforces the `X-App-Integrity` header for sensitive actions.
  - Validates signed tokens to prevent replay attacks and unauthorized API usage.
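The following is an added example of the kind of request filter described above; it is not the project's `lib/security/shield.ts`. It operates on a structural subset of `http.IncomingMessage` (`method`, `url`, `headers`) so it can be called from the custom server's request callback before the request is handed to Next.js. The anchored path regexes, the `/api/actions/` prefix used to decide which routes need `X-App-Integrity`, and the verdict shape are this example's assumptions, not the project's.

```typescript
// Added example of an application-level request filter; not the project's shield.ts.
// Request shape: the fields of http.IncomingMessage that the checks need.
type HeaderValue = string | string[] | undefined;

export interface InspectableRequest {
  method?: string;
  url?: string;
  headers: Record<string, HeaderValue>;
}

export interface Verdict {
  allowed: boolean;
  reason?: string;
}

// Scanner / scripting User-Agents named on the page, matched case-insensitively as
// substrings. A targeted attacker simply changes the header, so this only removes noise.
const BLOCKED_UA = ["sqlmap", "nikto", "python-requests"];

// Path patterns named on the page, anchored to path segments so that /environment or
// /wp-admin-notes are not caught by accident. The regexes are this example's assumption.
const BLOCKED_PATHS: RegExp[] = [
  /(^|\/)\.env(\.|$|\/)/i, // .env, .env.local, /.env/
  /(^|\/)\.git(\/|$)/i,    // .git, .git/config
  /(^|\/)wp-admin(\/|$)/i, // wp-admin, wp-admin/
];

// Assumed prefix for routes that must carry X-App-Integrity (the page does not list them).
const SENSITIVE_PREFIX = "/api/actions/";

function firstHeader(h: HeaderValue): string | undefined {
  return Array.isArray(h) ? h[0] : h;
}

export function inspect(req: InspectableRequest): Verdict {
  const ua = (firstHeader(req.headers["user-agent"]) ?? "").toLowerCase();
  for (const bad of BLOCKED_UA) {
    if (ua.includes(bad)) return { allowed: false, reason: `blocked user-agent: ${bad}` };
  }

  // Decode once so percent-encoded variants such as /%2Eenv cannot slip past the patterns.
  let path: string;
  try {
    path = decodeURIComponent((req.url ?? "/").split("?")[0] ?? "/");
  } catch {
    return { allowed: false, reason: "malformed url encoding" };
  }
  for (const re of BLOCKED_PATHS) {
    if (re.test(path)) return { allowed: false, reason: `blocked path pattern: ${re.source}` };
  }

  // Presence check only: the token itself is verified by the action-token layer.
  if (path.startsWith(SENSITIVE_PREFIX) && req.method !== "GET") {
    if (!firstHeader(req.headers["x-app-integrity"])) {
      return { allowed: false, reason: "missing X-App-Integrity" };
    }
  }
  return { allowed: true };
}
```

In a custom server the filter would run first in the `http.createServer` callback: on `allowed: false` the server writes a short 403 and returns without calling the Next.js request handler, which is what keeps scanner traffic away from the rendering engine. Decoding the path before matching matters: a pattern checked against the raw URL is bypassed by percent-encoding a single character.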
For sensitive user interactions (e.g., playing the Lucky Roll), the server generates Action Tokens (lib/security/action-token.ts).
- Algorithm: AES-256-GCM. GCM is authenticated encryption, so the authentication tag it produces is what makes the token tamper-evident; there is no separate signature.
- Payload: User ID, Context (pathname), Timestamp, and a unique Nonce.
- Validation: tokens must be recent and must authenticate under the server key to be accepted by server actions, and the user and pathname they carry must match the request. A third-party site cannot obtain such a token for the victim, which prevents Cross-Site Request Forgery (CSRF). The timestamp bounds the replay window; rejecting a nonce that has already been consumed closes that window entirely.
The application runs on a custom server.ts entry point, which enables:
- Socket.io Integration:
  - Presence: tracks online users in real time (`presence:update`).
  - Broadcasts: security lockdowns (`system:lockdown`) and jackpots (`jackpot`) are pushed instantly to all connected clients.
- Request Interception: the Shield runs here, dropping malicious requests immediately without spinning up the heavier Next.js rendering engine.
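As an added example of the presence and broadcast side of such a server (not the project's `server.ts`), the tracker below counts live sockets per user so that a user with several tabs open is reported online once and is only reported offline when the last socket closes. It depends on Socket.io only through a one-method `Broadcaster` interface, which a Socket.io `Server` instance satisfies with its `emit`; the event names are the page's, the payload shapes and the `RecordingBroadcaster` used to exercise it offline are this example's assumptions.

```typescript
// Added example, not the project's server.ts. In the real server `io` would be the
// Socket.io Server and connect/disconnect would be called from io.on("connection", ...).
export interface Broadcaster {
  emit(event: string, payload: unknown): void;
}

export class PresenceTracker {
  // userId -> number of live sockets (two tabs open means two connections)
  private readonly connections = new Map<string, number>();

  constructor(private readonly io: Broadcaster) {}

  connect(userId: string): void {
    const n = (this.connections.get(userId) ?? 0) + 1;
    this.connections.set(userId, n);
    if (n === 1) this.publish(); // only the first socket changes who is online
  }

  disconnect(userId: string): void {
    const n = this.connections.get(userId);
    if (n === undefined) return; // disconnect with no matching connect: ignore
    if (n > 1) {
      this.connections.set(userId, n - 1); // other tabs still open, presence unchanged
      return;
    }
    this.connections.delete(userId);
    this.publish();
  }

  online(): string[] {
    return [...this.connections.keys()].sort();
  }

  private publish(): void {
    // Event name from the page; payload shape is an assumption.
    this.io.emit("presence:update", { online: this.online(), count: this.connections.size });
  }
}

// Broadcasts for the two events named on the page. Payload shapes are assumptions.
export function broadcastLockdown(io: Broadcaster, reason: string, until: number): void {
  io.emit("system:lockdown", { reason, until });
}

export function broadcastJackpot(io: Broadcaster, userId: string, amount: number): void {
  io.emit("jackpot", { userId, amount });
}

// Records events in memory so the tracker can be exercised without Socket.io.
export class RecordingBroadcaster implements Broadcaster {
  readonly events: { event: string; payload: unknown }[] = [];
  emit(event: string, payload: unknown): void {
    this.events.push({ event, payload });
  }
}
```

Reference counting is the part that is easy to get wrong: a tracker keyed on socket id alone flickers a user offline every time one tab reloads, and one keyed on user id alone drops the user as soon as any single tab closes.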