Our Approach to Security
Security isn't an afterthought at SocioPlex — it's embedded into every layer of the platform. From password hashing to webhook verification, we follow industry best practices to ensure your society's data remains protected.
Encrypted Credentials
Passwords are hashed with bcrypt, an adaptive hashing algorithm, and are never stored or transmitted in plaintext.
Defense in Depth
Multiple security layers: HTTP headers, CORS, rate limiting, input validation, and role-based access.
Audit Trail
Comprehensive logging of user actions, IP addresses, and system events for accountability.
Rate Limiting
Intelligent request throttling prevents abuse and ensures fair service for all users.
Authentication
Password Security
All passwords are hashed with bcrypt at a cost factor of 10 (bcrypt's "rounds" parameter) with a unique per-password salt before storage. Bcrypt is deliberately slow, which makes offline brute-force and dictionary attacks against a leaked hash expensive. We never store, log, or transmit passwords in plaintext, and passwords are never included in API responses.
JWT Token Authentication
After successful login, the server issues a JSON Web Token (JWT) with the following characteristics:
- Payload: Contains user ID, phone number, role, and society ID — no sensitive data like passwords (the payload is signed, not encrypted, so anyone holding the token can read these fields)
- Expiry: Tokens expire after 7 days, requiring re-authentication
- Signature: Tokens are cryptographically signed with a server-side secret key
- Transport: Transmitted via the Authorization: Bearer header (HTTP) and socket.auth.token (WebSocket)
Real-time Account Verification
On every authenticated request, the server re-validates the user against the database — not just the token. This ensures that blocked or deleted accounts lose access immediately, even if they hold a valid JWT.
Data Protection
At Rest
- Passwords: bcrypt-hashed (irreversible one-way hash)
- Database: MySQL/MariaDB with infrastructure-level encryption options depending on deployment
- No sensitive tokens or API keys are stored in the database — they are environment-variable only
In Transit
- All client-server communication is served over HTTPS/TLS in production deployments
- WebSocket connections (Socket.IO) run over the same TLS-secured connection
- Third-party API calls (DigitalOcean Gradient AI, WhatsApp Cloud API) use HTTPS with bearer token authentication
Input Sanitization
All incoming request data passes through a global validation pipeline that:
- Whitelists known fields and strips any unexpected properties (preventing mass assignment attacks)
- Validates data types, formats, and constraints using class-validator decorators
- Transforms input to expected types automatically
Network Security
HTTP Security Headers
SocioPlex uses Helmet.js to set comprehensive HTTP security headers on every response:
Content-Security-Policy
Prevents XSS attacks by controlling allowed content sources
X-Content-Type-Options
Prevents MIME type sniffing (nosniff)
X-Frame-Options
Prevents clickjacking by restricting iframe embedding
Strict-Transport-Security
Enforces HTTPS connections (HSTS)
Referrer-Policy
Controls what referrer information is sent with requests
X-XSS-Protection
Enables the legacy browser XSS filter where one exists; current browsers no longer ship this filter, so the Content-Security-Policy above is the control that actually matters for XSS
CORS Policy
Cross-Origin Resource Sharing is restricted to the configured frontend origin only. Unauthorized origins cannot make API requests to the server.
Access Control
Role-Based Access Control (RBAC)
Every API endpoint is protected by a layered authorization system:
- Authentication Guard: Verifies the JWT token is valid and the user exists and is not blocked
- Role Guard: Checks the user's role (Resident, Committee Member, Admin) against the endpoint's required role
- Ownership Checks: Service-level logic ensures users can only access their own data (e.g., a resident can only see their own complaints and bookings)
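The role guard and the service-level ownership check side by side, as an added example in Node.js rather than SocioPlex's own code. The role names (resident, committee, admin), the rank ordering between them, the complaint record shape and the in-memory Map are assumptions; the page only says which roles exist and that residents see only their own complaints.

```javascript
// Added example (not SocioPlex's code): a role guard plus a service-level ownership
// check. Role names, their ordering and the complaint record shape are assumptions.
const ROLE_RANK = { resident: 1, committee: 2, admin: 3 };
const hasOwn = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

// Role guard: the endpoint declares the minimum role; anything at or above passes.
function roleGuard(user, requiredRole) {
  if (!hasOwn(ROLE_RANK, requiredRole)) throw new Error(`endpoint declares unknown role: ${requiredRole}`);
  if (!user || !hasOwn(ROLE_RANK, user.role)) return { allowed: false, reason: 'unknown user role' };
  return ROLE_RANK[user.role] >= ROLE_RANK[requiredRole]
    ? { allowed: true }
    : { allowed: false, reason: `requires ${requiredRole} or above` };
}

// Ownership check: a resident may only touch their own complaint; committee members and
// admins may touch any complaint in their own society, never another society's. Scoping
// by societyId as well as by owner is what keeps a guessed id from leaking data across tenants.
function canAccessComplaint(user, complaint) {
  if (!complaint) return false;                                // unknown id
  if (complaint.societyId !== user.societyId) return false;    // wrong tenant
  if (user.role === 'resident') return complaint.residentId === user.id;
  return hasOwn(ROLE_RANK, user.role);                         // committee / admin in own society
}

// Handler wiring: fetch by id, then apply the rule. An inaccessible record is reported as
// 404 rather than 403 so the response does not confirm that the id exists.
function getComplaint(user, complaintId, complaints) {
  const complaint = complaints.get(complaintId);
  return canAccessComplaint(user, complaint) ? { status: 200, body: complaint } : { status: 404 };
}

// Constructed demo: three complaints across two societies, a resident and a committee member.
function demo() {
  const complaints = new Map([
    [1, { id: 1, societyId: 7, residentId: 42, title: 'Lift noise' }],
    [2, { id: 2, societyId: 7, residentId: 43, title: 'Parking dispute' }],
    [3, { id: 3, societyId: 8, residentId: 99, title: 'Gate light' }],
  ]);
  const resident = { id: 42, role: 'resident', societyId: 7 };
  const committee = { id: 5, role: 'committee', societyId: 7 };
  const ids = [1, 2, 3];
  return {
    resident: ids.map((id) => getComplaint(resident, id, complaints).status),
    committee: ids.map((id) => getComplaint(committee, id, complaints).status),
    residentOnAdminRoute: roleGuard(resident, 'admin').allowed,
  };
}

console.log(demo()); // { resident: [ 200, 404, 404 ], committee: [ 200, 200, 404 ], residentOnAdminRoute: false }
```

The guard answers "may this role call this endpoint"; the service answers "may this user see this record". Both are needed: a resident who passes the role guard for GET /complaints/:id still cannot read a neighbour's complaint.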
Public Endpoints
Only the following endpoints are accessible without authentication:
- Login and Registration
- Society listing (for registration dropdown)
- Public chatbot
- Visitor pass verification (by pass code)
- WhatsApp webhook
All other endpoints require a valid JWT token.
API Security
Rate Limiting
All API endpoints are protected by IP-based rate limiting:
- Default limit: 30 requests per 60-second window per IP address
- Standard headers: RateLimit-* headers are returned so clients can track their remaining quota
- WebSocket exclusion: Real-time Socket.IO connections are excluded from HTTP rate limiting (they have their own connection-level controls)
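A fixed-window limiter with the defaults stated above (30 requests per 60-second window per IP) that emits RateLimit-* headers, as an added example in Node.js. It is not SocioPlex's code: the header names follow the IETF draft (RateLimit-Limit, RateLimit-Remaining, RateLimit-Reset), the injectable clock and the trusted-proxy set are assumptions, and the client-IP resolution is included because the page later says Nginx terminates TLS in front of the application, which means the application otherwise sees only the proxy's address.

```javascript
// Added example (not SocioPlex's code): fixed-window IP rate limiting with the page's
// defaults (30 per 60 s) and draft-IETF RateLimit-* headers, plus client-IP resolution
// behind a reverse proxy. Header names, the proxy set and the clock are assumptions.
class FixedWindowLimiter {
  constructor({ limit = 30, windowMs = 60_000, now = () => Date.now() } = {}) {
    this.limit = limit;
    this.windowMs = windowMs;
    this.now = now;              // injectable for tests
    this.buckets = new Map();    // ip -> { count, resetAt }
  }

  // Record one request from ip and decide whether it may proceed.
  hit(ip) {
    const t = this.now();
    let bucket = this.buckets.get(ip);
    if (!bucket || t >= bucket.resetAt) {
      bucket = { count: 0, resetAt: t + this.windowMs };
      this.buckets.set(ip, bucket);
    }
    bucket.count += 1;
    const allowed = bucket.count <= this.limit;
    const resetSec = Math.ceil((bucket.resetAt - t) / 1000);
    const headers = {
      'RateLimit-Limit': String(this.limit),
      'RateLimit-Remaining': String(Math.max(0, this.limit - bucket.count)),
      'RateLimit-Reset': String(resetSec),
    };
    if (!allowed) headers['Retry-After'] = String(resetSec);
    return { allowed, status: allowed ? 200 : 429, headers };
  }

  // Drop expired buckets so the map does not grow with every address ever seen.
  sweep() {
    const t = this.now();
    for (const [ip, bucket] of this.buckets) if (t >= bucket.resetAt) this.buckets.delete(ip);
  }
}

// Behind Nginx every connection arrives from the proxy's address. Honour X-Forwarded-For
// only when the TCP peer is a trusted proxy, and take the last hop (the one the proxy
// appended); otherwise a client could forge the header to dodge the limit or to get
// someone else's address throttled.
function resolveClientIp(remoteAddr, xForwardedFor, trustedProxies) {
  if (!trustedProxies.has(remoteAddr) || !xForwardedFor) return remoteAddr;
  const hops = xForwardedFor.split(',').map((s) => s.trim()).filter(Boolean);
  return hops.length ? hops[hops.length - 1] : remoteAddr;
}

// Constructed demo: limit of 3 so the window fills quickly; the proxy sits at 127.0.0.1.
function demo() {
  let clock = 0;
  const limiter = new FixedWindowLimiter({ limit: 3, windowMs: 60_000, now: () => clock });
  const trusted = new Set(['127.0.0.1']);
  // The client claimed 203.0.113.9; the proxy appended the real peer 198.51.100.7.
  const ip = resolveClientIp('127.0.0.1', '203.0.113.9, 198.51.100.7', trusted);
  const statuses = [];
  for (let i = 0; i < 4; i++) statuses.push(limiter.hit(ip).status);
  clock = 60_000;                         // window rolls over
  statuses.push(limiter.hit(ip).status);
  return { ip, statuses };
}

console.log(demo()); // { ip: '198.51.100.7', statuses: [ 200, 200, 200, 429, 200 ] }
```

A fixed window lets a client spend the full quota at the end of one window and again at the start of the next; a sliding window or token bucket smooths that out at the cost of a little more state per address. Either way, apply the limiter to HTTP routes only and give Socket.IO its own connection-level controls, as the list above says.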
Request Validation
Every request body is validated against a strict DTO (Data Transfer Object) schema before processing. Unknown fields are automatically stripped, and malformed requests are rejected with descriptive error messages.
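The whitelist, validate and transform steps described here and under Input Sanitization above, as one added example in Node.js. SocioPlex uses class-validator decorators on DTO classes; this stand-alone version drives the same three steps from a plain schema object so it runs without that library. The complaint DTO, its field rules and the sample request are constructed for illustration and are not the project's own.

```javascript
// Added example (not SocioPlex's code): a schema-driven stand-in for the whitelist,
// validate and transform pipeline. The DTO and its rules are constructed; the real
// project expresses them with class-validator decorators.
const createComplaintSchema = {
  title:       { type: 'string', required: true, maxLength: 120 },
  description: { type: 'string', required: true, maxLength: 2000 },
  category:    { type: 'enum',   required: true, values: ['plumbing', 'electrical', 'security', 'other'] },
  flatNumber:  { type: 'int',    required: false, min: 1 },
};

const hasOwn = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

function validateBody(body, schema) {
  if (body === null || typeof body !== 'object' || Array.isArray(body)) {
    return { ok: false, errors: ['body must be a JSON object'] };
  }
  const errors = [];
  const value = {};
  // Whitelist: anything the DTO does not declare (role, userId, __proto__, ...) is dropped.
  // This is the step that stops mass assignment of server-controlled fields.
  const stripped = Object.keys(body).filter((k) => !hasOwn(schema, k));

  for (const [field, rule] of Object.entries(schema)) {
    const raw = hasOwn(body, field) ? body[field] : undefined;
    if (raw === undefined) {
      if (rule.required) errors.push(`${field} is required`);
      continue;
    }
    if (rule.type === 'string') {
      if (typeof raw !== 'string') errors.push(`${field} must be a string`);
      else if (raw.length > rule.maxLength) errors.push(`${field} exceeds ${rule.maxLength} characters`);
      else value[field] = raw.trim();
    } else if (rule.type === 'int') {
      // Transform: numeric strings (form posts, query params) become integers; anything else is rejected.
      const n = typeof raw === 'string' && /^-?\d+$/.test(raw) ? Number(raw) : raw;
      if (!Number.isInteger(n)) errors.push(`${field} must be an integer`);
      else if (rule.min !== undefined && n < rule.min) errors.push(`${field} must be at least ${rule.min}`);
      else value[field] = n;
    } else if (rule.type === 'enum') {
      if (!rule.values.includes(raw)) errors.push(`${field} must be one of: ${rule.values.join(', ')}`);
      else value[field] = raw;
    } else {
      errors.push(`no validator for ${field}`);
    }
  }
  return errors.length ? { ok: false, errors } : { ok: true, value, stripped };
}

// Constructed request: a resident tries to smuggle role and userId into the body.
function demo() {
  return validateBody(
    { title: ' Water leak ', description: 'Kitchen tap leaking', category: 'plumbing',
      flatNumber: '12', role: 'admin', userId: 1 },
    createComplaintSchema,
  );
}

console.log(demo());
// { ok: true, value: { title: 'Water leak', description: 'Kitchen tap leaking',
//   category: 'plumbing', flatNumber: 12 }, stripped: [ 'role', 'userId' ] }
```

The handler that receives `value` can assign it to the entity wholesale, because every key in it was declared by the DTO; `role` and `userId` come from the authenticated session, never from the body. Returning the list of stripped keys is useful for logging unexpected client behaviour, but the error messages sent back should name only the declared fields.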
Session Limits
Unauthenticated channels have built-in abuse prevention:
- Public web chatbot: 100 messages per anonymous session
- Unregistered WhatsApp numbers: 200 messages per session
Real-time (WebSocket) Security
Our Socket.IO implementation enforces security at the connection level:
- Token required: A valid JWT must be provided in socket.auth.token during the handshake. Connections without a valid token are immediately rejected.
- Blocked user detection: Blocked or deleted accounts are disconnected even if they hold a previously valid token.
- Room isolation: Residents are placed in society-specific rooms (society:{id}), ensuring they cannot receive messages from other societies.
WhatsApp Webhook Security
Incoming WhatsApp webhooks are verified using multiple mechanisms:
- HMAC-SHA256 signature verification: Every incoming webhook payload is verified against a cryptographic signature using the app secret. Requests with invalid signatures are rejected.
- Verify token handshake: The initial webhook registration uses a secret verify token to confirm ownership of the endpoint.
- Immediate acknowledgment: Webhooks are acknowledged with HTTP 200 immediately to prevent Meta from retrying, then processed asynchronously.
Monitoring & Auditing
Audit Logging
SocioPlex maintains an audit log infrastructure that tracks:
- User ID of the actor
- Action performed (e.g., create, update, delete, login)
- Entity type and ID affected
- Additional context details (JSON)
- IP address of the request origin
- Timestamp
Account Activity
Administrators can monitor:
- Active resident count and registration activity
- Complaint volume and resolution metrics
- AI message volume and usage patterns
- Booking activity and visitor pass usage
Infrastructure
SocioPlex is designed to run on standard server infrastructure with the following security considerations:
- Reverse proxy: Nginx handles TLS termination and acts as a security barrier between the internet and the application server
- Process management: PM2 ensures the application restarts automatically on failure, preventing prolonged downtime
- TLS certificates: Let's Encrypt provides free, auto-renewing SSL/TLS certificates for HTTPS
- Environment isolation: All secrets (JWT keys, API keys, database credentials) are stored as environment variables, never in source code or the database
Responsible Disclosure
We value the security research community and welcome responsible disclosure of vulnerabilities. If you discover a security issue, please:
- Email us at security@socioplex.in with a detailed description of the vulnerability
- Include steps to reproduce the issue
- Allow us reasonable time to investigate and address the issue before public disclosure
- Do not access, modify, or delete data belonging to other users during your research
We commit to acknowledging your report within 48 hours and providing regular updates on our investigation and remediation progress.