No immutable WORM storage; logs retained 90 days then rotated.

| Control | Compliance (OWASP 2023 / NIST 800‑63B) | Findings | Risk Rating |
|---------|---------------------------------------|----------|-------------|
| Password storage | ✔ (bcrypt ≥ 10) | OK | Low |
| Password policy | ✘ (no passphrase, no prohibited list) | Users may pick weak passwords | Medium |
| MFA | ✔ (required for admin roles) | Optional for non‑admin; SMS OTP weak | Medium |
| Transport security | ✔ (TLS 1.2+, HSTS) | OK | Low |
| XSS/CSRF protection | ✘ (SameSite Strict cookies not used; JWT in localStorage) | Tokens exposed to XSS | High |
| Session expiration | ✔ (30 min idle) | No absolute logout after password change | Medium |
| Token revocation | ✘ (no blacklist) | Compromised JWT remains valid until expiry | High |
| Brute‑force protection | ✘ (only IP‑based) | Credential stuffing possible | High |
| Logging & alerting | ✘ (no real‑time alerts) | Anomalous logins may go unnoticed | Medium |
| Secrets management | ✘ (env vars) | API keys and JWT secret in container env | High |
| Compliance | ✔ GDPR (data‑subject rights) | No SOC 2/ISO 27001 for admin portal | Medium |
Prepared 13 April 2026

1. Executive Summary

| Aspect | Current State | Strengths | Gaps / Risks | Recommendation |
|--------|---------------|-----------|--------------|----------------|
| Authentication method | Username/Password + optional OTP (SMS/email) | Simple, widely understood | No password‑less option, no adaptive MFA, OTP delivery can be intercepted | Implement WebAuthn/FIDO2 and adaptive risk‑based MFA |
| Password policy | Minimum 8 characters, at least one digit/special char | Meets baseline OWASP | No password‑strength estimator, no prohibited‑password list, no password‑history enforcement | Adopt NIST SP 800‑63B guidelines (8‑12 char passphrases, password‑less options) |
| Session management | JWT stored in localStorage, 30‑min inactivity timeout | Stateless, easy scaling | Vulnerable to XSS, token revocation not immediate | Move JWT to HttpOnly SameSite Strict cookies; add short‑lived access token + refresh token flow |
| Rate‑limiting / brute‑force protection | Basic IP‑based throttling (5 attempts/5 min) | Mitigates simple attacks | No account‑level lockout, no captcha, no bot‑detection | Introduce progressive delays, captcha after 3 failures, device‑fingerprinting |
| Logging & audit | Centralized logging to ELK; logs login success/failure | Good visibility | No alerting on anomalous login patterns, logs not immutable | Enable immutable log storage (WORM) and SIEM alerts for geolocation anomalies |
| Compliance | GDPR‑compliant, basic KYC for user accounts | Data‑subject rights respected | No SOC 2/ISO 27001 certification for BE admin portal | Pursue SOC 2 Type II audit for admin access |
| User experience | Classic login page, “Remember me” toggle | Fast load (< 1 s) | No SSO integration, no social login, no password‑reset self‑service | Add SSO (SAML/OIDC) for enterprise admins; self‑service reset with secure token |
| Infrastructure | Containerised (Docker) on Kubernetes (GKE), TLS 1.2+ | Scalable, automated deployment | No zero‑trust network segmentation; secret management via environment vars | Adopt a secret manager (GCP Secret Manager); implement service‑mesh (Istio) zero‑trust policies |
Scalability is satisfactory; the main bottleneck would be under massive concurrent credential checks. Adding a read replica for auth queries can off‑load the primary.

9. Recommendations – Roadmap

| Phase | Action | Owner | Effort (person‑days) | Target Completion |
|-------|--------|-------|----------------------|-------------------|
| 0 – Immediate | Migrate JWT storage to HttpOnly SameSite Strict cookies; deprecate localStorage. | Front‑end & API teams | 10 | Q2 2026 |
| 0 | Enable Content‑Security‑Policy (CSP) and Subresource Integrity to mitigate XSS. | Security team | 5 | Q2 2026 |
| 1 – Short‑term (≤ 3 months) | Implement adaptive MFA (risk‑based, device fingerprint, geolocation). | Auth team | 15 | Q3 2026 |
| 1 | Add per‑account lockout & CAPTCHA after | | | |