Security Technical Details
This page provides technical details about the security measures implemented in eSolia Periodic.
Authentication
Password Hashing
| Parameter | Value |
|---|---|
| Algorithm | PBKDF2-SHA512 |
| Iterations | 600,000 (OWASP 2024) |
| Salt Length | 128 bits (16 bytes) |
| Output Length | 512 bits (64 bytes) |
Password Requirements: Minimum 12 characters with at least one uppercase, lowercase, number, and special character.
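As an added example (not eSolia Periodic's own code), the following Python implements the hashing parameters and password policy listed above: PBKDF2-HMAC-SHA512, 600,000 iterations, a 16-byte random salt and a 64-byte derived key, with the stored record format (`pbkdf2-sha512$iterations$salt$hash`) being an assumption of this example rather than the application's actual storage layout.

```python
# Added example, not project code: PBKDF2-SHA512 hashing with the parameters
# from the table above, plus the stated password policy check.
import base64
import hashlib
import hmac
import os
import re

ALGORITHM = "sha512"
ITERATIONS = 600_000   # OWASP 2024 recommendation for PBKDF2-HMAC-SHA512
SALT_BYTES = 16        # 128-bit salt
DKLEN = 64             # 512-bit derived key


def password_meets_policy(password: str) -> bool:
    """Minimum 12 chars with upper, lower, digit and special character."""
    return (
        len(password) >= 12
        and re.search(r"[A-Z]", password) is not None
        and re.search(r"[a-z]", password) is not None
        and re.search(r"[0-9]", password) is not None
        and re.search(r"[^A-Za-z0-9]", password) is not None
    )


def hash_password(password: str, salt: bytes = b"") -> str:
    """Return a self-describing record (assumed format): scheme$iters$salt$hash."""
    if not salt:
        salt = os.urandom(SALT_BYTES)  # fresh random salt per password
    dk = hashlib.pbkdf2_hmac(ALGORITHM, password.encode("utf-8"),
                             salt, ITERATIONS, dklen=DKLEN)
    return "$".join(["pbkdf2-sha512", str(ITERATIONS),
                     base64.b64encode(salt).decode(),
                     base64.b64encode(dk).decode()])


def verify_password(password: str, record: str) -> bool:
    """Re-derive with the stored parameters and compare in constant time."""
    scheme, iters, salt_b64, hash_b64 = record.split("$")
    if scheme != "pbkdf2-sha512":
        return False
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(hash_b64)
    dk = hashlib.pbkdf2_hmac(ALGORITHM, password.encode("utf-8"),
                             salt, int(iters), dklen=len(expected))
    # hmac.compare_digest avoids leaking the match position through timing.
    return hmac.compare_digest(dk, expected)
```

Storing the iteration count in the record lets the verifier re-derive old hashes unchanged when the cost is raised later, so users can be transparently rehashed at next login.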
Multi-Factor Authentication (MFA)
| Feature | Implementation |
|---|---|
| Method | TOTP (RFC 6238) |
| Time Step | 30 seconds |
| Code Length | 6 digits |
| Backup Codes | 10 codes (12 chars each, single-use) |
Magic Link Authentication
| Parameter | Value |
|---|---|
| Token Length | 256 bits (32 bytes) |
| Expiration | 15 minutes |
| Usage | Single-use |
Session Management
Cookie Security
session_id={token}; Path=/; Max-Age={seconds}; Secure; SameSite=Lax; HttpOnly
| Flag | Purpose |
|---|---|
| Secure | HTTPS only transmission |
| HttpOnly | Prevents JavaScript access |
| SameSite=Lax | CSRF protection |
HTTP Security Headers
| Header | Value |
|---|---|
| X-Frame-Options | SAMEORIGIN |
| X-Content-Type-Options | nosniff |
| X-XSS-Protection | 1; mode=block |
| Referrer-Policy | strict-origin-when-cross-origin |
| Permissions-Policy | camera=(), microphone=(), ... |
Content Security Policy
default-src 'self';
script-src 'self' 'unsafe-inline' https://unpkg.com;
style-src 'self' 'unsafe-inline' https://fonts.googleapis.com https://cdn.jsdelivr.net;
font-src 'self' https://fonts.gstatic.com https://cdn.jsdelivr.net;
img-src 'self' data: https:;
connect-src 'self';
frame-ancestors 'self';
form-action 'self';
base-uri 'self';
Data Storage
Deno KV
- Encryption at rest (provided by Deno Deploy platform)
- Per-deployment data isolation
- Automatic TTL expiration for sessions, tokens, rate limits
OWASP Top 10 Mitigations
Broken Access Control
Role-based access control (admin/client), per-client data isolation, session validation
Cryptographic Failures
HTTPS required, PBKDF2-SHA512 password hashing (600k iterations), encryption at rest (D1/KV)
Injection
Parameterized queries (KV), input validation, HTML-escaped output
Insecure Design
Defense in depth, security-first architecture, threat modeling
Security Misconfiguration
Security headers (CSP, X-Frame-Options, etc.), secure defaults
Vulnerable Components
Deno dependency auditing, minimal external deps, regular updates
Authentication Failures
MFA/TOTP, magic links, password policy, rate limiting
Data Integrity Failures
Signed deployments (Deno Deploy), CI/CD integrity checks
Logging Failures
Security event logging, audit trails, anomaly detection
SSRF
External request validation, allowlist-based DNS queries