# Samity360 Security Notes

## Implemented controls

- PDO prepared statements with emulated prepares disabled
- Password hashing with `password_hash` / `password_verify`
- Session ID regeneration after login
- HTTP-only, configurable Secure and SameSite cookies
- CSRF checks for state-changing browser requests
- RBAC middleware on routes and APIs
- Feature entitlement middleware on routes and APIs
- Tenant-scoped queries and ownership checks
- Database transactions and row locks for financial posting
- File type and size validation using server-side MIME detection
- Stable company-scoped attachment directories for tenant-level file organization
- Login history and operational audit logs
- Soft deletion fields on major business records
- Restricted Developer settings and provider controls
- Security headers for framing, MIME sniffing, referrer, and browser permissions
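The first three controls above and the tenant-scoped, row-locked financial posting, shown together in one added PHP example (this is not Samity360's own code; the `accounts` table and its `company_id` and `balance` columns, and the cents-based amount, are assumptions):

```php
<?php
// Added example, not Samity360's own code. Table and column names
// (accounts, company_id, balance) are assumed for illustration.
declare(strict_types=1);

function connect(string $dsn, string $user, string $pass): PDO
{
    return new PDO($dsn, $user, $pass, [
        // Real server-side prepares: bound values never enter the SQL text.
        PDO::ATTR_EMULATE_PREPARES   => false,
        PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
    ]);
}

// Session hardening at login: fresh ID plus HttpOnly/Secure/SameSite cookie.
function startAuthenticatedSession(bool $secure): void
{
    session_set_cookie_params([
        'httponly' => true,
        'secure'   => $secure,   // configurable, as the notes describe
        'samesite' => 'Lax',
    ]);
    session_start();
    session_regenerate_id(true); // discard the pre-login session ID
}

// Tenant-scoped posting inside a transaction with a row lock, so two
// concurrent postings cannot both read the same starting balance.
function postCollection(PDO $db, int $companyId, int $accountId, int $amountCents): int
{
    $db->beginTransaction();
    try {
        $sel = $db->prepare(
            'SELECT balance FROM accounts WHERE id = :id AND company_id = :co FOR UPDATE'
        );
        $sel->execute([':id' => $accountId, ':co' => $companyId]);
        $row = $sel->fetch();
        if ($row === false) {
            // Ownership check: the account must belong to this tenant.
            throw new RuntimeException('account not found in this tenant');
        }
        $newBalance = (int) $row['balance'] + $amountCents;
        $upd = $db->prepare('UPDATE accounts SET balance = :b WHERE id = :id AND company_id = :co');
        $upd->execute([':b' => $newBalance, ':id' => $accountId, ':co' => $companyId]);
        $db->commit();
        return $newBalance;
    } catch (Throwable $e) {
        $db->rollBack();
        throw $e;
    }
}
```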

## Required before public deployment

1. Complete an independent penetration test and code review.
2. Add rate limiting by account and IP for login, OTP, search, export, and notification endpoints.
3. Add account lockout using `login_history` and the database security settings.
4. Encrypt SMS, WhatsApp, SMTP, and API secrets with a key outside the database.
5. Serve uploads through an authorization controller or object storage with signed URLs.
6. Add antivirus scanning and image re-encoding for uploads.
7. Add queue workers with idempotency keys for messages and scheduled financial jobs.
8. Add database-level reconciliation tests and immutable journal policies.
9. Add OTP replay protection and provider delivery verification.
10. Configure centralized logs, alerts, backup encryption, and disaster-recovery drills.

## Financial correctness

The included operational accounting tables track cash, bank/MFS balances, collections, income, expenses, and closing. A regulated deployment should add a formally approved chart of accounts, double-entry journals, period locking, reversal-only corrections, and accountant-reviewed opening balances.
