Security Overview
The UBU Finance backend implements a comprehensive security architecture designed to protect sensitive financial data and ensure secure operations. This document provides an overview of the security features implemented in the system.
Security Features
The following security features have been implemented:
Rate Limiting & Login Throttling
Rate limiting restricts the number of requests a client can make within a specific time window, mitigating abuse and denial-of-service attacks. Login throttling specifically limits the number of login attempts per client to slow down brute-force attacks.
Learn more about Rate Limiting
IP Whitelisting
IP whitelisting restricts access to the API to a predefined list of IP addresses, providing an additional layer of access control.
Learn more about IP Whitelisting
Account Lockout & Cool-Down
The account lockout mechanism locks user accounts after a configurable number of failed login attempts, protecting against brute force attacks.
Learn more about Account Lockout
Advanced Logout
Advanced logout features include token blacklisting to invalidate tokens on logout and token versioning to invalidate all existing tokens when needed.
Learn more about Advanced Logout
Adaptive Zero-Trust Engine
The Adaptive Zero-Trust Engine implements risk-based MFA prompts, real-time device posture checks, and geo-fencing per organizational unit to ensure that access is granted only to verified users on secure devices from authorized locations.
Learn more about Zero-Trust Engine
Consent & Privacy Framework
The Consent & Privacy Framework provides fine-grained consent tokens embedded in OAuth scopes, allowing users to control how their data is used and ensuring compliance with privacy regulations.
Learn more about Consent Framework
Monitoring, Logging & Alerting
Comprehensive monitoring, logging, and alerting systems provide real-time visibility into system health and security events, with support for email, Slack, and webhook notifications.
Learn more about Monitoring & Alerting
Security Architecture
The security features are implemented as middleware components that integrate with the FastAPI application. The middleware checks incoming requests against the security rules and rejects unauthorized requests.
graph TD
A[Client Request] --> B[Security Middleware]
B --> C{Security Checks}
C -->|IP Whitelist| D[Check IP]
C -->|Rate Limit| E[Check Rate]
C -->|Token Validation| F[Check Token]
C -->|Zero-Trust| K[Risk Assessment]
C -->|Consent| L[Check Consent]
D -->|Allowed| G[Continue]
D -->|Denied| H[Reject]
E -->|Within Limit| G
E -->|Exceeded| H
F -->|Valid| G
F -->|Invalid| H
K -->|Low Risk| G
K -->|High Risk| M[Require MFA]
M -->|MFA Success| G
M -->|MFA Failed| H
L -->|Granted| G
L -->|Not Granted| H
G --> I[Application Logic]
H --> J[Return Error]
Configuration
Security features can be configured via environment variables or by modifying the app/config/security_config.py file.
Example environment variables:
# Rate Limiting
RATE_LIMIT_ENABLED=true
RATE_LIMIT_MAX_REQUESTS=100
RATE_LIMIT_WINDOW_SECONDS=60
# IP Whitelist
IP_WHITELIST_ENABLED=false
IP_WHITELIST=192.168.1.0/24,10.0.0.1
IP_WHITELIST_ALLOW_LOCALHOST=true
# Account Lockout
ACCOUNT_LOCKOUT_ENABLED=true
ACCOUNT_LOCKOUT_MAX_FAILED_ATTEMPTS=5
ACCOUNT_LOCKOUT_DURATION_SECONDS=1800
# Zero-Trust Engine
GEOIP_DB_PATH=data/GeoLite2-City.mmdb
ZERO_TRUST_ENABLED=true
MFA_REQUIRED_FOR_HIGH_VALUE=1000
# Alerting
ALERTING_ENABLED=true
SLACK_API_TOKEN=your-slack-token
SLACK_CHANNEL=#alerts
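The account lockout and cool-down mechanism described above, driven by the ACCOUNT_LOCKOUT_MAX_FAILED_ATTEMPTS and ACCOUNT_LOCKOUT_DURATION_SECONDS values shown, as an added example that is not the project's own code. The in-memory tracker, the AccountLockout class and its attempt_login method are hypothetical; the clock is injectable so expiry of the cool-down can be exercised without waiting 1800 seconds.

```python
import os
import time
from dataclasses import dataclass

# Defaults match the example environment variables on this page.
MAX_FAILED_ATTEMPTS = int(os.environ.get("ACCOUNT_LOCKOUT_MAX_FAILED_ATTEMPTS", "5"))
LOCKOUT_DURATION_SECONDS = int(os.environ.get("ACCOUNT_LOCKOUT_DURATION_SECONDS", "1800"))


@dataclass
class _AccountState:
    failed_attempts: int = 0
    locked_until: float = 0.0  # epoch seconds; 0.0 means not locked


class AccountLockout:
    """In-memory lockout tracker (hypothetical; production would back this with Redis or the DB).
    The clock is injectable so cool-down expiry can be tested without sleeping."""

    def __init__(self, max_failed=MAX_FAILED_ATTEMPTS, duration=LOCKOUT_DURATION_SECONDS,
                 clock=time.time):
        self.max_failed = max_failed
        self.duration = duration
        self.clock = clock
        self._accounts = {}  # username -> _AccountState

    def is_locked(self, username):
        state = self._accounts.get(username)
        if state is None or state.locked_until == 0.0:
            return False
        if self.clock() >= state.locked_until:
            # Cool-down elapsed: drop lock and counter so the user gets a fresh budget.
            del self._accounts[username]
            return False
        return True

    def attempt_login(self, username, verify):
        """Apply the lockout policy; returns "locked", "ok" or "invalid".
        verify() is only called when the account is not locked, so a correct password
        during the cool-down is still rejected and does not leak whether it was right."""
        if self.is_locked(username):
            return "locked"
        if verify():
            self._accounts.pop(username, None)  # success resets the failure counter
            return "ok"
        state = self._accounts.setdefault(username, _AccountState())
        state.failed_attempts += 1
        if state.failed_attempts >= self.max_failed:
            state.locked_until = self.clock() + self.duration
            return "locked"
        return "invalid"
```

The lock is checked before the credential check runs, so attempts during the cool-down neither extend the lock nor reveal whether the submitted password was correct.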
Security Best Practices
When using the UBU Finance backend, follow these security best practices:
- Use HTTPS: Always use HTTPS to encrypt data in transit.
- Secure API Keys: Store API keys securely and never expose them in client-side code.
- Implement Proper Authentication: Use the provided authentication mechanisms and never bypass them.
- Regular Updates: Keep the system updated with the latest security patches.
- Monitor Logs: Regularly review logs for suspicious activity.
- Principle of Least Privilege: Only grant the minimum permissions necessary for each user.
- Input Validation: Always validate user input to prevent injection attacks.
- Implement MFA: Use multi-factor authentication for sensitive operations.
- Respect User Consent: Always respect user privacy preferences and obtain proper consent for data usage.
- Device Security: Ensure devices accessing the system meet minimum security requirements.