Security — HeartCo Starter
65 vulnerabilities eliminated.
Complete security audit: OWASP Top 10, IDOR, XSS, CSRF, injection, multi-tenant isolation. Every flaw identified, documented and resolved.
Categories of vulnerabilities fixed
8 attack vectors audited, 65 fixes applied.
IDOR: Resource isolation by organizationId in every Prisma query
XSS: Input sanitization, Content Security Policy, secure headers
Auth & Session: NextAuth v5, CSRF tokens, session rotation, secure cookies
SQL Injection: Parameterized Prisma ORM, zero unsanitized raw queries
RBAC & Permissions: Granular permission matrix, staffProcedure minimum
Multi-tenant: Prisma $extends with automatic organizationId filter
Crypto & HMAC: timingSafeEqual for webhooks, bcrypt for passwords
Rate Limiting: Fail-closed rate limiter in production, per route and per IP
Our security practices
Strict rules enforced on every line of code.
Every Prisma update/delete includes organizationId in the WHERE
findFirst (never findUnique) for organization-scoped resources
TRPCError everywhere (never throw new Error)
IDOR → NOT_FOUND (not FORBIDDEN), so a cross-tenant lookup does not leak that the resource exists
Webhook HMAC with crypto.timingSafeEqual
Fail-closed rate limiting in production
Automated security tests (pnpm test:security)
Audited dependencies (npm audit, Snyk)
OWASP Top 10 coverage
10/10 categories covered. Zero blind spots.
Security is not a feature.
It's a prerequisite.