Security

Security controls that are implemented

DueBid publishes only controls backed by the current frontend and BFF behavior. Certifications, uptime, or audit claims are not shown without approved evidence.

Effective date: June 25, 2026

Verified technical control · Upload security

Uploads are not public URLs

Customer uploads move through authenticated application routes and backend-controlled upload sessions. The browser is not given a public object-storage URL.

Evidence: Workspace upload manager and BFF routes use application APIs and safe upload-session responses without internal storage identifiers or provider-specific routing fields.

Verified technical control · Storage and delivery

Secure report artifact delivery

Report downloads are requested through authenticated application routes and short-lived delivery grants. UI copy never exposes internal storage names, object keys, provider URLs, or scanner details.

Evidence: Delivery parser accepts only grant id, secret, and expiration; route tests reject provider/internal fields.
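An added example (not DueBid's code) of the allow-list parsing the control above describes: the BFF accepts exactly the grant id, secret and expiration, rejects any other field such as an object key or provider URL, and fails closed on malformed or expired grants. The field names, the id pattern and the 15-minute lifetime cap are assumptions.

```typescript
// Added example: strict parser for a short-lived delivery grant returned to
// the browser. Field names and limits are assumptions, not DueBid's schema.
interface DeliveryGrant {
  grantId: string;
  secret: string;
  expiresAt: number; // epoch milliseconds
}

type ParseResult =
  | { ok: true; grant: DeliveryGrant }
  | { ok: false; reason: string };

const ALLOWED_FIELDS = new Set(["grantId", "secret", "expiresAt"]);
const MAX_TTL_MS = 15 * 60 * 1000; // assumed cap for "short-lived"
const GRANT_ID_PATTERN = /^[A-Za-z0-9_-]{8,128}$/; // assumed opaque id shape

function parseDeliveryGrant(input: unknown, now: number = Date.now()): ParseResult {
  if (typeof input !== "object" || input === null || Array.isArray(input)) {
    return { ok: false, reason: "grant must be a JSON object" };
  }
  const obj = input as Record<string, unknown>;
  // Reject any key outside the allow-list, so a bucket name, object key or
  // provider URL leaking from the backend never reaches UI code.
  for (const key of Object.keys(obj)) {
    if (!ALLOWED_FIELDS.has(key)) {
      return { ok: false, reason: `unexpected field: ${key}` };
    }
  }
  const { grantId, secret, expiresAt } = obj;
  if (typeof grantId !== "string" || !GRANT_ID_PATTERN.test(grantId)) {
    return { ok: false, reason: "invalid grant id" };
  }
  if (typeof secret !== "string" || secret.length < 16) {
    return { ok: false, reason: "invalid secret" };
  }
  if (typeof expiresAt !== "number" || !Number.isFinite(expiresAt)) {
    return { ok: false, reason: "invalid expiration" };
  }
  // Fail closed on grants that are already expired or suspiciously long-lived.
  if (expiresAt <= now) {
    return { ok: false, reason: "grant already expired" };
  }
  if (expiresAt - now > MAX_TTL_MS) {
    return { ok: false, reason: "grant lifetime exceeds cap" };
  }
  return { ok: true, grant: { grantId, secret, expiresAt } };
}
```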

Verified technical control · Security controls

Browser security headers

Production HTML responses receive strict browser security headers, including frame protection, same-origin protections, request IDs, and controlled CSP behavior.

Evidence: src/proxy.ts and browser security tests enforce the browser-security boundary.

Verified technical control · Access control

Authenticated workspace access

Dashboard routes require authenticated workspace access, and customer-facing BFF routes fail closed on missing sessions, denied workspace access, malformed backend data, or backend unavailability.

Evidence: Proxy dashboard auth gate, auth route handlers, workspace BFF tests, and access-control tests.

Verified technical control · Account security

Account security controls

The account security UI supports password sessions, passkeys, TOTP MFA setup, recovery-code status, session visibility, and session revocation through backend-backed routes.

Evidence: Security center and account-security components use backend capability and session APIs.

Verified technical control · Operations

Public production source maps are not served

The production build disables browser source maps and prunes any public source-map files after the build completes.

Evidence: next.config.mjs disables productionBrowserSourceMaps; scripts/build-and-prune.mjs runs scripts/prune-public-source-maps.mjs.

Verified technical control · Operations

Safe outage surfaces

Error and outage surfaces show safe recovery guidance and request IDs without exposing protected readiness, infrastructure topology, internal storage names, scanner names, or backend internals.

Evidence: Global and locale error pages render safe request IDs; BFF route handlers return sanitized backend-unavailable envelopes.

Not configured for launch · Operations

Backup and restore commitments

Public backup and restore commitments require approved deployment input before publication.

Evidence: No approved public RPO, RTO, backup region, or restore-drill claim is checked into the frontend.

Not configured for launch · Operations

No public certifications claimed

No SOC 2, ISO 27001, penetration-test, insurance, SLA, uptime, or audit-certification claim is published unless approved evidence is supplied.

Evidence: Trust-content scan rejects fake certification and uptime language.