Security
Security controls that are implemented
DueBid publishes only controls backed by the current frontend and BFF behavior. Certifications, uptime, or audit claims are not shown without approved evidence.
Effective date: June 25, 2026
Uploads are not public URLs
Customer uploads move through authenticated application routes and backend-controlled upload sessions. The browser is not given a public object-storage URL.
Evidence: Workspace upload manager and BFF routes use application APIs and safe upload-session responses without internal storage identifiers or provider-specific routing fields.
Secure report artifact delivery
Report downloads are requested through authenticated application routes and short-lived delivery grants. UI copy never exposes internal storage names, object keys, provider URLs, or scanner details.
Evidence: Delivery parser accepts only grant id, secret, and expiration; route tests reject provider/internal fields.
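A strict allowlist parser of the kind this evidence line describes, as an added example that is not DueBid's own code. The field names (grantId, secret, expiresAt), the format limits, and the error strings are assumptions made for illustration.

```javascript
// Added example: fail-closed parsing of a delivery-grant response.
// Field names and limits below are assumptions, not taken from the DueBid code base.
const ALLOWED_FIELDS = new Set(["grantId", "secret", "expiresAt"]);

class DeliveryGrantError extends Error {}

function parseDeliveryGrant(payload, now = Date.now()) {
  if (payload === null || typeof payload !== "object" || Array.isArray(payload)) {
    throw new DeliveryGrantError("malformed grant");
  }
  // Reject unknown keys instead of silently dropping them, so a backend change
  // that starts returning a storage key or provider URL fails tests and requests.
  for (const key of Object.keys(payload)) {
    if (!ALLOWED_FIELDS.has(key)) {
      // The message never echoes the key name, so nothing internal reaches the UI.
      throw new DeliveryGrantError("unexpected field");
    }
  }
  const { grantId, secret, expiresAt } = payload;
  if (typeof grantId !== "string" || !/^[A-Za-z0-9_-]{8,64}$/.test(grantId)) {
    throw new DeliveryGrantError("malformed grant");
  }
  if (typeof secret !== "string" || secret.length < 16 || secret.length > 256) {
    throw new DeliveryGrantError("malformed grant");
  }
  const expiry = typeof expiresAt === "string" ? Date.parse(expiresAt) : NaN;
  if (!Number.isFinite(expiry)) {
    throw new DeliveryGrantError("malformed grant");
  }
  if (expiry <= now) {
    throw new DeliveryGrantError("grant expired");
  }
  // Return a fresh frozen object holding only the three vetted values.
  return Object.freeze({ grantId, secret, expiresAt: new Date(expiry).toISOString() });
}

// Route-handler style wrapper: converts parser failures into a sanitized result.
function tryParseDeliveryGrant(payload, now) {
  try {
    return { ok: true, grant: parseDeliveryGrant(payload, now) };
  } catch (err) {
    if (err instanceof DeliveryGrantError) return { ok: false, reason: err.message };
    throw err;
  }
}
```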
Browser security headers
Production HTML responses receive strict browser security headers, including frame protection, same-origin protections, request IDs, and controlled CSP behavior.
Evidence: src/proxy.ts and browser security tests enforce the browser-security boundary.
Authenticated workspace access
Dashboard routes require authenticated workspace access, and customer-facing BFF routes fail closed on missing sessions, denied workspace access, malformed backend data, or backend unavailability.
Evidence: Proxy dashboard auth gate, auth route handlers, workspace BFF tests, and access-control tests.
Account security controls
The account security UI supports password sessions, passkeys, TOTP MFA setup, recovery-code status, session visibility, and session revocation through backend-backed routes.
Evidence: Security center and account-security components use backend capability and session APIs.
Public production source maps are not served
The production build disables browser source maps and prunes public source-map files after build.
Evidence: next.config.mjs disables productionBrowserSourceMaps; scripts/build-and-prune.mjs runs scripts/prune-public-source-maps.mjs.
Safe outage surfaces
Error and outage surfaces show safe recovery guidance and request IDs without exposing protected readiness, infrastructure topology, internal storage names, scanner names, or backend internals.
Evidence: Global and locale error pages render safe request IDs; BFF route handlers return sanitized backend-unavailable envelopes.
Backup and restore commitments
Public backup and restore commitments require approved deployment input before publication.
Evidence: No approved public RPO, RTO, backup region, or restore-drill claim is checked into the frontend.
No public certifications claimed
No SOC 2, ISO 27001, penetration-test, insurance, SLA, uptime, or audit-certification claim is published unless approved evidence is supplied.
Evidence: Trust-content scan rejects fake certification and uptime language.