Security & Compliance
Security is a primary focus of the Tower Defense project. This document outlines our security policies, practices, and compliance standards.
1. Authentication
We use Better Auth v1 for secure identity management.
- Session Management: Secure cookies and token-based sessions.
- Password Policies: Password complexity is enforced, and passwords are stored only as hashes (e.g., Argon2 or a comparable algorithm, via Better Auth).
- Email Verification: Required for all new accounts to prevent spam and ensure data integrity.
- Account Protection: Multi-factor authentication (MFA) and account lockout mechanisms (if configured).
2. Data Protection
- Data-at-Rest: Database backups are encrypted.
- Data-in-Transit: All communication between the frontend, backend, and external services must use HTTPS/TLS.
- Database Access: The API uses Drizzle ORM with parameterized queries to prevent SQL injection attacks.
3. Account Actions
Sensitive actions (e.g., changing email or password) require additional verification:
- Email Change: Verification code sent to both the old and new email addresses.
- Password Reset: Secure, time-limited reset tokens sent via email.
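As an added example (not part of this document or the Tower Defense code base), the token pattern described under Password Reset, written in TypeScript against Node's built-in crypto module: the emailed token carries a random id plus a random secret, only the secret's hash is persisted, and each token is both time-limited and single-use. TTL_MS, ResetRecord and the in-memory store are assumptions standing in for the project's real settings and database.

```typescript
// Added example, not the project's own code. Assumed policy: 15-minute
// token lifetime, single use, only a SHA-256 hash of the secret is stored.
import { createHash, randomBytes, timingSafeEqual } from "crypto";

const TTL_MS = 15 * 60 * 1000; // assumed lifetime of a reset token

interface ResetRecord {
  userId: string;
  secretHash: Buffer; // sha256(secret); the raw secret is never persisted
  expiresAt: number;  // epoch milliseconds
}

// In-memory table keyed by the public token id (stands in for a DB table).
const store = new Map<string, ResetRecord>();

function sha256(input: string): Buffer {
  return createHash("sha256").update(input).digest();
}

// Issue a token for userId. The returned string is what gets emailed;
// the id is a lookup selector, the secret is the part that proves possession.
function issueResetToken(userId: string, now: number = Date.now()): string {
  const id = randomBytes(8).toString("hex");
  const secret = randomBytes(32).toString("base64url"); // no "." in base64url
  store.set(id, { userId, secretHash: sha256(secret), expiresAt: now + TTL_MS });
  return `${id}.${secret}`;
}

// Consume a token. Returns the userId it was issued for, or null when the
// token is malformed, unknown, wrong, expired, or already used.
function consumeResetToken(token: string, now: number = Date.now()): string | null {
  const dot = token.indexOf(".");
  if (dot < 0) return null;
  const id = token.slice(0, dot);
  const secret = token.slice(dot + 1);
  const rec = store.get(id);
  if (!rec) return null;
  // Both digests are 32 bytes, so timingSafeEqual is safe to call here.
  if (!timingSafeEqual(sha256(secret), rec.secretHash)) return null;
  store.delete(id); // a matching token is consumed even if it turns out expired
  if (now > rec.expiresAt) return null;
  return rec.userId;
}
```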
4. Reporting Vulnerabilities
If you discover a security vulnerability, please report it privately to the maintainers. Do not open a public issue.
- Email: security@yourdomain.com
- Encryption: Use PGP for sensitive reports (if available).
5. Compliance
The project aims to be compliant with industry standards like GDPR (General Data Protection Regulation):
- Right to be Forgotten: Players can request the deletion of their accounts and associated data.
- Data Portability: Players can request an export of their data.
- Privacy by Design: We collect only the data necessary for the application to function.
Important: Always follow best practices when working with user data and credentials. Never log sensitive information or commit secrets to the repository.