Security

Every request is signed with HMAC-SHA256 over METHOD\nPATH\nTIMESTAMP\nNONCE\nBODY_SHA256. The signature is verified server-side using subtle::ConstantTimeEq to prevent timing oracles.

Each request carries a UUID nonce. The server enforces canonical hyphenated UUID format and stores valid nonces in Redis with a 5-minute TTL. Replayed requests are rejected before any business logic runs.

Requests with a timestamp outside a ±5-minute window are rejected. Combined with the nonce, this bounds the replay window to the intersection of the two constraints.

Unauthenticated webhook endpoints are capped at DefaultBodyLimit::max(65_536) to prevent request-body DoS before signature verification runs.

Tokens are revoked on logout via SET fraise:revoked:{jti} 1 EX {ttl} in Redis. Every authenticated request checks EXISTS fraise:revoked:{jti} before proceeding. Falls back gracefully when Redis is unavailable.

The server accepts JWT_SECRET_PREVIOUS alongside the active secret. Tokens signed with the previous secret remain valid during rotation, preventing forced logouts.

Staff JWTs are signed with a separate STAFF_JWT_SECRET and carry business-scoped claims. A staff token cannot be used on customer endpoints, and vice versa.

Access tokens are stored in the iOS Keychain with kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly and biometric protection (.biometryAny | .devicePasscode). Tokens cannot be extracted from a locked device.

PinningDelegate in APIClient.swiftvalidates the server's certificate against a bundled public key hash. Active before production deployment.

APNs device tokens are registered per-user and used only for silent loyalty-update pushes. No marketing or tracking payloads are sent.

All user-supplied data (customer name, reward description, error messages) is HTML-escaped before rendering in server-side HTML pages. No framework escaping is relied upon for values that pass through format!() strings.

Per-endpoint rate limits are enforced via Redis INCR + EXPIRE with fixed-window counters. The HTML stamp path uses an IP-keyed counter independent of the business ID, preventing business-targeted DoS.

QR tokens encode both user ID and business ID. A Lua script atomically validates business ownership and consumes the token in a single Redis round-trip, preventing cross-business token abuse without a race window.

Security-relevant events (cross-business stamp attempts, NFC probes, rate limit hits, staff logins) are written to a permanent audit log with full context before any rejection response is returned.

This site sets Strict-Transport-Security, X-Frame-Options: DENY, X-Content-Type-Options: nosniff, Referrer-Policy, Permissions-Policy, and a Content-Security-Policy on every response. X-Powered-By is suppressed.