# Security Policy

## Overview

This project implements a layered security model with:

- Secure password hashing (bcrypt)
- Hashed verification and reset tokens (SHA-256)
- Role-based authorization
- Audit logging
- Environment-based email handling
- Configurable CORS

---

## Authentication

Passwords are hashed using bcrypt before storage.

Email verification is required before login.

Reset and verification tokens:

- Random 32+ bytes
- SHA-256 hashed before database storage
- Expiration enforced
- One-time use

---

## Authorization

Access control enforced via middleware:

- RequireAuth
- RequireAdmin

No authorization logic is implemented in templates.

---

## Session Security

- HttpOnly cookies
- SameSite=Lax
- Secure flag enabled in production
- Session key configured via environment variable

---

## Email Security

Develop mode:

- Emails are written to filesystem
- No external transmission

Production mode:

- SMTP authenticated delivery

---

## Audit Logging

The system logs:

- Signup
- Login
- Email verification
- Password reset
- Admin actions

Logs contain:

- UserID
- Action
- Entity
- EntityID
- IP
- UserAgent
- Timestamp
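
The reset and verification token rules listed under Authentication (random 32 bytes, only the SHA-256 digest stored, expiry enforced, one-time use), shown as an added Go example that is not this project's own code. The choice of Go, the names `TokenRecord`, `IssueToken`, `RedeemToken` and `ErrInvalidToken`, the in-memory record standing in for a database row, and hashing the base64url-encoded token string are all assumptions.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/base64"
	"errors"
	"fmt"
	"time"
)

// TokenRecord is a hypothetical stand-in for the database row; it never holds the raw token.
type TokenRecord struct {
	Hash      [32]byte
	ExpiresAt time.Time
	Used      bool
}

// IssueToken returns the raw token (delivered to the user by email) and the
// record to persist. Only the SHA-256 digest of the token is stored.
func IssueToken(ttl time.Duration, now time.Time) (string, *TokenRecord, error) {
	raw := make([]byte, 32) // 32 random bytes from the OS CSPRNG
	if _, err := rand.Read(raw); err != nil {
		return "", nil, err
	}
	token := base64.RawURLEncoding.EncodeToString(raw)
	return token, &TokenRecord{Hash: sha256.Sum256([]byte(token)), ExpiresAt: now.Add(ttl)}, nil
}

var ErrInvalidToken = errors.New("invalid, expired, or already used token")

// RedeemToken checks digest, expiry and single use, then marks the record used.
func RedeemToken(presented string, rec *TokenRecord, now time.Time) error {
	sum := sha256.Sum256([]byte(presented))
	match := subtle.ConstantTimeCompare(sum[:], rec.Hash[:]) == 1
	if !match || rec.Used || !now.Before(rec.ExpiresAt) {
		return ErrInvalidToken // one error for every failure mode
	}
	rec.Used = true // against a real store: one atomic UPDATE ... WHERE used = false
	return nil
}

func main() {
	now := time.Now()
	tok, rec, _ := IssueToken(time.Hour, now) // constructed sample token
	fmt.Println(RedeemToken(tok, rec, now), RedeemToken(tok, rec, now))
}
```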