This document maps each OWASP Top 10 (2021) vulnerability category to its implementation in the SolFoundry codebase.

Mitigation: All mutation endpoints require JWT authentication via get_current_user_id dependency. Role-based access tiers (anonymous, authenticated, admin) enforce different rate limits and permissions.

Code references:

• backend/app/api/auth.py — JWT token extraction and validation
• backend/app/auth.py — get_current_user_id dependency
• backend/app/middleware/rate_limiter.py — Tiered access control

Implementation details:

• Bearer token required for all state-changing operations
• Resource ownership checks via AuthenticatedUser.owns_resource()
• Session invalidation on security events (token theft detection)

Mitigation: All secrets via environment variables (never hardcoded). JWT tokens use HS256 with minimum 32-character secret keys. Refresh tokens are stored as SHA-256 hashes (never plaintext). HTTPS enforced via HSTS headers.

Code references:

• backend/app/services/config_validator.py — Secret validation and audit
• backend/app/services/auth_service.py — JWT token signing
• backend/app/services/auth_hardening.py — Token hash storage
• backend/app/middleware/security.py — HSTS enforcement
• backend/.env.example — Configuration template

Implementation details:

• validate_secrets() checks all required secrets at startup
• SensitiveDataFilter redacts secrets from log output
• audit_source_for_secrets() scans for hardcoded credentials

Mitigation: SQLAlchemy ORM with parameterized queries prevents SQL injection. Input sanitization middleware scans for SQL injection patterns as defense-in-depth. Pydantic validators enforce field constraints.

Code references:

• backend/app/database.py — SQLAlchemy async engine (parameterized queries)
• backend/app/middleware/sanitization.py — SQL injection pattern detection
• backend/app/models/bounty.py — Pydantic field validators

Implementation details:

• All database queries use SQLAlchemy select(), insert(), update() (never raw SQL)
• SQL_INJECTION_PATTERNS catches UNION SELECT, DROP TABLE, boolean-based blind, time-based blind
• Input fields have max_length, min_length, regex patterns via Pydantic

Mitigation: Security-by-design architecture with defense-in-depth layers. Escrow operations use transaction verification pipeline. Auth uses token rotation and session management.

Code references:

• backend/app/services/escrow_security.py — Multi-step verification pipeline
• backend/app/services/auth_hardening.py — Token rotation, session management
• docs/ESCROW_SECURITY.md — Threat model documentation

Implementation details:

• Escrow operations require: format validation → double-spend check → age verification → address validation → amount validation
• Refresh tokens rotate on each use with theft detection
• Brute force protection with exponential backoff

Mitigation: Security headers set on all responses. Default-deny Content-Security-Policy. Environment-based configuration with validation.

Code references:

• backend/app/middleware/security.py — Security headers middleware
• backend/app/services/config_validator.py — Configuration validation
• backend/.env.example — Documented configuration template

Implementation details:

• HSTS with preload, CSP, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy
• validate_secrets() detects placeholder values and weak configurations
• Server identification headers removed

Mitigation: Automated dependency scanning for Python (pip-audit) and Node.js (npm audit) with CI/CD integration.

Code references:

• scripts/audit_deps.py — Dependency vulnerability scanner
• backend/requirements.txt — Pinned Python dependencies
• frontend/package.json — Pinned Node.js dependencies

Implementation details:

• CI mode fails builds on critical/high vulnerabilities
• JSON report output for tracking over time
• Covers both direct and transitive dependencies

Mitigation: Brute force protection with exponential backoff lockout. Refresh token rotation with reuse detection. Session limits per user. Multi-factor auth via wallet signature.

Code references:

• backend/app/services/auth_hardening.py — BruteForceProtector, RefreshTokenStore, SessionManager
• backend/app/services/auth_service.py — JWT + wallet signature auth
• backend/app/api/auth.py — Auth endpoints

Implementation details:

• 5 failed attempts → 15-minute lockout (escalating to 24h max)
• Refresh token reuse triggers full session revocation (theft detection)
• Maximum 5 concurrent sessions per user
• Wallet authentication requires signing a server-generated nonce

Mitigation: GitHub webhook signature verification (HMAC-SHA256). Transaction signature verification for Solana operations. Dependency integrity via lock files.

Code references:

• backend/app/api/webhooks/github.py — HMAC signature verification
• backend/app/services/escrow_security.py — Transaction verification
• backend/app/services/webhook_service.py — Signature verification

Implementation details:

• Webhooks rejected if HMAC-SHA256 signature doesn't match
• Fail-closed: webhooks rejected when secret not configured
• package-lock.json and pinned requirements.txt ensure dependency integrity

Mitigation: Comprehensive security event logging. Sensitive data filtered from logs. Critical security events (double-spend, token theft) logged at CRITICAL level.

Code references:

• backend/app/services/config_validator.py — SensitiveDataFilter
• backend/app/services/auth_hardening.py — Brute force and session logging
• backend/app/services/escrow_security.py — Transaction security logging
• backend/app/middleware/rate_limiter.py — Rate limit violation logging

Implementation details:

• All security events include IP address, user agent, and identifiers
• JWT tokens redacted from logs as [REDACTED_JWT]
• Secret values redacted as [REDACTED]
• Double-spend attempts logged at CRITICAL with full context

Mitigation: Outbound HTTP requests limited to known endpoints (GitHub API, Solana RPC). URL validation on user-provided URLs enforces GitHub-only domains.

Code references:

• backend/app/services/auth_service.py — GitHub API calls (fixed URLs)
• backend/app/services/solana_client.py — Solana RPC (configured endpoint)
• backend/app/models/bounty.py — URL validation

Implementation details:

• pr_url and github_issue_url fields validate against https://github.com/ prefix
• Solana RPC URL configured via environment variable (not user-controlled)
• No arbitrary URL fetching from user input

                    ┌──────────────────────────────────────────────┐
                    │                  Client                      │
                    └──────────┬───────────────────────────────────┘
                               │ HTTPS (HSTS enforced)
                    ┌──────────▼───────────────────────────────────┐
                    │           Reverse Proxy / Load Balancer       │
                    │   (SSL termination, connection limits)        │
                    └──────────┬───────────────────────────────────┘
                               │
                    ┌──────────▼───────────────────────────────────┐
                    │        Security Headers Middleware            │
                    │   CSP, HSTS, X-Frame-Options, etc.           │
                    ├──────────────────────────────────────────────┤
                    │        Rate Limit Middleware                  │
                    │   Tiered: anon/auth/admin + per-endpoint     │
                    ├──────────────────────────────────────────────┤
                    │        Input Sanitization Middleware          │
                    │   XSS, SQL injection pattern detection        │
                    ├──────────────────────────────────────────────┤
                    │        CORS Middleware                        │
                    │   Origin whitelist, credential control        │
                    ├──────────────────────────────────────────────┤
                    │        FastAPI Application                    │
                    │   ┌─────────────┐  ┌──────────────────────┐ │
                    │   │ Auth Routes  │  │ API Routes           │ │
                    │   │ (JWT + wallet│  │ (bounties, payouts,  │ │
                    │   │  signature)  │  │  treasury, search)   │ │
                    │   └──────┬──────┘  └──────────┬───────────┘ │
                    │          │                     │              │
                    │   ┌──────▼──────────────────────▼───────────┐│
                    │   │         Service Layer                    ││
                    │   │  ┌─────────────┐ ┌───────────────────┐  ││
                    │   │  │ Auth        │ │ Escrow Security   │  ││
                    │   │  │ Hardening   │ │ (double-spend,    │  ││
                    │   │  │ (brute force│ │  signature verify, │  ││
                    │   │  │  token rot.)│ │  rate limit)       │  ││
                    │   │  └─────────────┘ └───────────────────┘  ││
                    │   └─────────────────────────────────────────┘│
                    │          │                                    │
                    │   ┌──────▼──────────────────────────────────┐│
                    │   │    PostgreSQL (parameterized queries)    ││
                    │   │    + Automated backups (pg_dump + PITR)  ││
                    │   └─────────────────────────────────────────┘│
                    └──────────────────────────────────────────────┘

Before deploying to production, verify:

• JWT_SECRET_KEY is a cryptographically random string (32+ chars)
• GITHUB_CLIENT_SECRET is set from GitHub OAuth app settings
• GITHUB_WEBHOOK_SECRET is set and matches GitHub webhook config
• DATABASE_URL points to production PostgreSQL (not SQLite)
• ENFORCE_HTTPS=true is set
• AUTH_ENABLED=true is set
• Rate limits are tuned for expected traffic
• Backup cron jobs are installed (python scripts/pg_backup.py cron)
• WAL archiving is configured for PITR (python scripts/pg_backup.py pitr)
• Dependency audit runs in CI (python scripts/audit_deps.py --ci)
• Log aggregation is configured to capture CRITICAL events