Security & Compliance
Authentication
InCompass uses server-side session authentication. All API endpoints that modify data require an authenticated session. Passwords are hashed with bcrypt before storage.
Data Storage
Session data is stored as JSON files on the server filesystem under the database/ directory. Each session is isolated in its own directory. No external database is required.
Transport Security
- In production, all traffic is served over HTTPS via Nginx reverse proxy.
- Security headers (CSP, X-Frame-Options, HSTS) are set on all responses.
- CORS is disabled by default — the API only serves same-origin requests.
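The three headers listed above, plus the same-origin CORS expectation, are easy to verify from outside the application. The following checker is an added example, not InCompass code: it takes a response's headers as a dict (as an HTTP client would return them) and reports which of the transport-section expectations are not met. The one-year HSTS minimum and the sample header sets are assumptions constructed for the example.

```python
import re

# Assumed policy threshold for this check (one year); not a value stated by the InCompass docs.
MIN_HSTS_MAX_AGE = 31536000


def _parse_csp(policy):
    """Split a Content-Security-Policy value into {directive: [sources]}."""
    directives = {}
    for clause in policy.split(";"):
        tokens = clause.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def check_security_headers(headers):
    """Return a list of findings for one response's headers; empty means it passes.

    Header names are matched case-insensitively, because proxies and clients
    may rewrite their case. The checks cover the three headers named in the
    transport section plus the CORS expectation (same-origin only).
    """
    h = {name.lower(): value for name, value in headers.items()}
    findings = []

    csp = h.get("content-security-policy")
    if csp is None:
        findings.append("missing Content-Security-Policy")
    else:
        directives = _parse_csp(csp)
        if "default-src" not in directives:
            findings.append("CSP has no default-src fallback")
        # script-src falls back to default-src when it is absent.
        script_src = directives.get("script-src", directives.get("default-src", []))
        if "'unsafe-inline'" in script_src:
            findings.append("CSP allows inline scripts ('unsafe-inline' in script-src)")

    xfo = h.get("x-frame-options")
    if xfo is None:
        findings.append("missing X-Frame-Options")
    elif xfo.strip().upper() not in ("DENY", "SAMEORIGIN"):
        findings.append(f"X-Frame-Options has unsupported value {xfo!r}")

    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("missing Strict-Transport-Security")
    else:
        match = re.search(r"max-age=(\d+)", hsts)
        if match is None or int(match.group(1)) < MIN_HSTS_MAX_AGE:
            findings.append(f"HSTS max-age below {MIN_HSTS_MAX_AGE} seconds")

    # CORS is disabled by default: a wildcard origin would contradict that.
    if h.get("access-control-allow-origin", "").strip() == "*":
        findings.append("Access-Control-Allow-Origin is '*' (CORS should be same-origin only)")

    return findings


# Constructed sample header sets for the check above (not captured from a real deployment).
GOOD_RESPONSE_HEADERS = {
    "Content-Security-Policy": "default-src 'self'; script-src 'self'; frame-ancestors 'none'",
    "X-Frame-Options": "DENY",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
}

WEAK_RESPONSE_HEADERS = {
    "content-security-policy": "script-src 'self' 'unsafe-inline'",
    "x-frame-options": "ALLOWALL",
    "strict-transport-security": "max-age=300",
    "access-control-allow-origin": "*",
}

if __name__ == "__main__":
    for label, hdrs in (("good", GOOD_RESPONSE_HEADERS), ("weak", WEAK_RESPONSE_HEADERS)):
        print(label, check_security_headers(hdrs) or "OK")
```

In a deployment check, feed `check_security_headers` the headers of several distinct responses (a page, an API call, an error response), since "set on all responses" is only true if the reverse proxy adds them to error pages and redirects as well.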
Audit Logging
All session modifications and authentication events are logged to an NDJSON audit trail. Audit events include: login/logout, session create/delete, stage save/submit, and admin actions.
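An NDJSON trail is one JSON object per line, appended as events happen, which keeps writes atomic per record and lets a reader recover up to the first corrupt line. The following is an added example, not the InCompass logger: it writes records in that shape, parses them back, and runs one detection over them (actors with repeated failed logins). The event names, field names and the sample trail are assumptions constructed for the example; the docs list the event categories but not the literal strings the application writes.

```python
import json
from collections import Counter

# Event names are assumed for this example; the docs list the categories
# (login/logout, session create/delete, stage save/submit, admin actions)
# but not the literal strings InCompass writes.
AUDIT_EVENTS = {
    "login", "logout", "session_create", "session_delete",
    "stage_save", "stage_submit", "admin_action",
}


def audit_line(ts, event, actor, outcome="success", **details):
    """Serialize one audit record as a single NDJSON line (no trailing newline).

    json.dumps never emits a raw newline inside its output, so each record
    stays on exactly one line and the file can be appended to and read back
    line by line.
    """
    if event not in AUDIT_EVENTS:
        raise ValueError(f"unknown audit event {event!r}")
    record = {"ts": ts, "event": event, "actor": actor, "outcome": outcome, "details": details}
    return json.dumps(record, separators=(",", ":"), sort_keys=True)


def parse_audit(text):
    """Parse NDJSON text into a list of records, naming the line of any corruption."""
    records = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            continue  # tolerate blank lines, e.g. from a partial final write
        try:
            records.append(json.loads(line))
        except json.JSONDecodeError as exc:
            raise ValueError(f"audit line {lineno} is not valid JSON: {exc}") from None
    return records


def event_counts(records):
    """Count records per event type, e.g. for a daily audit summary."""
    return dict(Counter(r["event"] for r in records))


def repeated_login_failures(records, threshold):
    """Return actors with at least `threshold` failed logins, sorted by name.

    This is the kind of detection the audit trail supports alongside the
    rate limiting on the authentication endpoints.
    """
    failures = Counter(
        r["actor"] for r in records
        if r["event"] == "login" and r["outcome"] == "failure"
    )
    return sorted(actor for actor, n in failures.items() if n >= threshold)


# Constructed sample trail (timestamps, names and addresses invented for the example).
SAMPLE_AUDIT = "\n".join([
    audit_line("2024-05-01T08:00:00Z", "login", "alice"),
    audit_line("2024-05-01T08:01:10Z", "session_create", "alice", session="s-101"),
    audit_line("2024-05-01T08:05:00Z", "stage_save", "alice", session="s-101", stage=1),
    audit_line("2024-05-01T08:20:00Z", "login", "mallory", outcome="failure", ip="203.0.113.7"),
    audit_line("2024-05-01T08:20:03Z", "login", "mallory", outcome="failure", ip="203.0.113.7"),
    audit_line("2024-05-01T08:20:06Z", "login", "mallory", outcome="failure", ip="203.0.113.7"),
    audit_line("2024-05-01T08:30:00Z", "login", "bob", outcome="failure"),
    audit_line("2024-05-01T08:30:20Z", "login", "bob"),
    audit_line("2024-05-01T09:00:00Z", "admin_action", "root", action="delete_session", session="s-077"),
    audit_line("2024-05-01T09:10:00Z", "logout", "alice"),
]) + "\n"

if __name__ == "__main__":
    records = parse_audit(SAMPLE_AUDIT)
    print(event_counts(records))
    print("repeated login failures:", repeated_login_failures(records, threshold=3))
```

Note that `parse_audit` stops at the first bad line rather than skipping it: a skipped line in an audit trail is a gap nobody notices, whereas an error gets investigated.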
OWASP Compliance
- Input validation and sanitization on all user-supplied data.
- Rate limiting on authentication endpoints.
- No SQL injection surface — all storage is file-based JSON.
- XSS protection via Content-Security-Policy headers and output encoding.
- Path traversal prevention in artifact filename handling.
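Because storage is file-based (each session in its own directory under database/, as the Data Storage section says), the two request-controlled path components are the session id and the artifact filename, and the last bullet above is about keeping both inside their directory. The following is an added example of that check, not InCompass's own handler: an allow-list on each component, then a structural check that the resolved path really sits directly inside the session directory. The character sets, the `/srv/incompass/database` base path and the sample requests are assumptions constructed for the example.

```python
import os
import re

# Allowed shapes for the two user-influenced path components (assumed policy;
# the docs say traversal is prevented but not which character set is accepted).
SESSION_ID_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9_-]{0,63}")
ARTIFACT_NAME_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,127}")


class UnsafePathError(ValueError):
    """Raised when a session id or artifact name would escape its directory."""


def safe_artifact_path(base_dir, session_id, filename):
    """Return the absolute path of an artifact inside base_dir/<session_id>/.

    Two layers: an allow-list on each component (no separators, no leading
    dot, no NUL, so '..' and '../x' never pass), then a structural check that
    the resolved path is directly inside the session directory. The second
    layer is defence in depth in case the allow-list is ever loosened.
    """
    if not SESSION_ID_RE.fullmatch(session_id):
        raise UnsafePathError(f"invalid session id {session_id!r}")
    if not ARTIFACT_NAME_RE.fullmatch(filename):
        raise UnsafePathError(f"invalid artifact name {filename!r}")

    base = os.path.abspath(base_dir)
    session_dir = os.path.join(base, session_id)
    candidate = os.path.abspath(os.path.join(session_dir, filename))

    # Sessions are isolated: the artifact must live directly in its session directory.
    if os.path.dirname(candidate) != session_dir or os.path.commonpath([base, candidate]) != base:
        raise UnsafePathError(f"path {candidate!r} escapes the session directory")
    return candidate


def artifact_request_problem(base_dir, session_id, filename):
    """Return the rejection reason as a string, or None when the request is safe."""
    try:
        safe_artifact_path(base_dir, session_id, filename)
    except UnsafePathError as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    base = "/srv/incompass/database"  # assumed deployment path for the database/ directory
    for sid, name in [("sess-101", "report.pdf"), ("../admin", "report.pdf"),
                      ("sess-101", "../../etc/passwd"), ("sess-101", ".env")]:
        print(sid, name, "->", artifact_request_problem(base, sid, name) or "OK")
```

The allow-list rejects a leading dot on purpose: it blocks `.` and `..` without special-casing them and also keeps hidden files (such as a `.env` dropped into a session directory) out of the artifact namespace. Rejected requests should be written to the audit trail, since a traversal attempt against an authenticated endpoint is worth seeing.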