Security
How the 747 platform protects your accounts, transactions, and data.
Authentication
Password Hashing
All user passwords are hashed with bcrypt before storage. Plaintext passwords are never stored or logged.
Session Management
Sessions are stored in Redis with a 24-hour TTL. Sessions are invalidated on logout and automatically expire after the TTL window.
Role-Based Access Control
The platform enforces three access roles. Each role has distinct permissions and can only access endpoints authorized for that role.
| Role | Access Level |
|---|---|
| superadmin | Full platform administration, tenant management, system configuration |
| owner | Tenant-scoped management: agents, loaders, payments, NexusPay settings |
| loader | Transaction processing: approve/reject requests, shift management |
Rate Limiting
All sensitive endpoints are protected by rate limits to prevent brute-force attacks, abuse, and denial-of-service attempts.
| Endpoint | Limit | Window |
|---|---|---|
| Login (per IP) | 10 requests | 1 minute |
| Login (per account) | 5 requests | 15 minutes |
| Registration (per IP) | 3 requests | 1 hour |
| Request creation (per IP) | 5 requests | 1 minute |
| Request creation (per IP, sustained) | 30 requests | 1 hour |
| Request creation (per agent) | 60 requests | 1 hour |
| Payment creation (per IP) | 10 requests | 1 minute |
| Payment attempts (per request) | 3 attempts | 10 minutes |
Payment Security
Gateway Verification
Every payment is verified directly with the payment gateway before any chip transfer is executed. The system never relies on client-side confirmation alone.
Atomic Claims
Chip transfers use atomic SQL claims to prevent double-processing. A payment can only be claimed once, even under concurrent access.
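The claim pattern described above, as an added example that is not the platform's own code: a single conditional UPDATE decides the winner, and the affected-row count tells each caller whether it may proceed. The `payments` table, its columns, the status values, and the SQLite backend are assumptions made for illustration.

```python
import os
import sqlite3
import tempfile
import threading

# Hypothetical schema: table and column names are assumptions, not the platform's.
SCHEMA = """
CREATE TABLE payments (
    id INTEGER PRIMARY KEY,
    status TEXT NOT NULL DEFAULT 'verified',   -- verified -> claimed
    claimed_by TEXT
)
"""

def claim_payment(conn, payment_id, worker):
    """Claim a payment; True only for the single caller whose UPDATE matched.

    The status check and the state change are one statement, so there is no
    window between "is it unclaimed?" and "mark it claimed".
    """
    with conn:  # commits on success, rolls back on exception
        cur = conn.execute(
            "UPDATE payments SET status = 'claimed', claimed_by = ? "
            "WHERE id = ? AND status = 'verified'",
            (worker, payment_id),
        )
    return cur.rowcount == 1  # 0 rows: already claimed or unknown id

def race_claims(workers=8, payment_id=1):
    """Constructed scenario: N workers try to claim the same payment at once."""
    path = os.path.join(tempfile.mkdtemp(), "claims.db")
    setup = sqlite3.connect(path)
    with setup:
        setup.execute(SCHEMA)
        setup.execute("INSERT INTO payments (id) VALUES (?)", (payment_id,))
    barrier = threading.Barrier(workers)
    winners = []

    def run(name):
        conn = sqlite3.connect(path, timeout=30)  # one connection per worker
        barrier.wait()                            # release all workers together
        if claim_payment(conn, payment_id, name):
            winners.append(name)                  # only the winner may transfer chips
        conn.close()

    threads = [threading.Thread(target=run, args=(f"worker-{i}",)) for i in range(workers)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    row = setup.execute(
        "SELECT status, claimed_by FROM payments WHERE id = ?", (payment_id,)
    ).fetchone()
    setup.close()
    return winners, row
```

A caller that gets `False` must skip the transfer rather than retry the claim; a separate read of the status followed by an UPDATE would reopen the race this statement closes.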
SSRF Protection
Callback URLs provided by merchants are validated to prevent server-side request forgery. Private and internal network addresses are blocked.
Webhook Signatures
All outbound webhook payloads are signed with HMAC-SHA256 using the merchant's secret key, allowing recipients to verify authenticity.
Encryption
Bridge Password Encryption
Agent bridge passwords (used for panel automation) are encrypted at rest using AES-256-CBC with a server-side encryption key. Passwords are only decrypted in memory at the moment of use.
Username Uniqueness
Bridge usernames are enforced with a UNIQUE constraint at the database level, preventing duplicate agent connections and ensuring data integrity.
Signed Webhooks
All outbound webhooks are signed with HMAC-SHA256. The signature is included in the X-NexusPay-Signature header. See the Merchant API webhook section for verification code.
VAPT Summary
Vulnerability Assessment and Penetration Testing (VAPT) findings for the 747 platform. The following areas have been reviewed and hardened.
SQL Injection
All SQL queries use parameterized statements. No string concatenation is used in query construction. Verified across all database access layers.
Cross-Site Scripting (XSS)
React's built-in auto-escaping prevents XSS in all rendered content. No use of dangerouslySetInnerHTML with user-supplied data.
Command Injection
No shell execution of user-supplied input. All external process interactions use safe APIs with argument arrays, not shell strings.
File Upload Security
All file uploads are validated for MIME type and file size. Filenames are server-generated (UUIDs) to prevent path traversal and overwrite attacks.
Questions about security? Contact us at innovatehubph@gmail.com. See also: Merchant API | NexusPay