Security

Cropr implements multiple layers of security to protect user data, assets, and platform integrity.

Authentication

Google OAuth 2.0

  • Primary authentication method using Google sign-in
  • ID tokens verified using google-auth-library
  • Secure session creation upon successful verification

JWT Tokens

  • JSON Web Tokens issued upon authentication
  • Payload includes session ID, user ID, and email
  • Tokens validated on every API request via Passport.js middleware
  • Bearer token scheme for API authorization

Session Management

  • Each session tracks user agent and IP address
  • Prevents unauthorized device access
  • Sessions can be invalidated server-side
  • Unique session IDs generated with randomUUID
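The three mechanisms above fit together as follows. This is an added illustration rather than Cropr's own code: an HS256 JWT whose payload carries the session ID, user ID and email, backed by a server-side session table that records user agent and IP and can be revoked. Function and field names are assumptions.

```typescript
import { createHmac, randomUUID, timingSafeEqual } from "node:crypto";

// Added illustration (not Cropr's code). Names below are assumptions.

type SessionRecord = { userId: string; userAgent: string; ip: string; revoked: boolean };
type Claims = { sid: string; sub: string; email: string; iat: number; exp: number };
type RequestContext = { userAgent: string; ip: string };

const sessions = new Map<string, SessionRecord>();

function createSession(userId: string, ctx: RequestContext): string {
  const sid = randomUUID(); // cryptographically random session ID
  sessions.set(sid, { userId, userAgent: ctx.userAgent, ip: ctx.ip, revoked: false });
  return sid;
}

function revokeSession(sid: string): void {
  const s = sessions.get(sid);
  if (s) s.revoked = true; // takes effect on the next request, whatever the token's exp says
}

function b64url(s: string): string {
  return Buffer.from(s, "utf8").toString("base64url");
}

function issueToken(
  secret: string,
  claims: { sid: string; sub: string; email: string },
  ttlSeconds: number,
  now: number,
): string {
  const header = b64url(JSON.stringify({ alg: "HS256", typ: "JWT" }));
  const payload = b64url(JSON.stringify({ ...claims, iat: now, exp: now + ttlSeconds }));
  const sig = createHmac("sha256", secret).update(`${header}.${payload}`).digest("base64url");
  return `${header}.${payload}.${sig}`;
}

// Returns the claims when the token is authentic, unexpired and bound to a live
// session from the same user agent and IP; otherwise null.
function verifyToken(secret: string, token: string, ctx: RequestContext, now: number): Claims | null {
  const parts = token.split(".");
  const header = parts[0], payload = parts[1], sig = parts[2];
  if (parts.length !== 3 || !header || !payload || !sig) return null;

  // Pin the algorithm: never let the token's own header choose how it is verified.
  let hdr: { alg?: unknown };
  try { hdr = JSON.parse(Buffer.from(header, "base64url").toString("utf8")); } catch { return null; }
  if (hdr.alg !== "HS256") return null;

  const expected = createHmac("sha256", secret).update(`${header}.${payload}`).digest();
  const given = Buffer.from(sig, "base64url");
  if (given.length !== expected.length || !timingSafeEqual(given, expected)) return null;

  let claims: Claims;
  try { claims = JSON.parse(Buffer.from(payload, "base64url").toString("utf8")); } catch { return null; }
  if (typeof claims.exp !== "number" || claims.exp <= now) return null;

  // The session table is the source of truth: a revoked or mismatched session
  // fails even when the signature and expiry are fine.
  const session = sessions.get(claims.sid);
  if (!session || session.revoked || session.userId !== claims.sub) return null;
  if (session.userAgent !== ctx.userAgent || session.ip !== ctx.ip) return null;
  return claims;
}
```

Passing `now` explicitly keeps the expiry logic testable; in a request handler it would be `Math.floor(Date.now() / 1000)`. The signature check runs before the payload is parsed so that unauthenticated input is never interpreted.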

API Security

Rate Limiting

  • 100 requests per 60 seconds per client
  • Powered by NestJS Throttler
  • Prevents abuse and denial-of-service attacks
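The policy above (100 requests per 60 seconds per client) as a fixed-window limiter, added here as an illustration; it is not NestJS Throttler's implementation. It also shows the part that decides what "per client" means, since honouring X-Forwarded-For from an untrusted source lets a caller pick its own bucket.

```typescript
// Added illustration (not NestJS Throttler's code).

type WindowState = { startMs: number; count: number };
type Decision = { allowed: boolean; remaining: number; retryAfterMs: number };

class FixedWindowLimiter {
  private readonly windows = new Map<string, WindowState>();
  private readonly limit: number;
  private readonly ttlMs: number;

  constructor(limit = 100, ttlMs = 60_000) {
    this.limit = limit;
    this.ttlMs = ttlMs;
  }

  // nowMs is passed in so the policy is testable without real time.
  check(clientKey: string, nowMs: number): Decision {
    let w = this.windows.get(clientKey);
    if (!w || nowMs - w.startMs >= this.ttlMs) {
      w = { startMs: nowMs, count: 0 }; // new window for this client
      this.windows.set(clientKey, w);
    }
    if (w.count >= this.limit) {
      // Reject without counting; surface Retry-After so well-behaved clients back off.
      return { allowed: false, remaining: 0, retryAfterMs: w.startMs + this.ttlMs - nowMs };
    }
    w.count += 1;
    return { allowed: true, remaining: this.limit - w.count, retryAfterMs: 0 };
  }
}

// Which address counts as "the client". X-Forwarded-For is caller-controlled
// unless a proxy you operate overwrites it, so it is honoured only when trustProxy is set.
function clientKey(remoteAddr: string, xForwardedFor: string | undefined, trustProxy: boolean): string {
  if (trustProxy && xForwardedFor) {
    const first = xForwardedFor.split(",")[0];
    if (first && first.trim()) return first.trim();
  }
  return remoteAddr;
}
```

A fixed window allows up to twice the limit across a window boundary; a sliding window or token bucket tightens that, at the cost of more state per client.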

HTTP Security Headers

Cropr uses Helmet to set secure HTTP headers:

  • X-Content-Type-Options: nosniff
  • X-Frame-Options: DENY (anti-clickjacking)
  • X-XSS-Protection: 1; mode=block (legacy header; current browsers ignore it and rely on CSP instead)
  • Strict-Transport-Security (HSTS)
  • Content-Security-Policy (CSP)

CORS

  • Configurable allowed origins
  • Only whitelisted frontend domains can access the API
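An origin allowlist check of the kind a CORS layer applies, added as an illustration (not Cropr's configuration). The point it makes is that the comparison must be an exact match on the normalised origin; prefix or substring tests accept look-alike domains. The environment variable name is an assumption.

```typescript
// Added illustration (not Cropr's configuration). CORS_ORIGINS is an assumed variable name,
// e.g. CORS_ORIGINS="https://app.example.com,https://admin.example.com".

function parseAllowedOrigins(envValue: string | undefined): Set<string> {
  const allowed = new Set<string>();
  for (const raw of (envValue ?? "").split(",")) {
    const entry = raw.trim();
    if (!entry) continue;
    try {
      allowed.add(new URL(entry).origin); // normalises scheme/host/port and drops any path
    } catch {
      // malformed entry: skip it rather than silently widen the allowlist
    }
  }
  return allowed;
}

function isAllowedOrigin(origin: string | undefined, allowed: Set<string>): boolean {
  // No Origin header (same-origin or non-browser client) and the opaque "null" origin
  // (sandboxed iframes, file://) never match the allowlist.
  if (!origin || origin === "null") return false;
  let normalised: string;
  try {
    normalised = new URL(origin).origin;
  } catch {
    return false;
  }
  // Exact match on the full origin. A startsWith/includes test would accept
  // https://app.example.com.attacker.net for https://app.example.com.
  return allowed.has(normalised);
}
```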

Request Tracking

  • Every request gets a unique X-Request-ID header
  • Used for distributed tracing and debugging

Data Security

Password Hashing

  • Admin passwords hashed with bcrypt
  • Salted hashes prevent rainbow table attacks

Two-Factor Authentication (2FA)

  • Admin accounts support TOTP-based 2FA
  • Powered by otplib
  • QR codes generated for authenticator app setup
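What the TOTP flow above computes, as an added illustration: a hand-rolled RFC 6238 implementation (HMAC-SHA1, 30-second step, 6 digits) together with the otpauth:// URI that gets rendered into the setup QR code. This is not otplib's code; the issuer and account label are assumptions. The test uses the RFC 6238 reference secret so the codes can be checked against the published vectors.

```typescript
import { createHmac, timingSafeEqual } from "node:crypto";

// Added illustration (not otplib's code): RFC 6238 TOTP plus the provisioning URI.

const STEP_SECONDS = 30;
const DIGITS = 6;

function hotp(secret: Buffer, counter: number): string {
  // 8-byte big-endian counter, written as two 32-bit halves to stay within safe integers.
  const msg = Buffer.alloc(8);
  msg.writeUInt32BE(Math.floor(counter / 0x100000000), 0);
  msg.writeUInt32BE(counter % 0x100000000, 4);
  const mac = createHmac("sha1", secret).update(msg).digest();
  const offset = mac[mac.length - 1]! & 0x0f; // dynamic truncation (RFC 4226)
  const bin =
    ((mac[offset]! & 0x7f) << 24) |
    (mac[offset + 1]! << 16) |
    (mac[offset + 2]! << 8) |
    mac[offset + 3]!;
  return String(bin % 10 ** DIGITS).padStart(DIGITS, "0");
}

function totp(secret: Buffer, unixSeconds: number): string {
  return hotp(secret, Math.floor(unixSeconds / STEP_SECONDS));
}

// Accept the current step and one step either side to absorb clock drift; compare in
// constant time and without early exit so a wrong guess leaks nothing about the match.
function verifyTotp(secret: Buffer, code: string, unixSeconds: number, window = 1): boolean {
  if (!/^[0-9]{6}$/.test(code)) return false;
  const counter = Math.floor(unixSeconds / STEP_SECONDS);
  let ok = false;
  for (let i = -window; i <= window; i++) {
    if (counter + i < 0) continue;
    const expected = hotp(secret, counter + i);
    if (timingSafeEqual(Buffer.from(expected), Buffer.from(code))) ok = true;
  }
  return ok;
}

// RFC 4648 base32 without padding, the encoding authenticator apps expect in the URI.
const BASE32 = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567";
function base32Encode(buf: Buffer): string {
  let bits = 0, value = 0, out = "";
  for (let i = 0; i < buf.length; i++) {
    value = ((value << 8) | buf[i]!) & 0xffff; // never more than 12 valid bits pending
    bits += 8;
    while (bits >= 5) {
      bits -= 5;
      out += BASE32.charAt((value >>> bits) & 31);
    }
  }
  if (bits > 0) out += BASE32.charAt((value << (5 - bits)) & 31);
  return out;
}

// The string encoded into the setup QR code. Issuer/account label are assumptions.
function provisioningUri(issuer: string, account: string, secret: Buffer): string {
  const label = encodeURIComponent(`${issuer}:${account}`);
  return `otpauth://totp/${label}?secret=${base32Encode(secret)}` +
    `&issuer=${encodeURIComponent(issuer)}&algorithm=SHA1&digits=${DIGITS}&period=${STEP_SECONDS}`;
}
```

The secret must be generated with a CSPRNG (for example `randomBytes(20)`), stored per admin, and shown only once at enrolment; the server should also record the last accepted counter so a code cannot be replayed within its window.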

Input Validation

  • All API inputs validated using class-validator decorators
  • DTO (Data Transfer Object) pattern enforces type safety
  • Environment variables validated with Joi schemas
  • Suspicious key patterns detected and blocked (__proto__, constructor, etc.)

Frontend Security

Content Security Policy

CSP headers restrict resource loading to trusted sources only, preventing:

  • Cross-site scripting (XSS)
  • Data injection attacks
  • Unauthorized resource loading

Anti-Clickjacking

  • X-Frame-Options prevents embedding in iframes
  • Protects against UI redirection attacks

Sensitive Input Protection

Password and API key fields are protected against:

  • Paste operations
  • Copy operations
  • Context menu access

Token Validation

  • JWT tokens validated for proper format before use
  • Expired tokens trigger re-authentication

Smart Contract Security

Transaction Safety

  • All transaction parameters validated before submission
  • Gas limits estimated with safety multipliers (1.2x)
  • Slippage protection on all swap operations
  • Approval amounts checked before execution
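The four checks above, worked through as one pre-submission routine. This is an added illustration and not Cropr's code; it uses `bigint` so that wei amounts are never rounded through floating point, applies the page's 1.2x gas multiplier and a basis-point slippage floor, and reports whether an approval is needed. Field names and the 50% slippage cap are assumptions.

```typescript
// Added illustration (not Cropr's code). Field names and MAX_SLIPPAGE_BPS are assumptions.

type SwapRequest = {
  tokenIn: string;
  tokenOut: string;
  recipient: string;
  amountIn: bigint;          // wei
  expectedAmountOut: bigint; // wei, from the quote
  slippageBps: number;       // basis points, e.g. 50 = 0.5%
  allowance: bigint;         // current ERC-20 allowance granted to the router
  gasEstimate: bigint;       // from eth_estimateGas
  deadline: number;          // unix seconds
  nowSeconds: number;
};

type PreparedSwap = { gasLimit: bigint; minAmountOut: bigint; needsApproval: boolean };

const ADDRESS_RE = /^0x[0-9a-fA-F]{40}$/;
const MAX_SLIPPAGE_BPS = 5000; // assumed cap: refuse anything looser than 50%

function prepareSwap(req: SwapRequest): PreparedSwap {
  const addrs: Array<[string, string]> = [
    ["tokenIn", req.tokenIn],
    ["tokenOut", req.tokenOut],
    ["recipient", req.recipient],
  ];
  for (const [name, addr] of addrs) {
    if (!ADDRESS_RE.test(addr)) throw new Error(`${name}: not a 20-byte hex address`);
  }
  if (req.tokenIn.toLowerCase() === req.tokenOut.toLowerCase()) throw new Error("tokenIn and tokenOut must differ");
  if (req.amountIn <= 0n) throw new Error("amountIn must be positive");
  if (req.expectedAmountOut <= 0n) throw new Error("quote returned no output");
  if (!Number.isInteger(req.slippageBps) || req.slippageBps < 0 || req.slippageBps > MAX_SLIPPAGE_BPS) {
    throw new Error("slippageBps out of range");
  }
  if (req.deadline <= req.nowSeconds) throw new Error("deadline already passed");
  if (req.gasEstimate <= 0n) throw new Error("gas estimate unavailable");

  // 1.2x safety multiplier, rounded up so the limit is never below the estimate.
  const gasLimit = (req.gasEstimate * 12n + 9n) / 10n;
  // Slippage floor: the router call reverts if it cannot deliver at least this much.
  const minAmountOut = (req.expectedAmountOut * BigInt(10_000 - req.slippageBps)) / 10_000n;
  // Approve only when the existing allowance is short, and approve amountIn rather than unlimited.
  const needsApproval = req.allowance < req.amountIn;
  return { gasLimit, minAmountOut, needsApproval };
}
```

Because the wallet signs whatever the frontend proposes, these checks run in the client before the signing prompt appears; they are the last point at which a bad parameter is caught without costing gas.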

Non-Custodial Design

  • Cropr never holds user private keys
  • All transactions signed by the user's wallet
  • Smart contract interactions are direct (no proxy)

Infrastructure Security

HTTPS/SSL

  • All communications encrypted via TLS
  • SSL certificates managed for production deployments

Logging

  • Winston-based structured logging
  • Daily log rotation for audit trails
  • Error tracking with stack traces

Database Security

  • PostgreSQL with parameterized queries (Prisma)
  • No raw SQL — prevents SQL injection
  • Environment-based database credentials