Security Configuration Reference

Quick reference for security-critical configuration settings in IDPFlare.

wrangler.toml Security Settings

# Recommended for SOC 2 / ISO 27001 compliance

[vars]
# --- Authentication (SOC 2 CC3.1.2) ---
PASSWORD_MIN_LENGTH = "12"                    # Min 12, recommend 14+
REQUIRE_EMAIL_VERIFICATION = "true"           # Required for enterprise
MFA_MODE = "required"                         # Required for SOC 2

# --- Session Management (SOC 2 CC3.1.2) ---
SESSION_DURATION_SECONDS = "28800"             # 8 hours (max working day)
REFRESH_TOKEN_DURATION_SECONDS = "604800"       # 7 days (max recommended)
ACCESS_TOKEN_DURATION_SECONDS = "3600"          # 1 hour (industry standard)
AUTH_CODE_DURATION_SECONDS = "600"             # 10 minutes (OAuth standard)

# --- Rate Limiting (SOC 2 CC3.1.2f) ---
RATE_LIMIT_LOGIN_ATTEMPTS = "5"                # Lock after 5 attempts
RATE_LIMIT_WINDOW_SECONDS = "900"              # 15 minute window

# --- Registration Control (ISO 8.2) ---
ALLOW_REGISTRATION = "false"                  # Closed registration
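Added example, not IDPFlare code: a TypeScript check that reads the [vars] values above (which arrive as strings, as Workers bindings always do) and reports every setting weaker than the recommended thresholds, with a weak configuration beside the recommended one. The function and type names are invented for the example; the var names and thresholds are exactly those listed above.

```typescript
// Added example (not IDPFlare code): check the [vars] block of wrangler.toml
// against the thresholds recommended in the reference. Every var is a string
// in Workers bindings, so each value is parsed explicitly instead of coerced.

type Vars = Record<string, string | undefined>;

export interface Finding {
  key: string;
  value: string | undefined;
  problem: string;
  recommended: string;
}

// Parse a positive integer var; undefined means "unset or not a valid integer".
function intVar(vars: Vars, key: string): number | undefined {
  const raw = vars[key];
  if (raw === undefined) return undefined;
  if (!/^\d+$/.test(raw.trim())) return undefined;   // rejects "", "1.5", "-1", "abc"
  const n = Number(raw);
  return n > 0 ? n : undefined;
}

export function validateSecurityVars(vars: Vars): Finding[] {
  const findings: Finding[] = [];
  const fail = (key: string, problem: string, recommended: string): void => {
    findings.push({ key, value: vars[key], problem, recommended });
  };

  // Integer settings: [key, predicate on the parsed value, problem text, recommended value]
  const intRules: Array<[string, (n: number) => boolean, string, string]> = [
    ['PASSWORD_MIN_LENGTH',            n => n >= 12,     'below 12 characters',         '"12" (recommend 14+)'],
    ['SESSION_DURATION_SECONDS',       n => n <= 28800,  'longer than 8 hours',         '"28800"'],
    ['REFRESH_TOKEN_DURATION_SECONDS', n => n <= 604800, 'longer than 7 days',          '"604800"'],
    ['ACCESS_TOKEN_DURATION_SECONDS',  n => n <= 3600,   'longer than 1 hour',          '"3600"'],
    ['AUTH_CODE_DURATION_SECONDS',     n => n <= 600,    'longer than 10 minutes',      '"600"'],
    ['RATE_LIMIT_LOGIN_ATTEMPTS',      n => n <= 5,      'allows more than 5 attempts', '"5"'],
    ['RATE_LIMIT_WINDOW_SECONDS',      n => n >= 900,    'shorter than 15 minutes',     '"900"'],
  ];
  for (const [key, ok, problem, recommended] of intRules) {
    const n = intVar(vars, key);
    if (n === undefined) fail(key, 'unset or not a positive integer', recommended);
    else if (!ok(n)) fail(key, problem, recommended);
  }

  // Exact-match settings
  if (vars.REQUIRE_EMAIL_VERIFICATION !== 'true')
    fail('REQUIRE_EMAIL_VERIFICATION', 'email verification not enforced', '"true"');
  if (vars.MFA_MODE !== 'required')
    fail('MFA_MODE', 'MFA is not mandatory for all users', '"required"');
  if (vars.ALLOW_REGISTRATION !== 'false')
    fail('ALLOW_REGISTRATION', 'public self-registration is open', '"false" for enterprise deployments');

  return findings;
}

// Constructed samples: a weak configuration and the recommended one.
export const WEAK_VARS: Vars = {
  PASSWORD_MIN_LENGTH: '8',
  REQUIRE_EMAIL_VERIFICATION: 'false',
  MFA_MODE: 'optional',
  SESSION_DURATION_SECONDS: '604800',    // a week-long session
  REFRESH_TOKEN_DURATION_SECONDS: 'abc', // typo: not a number at all
  ACCESS_TOKEN_DURATION_SECONDS: '3600',
  AUTH_CODE_DURATION_SECONDS: '600',
  RATE_LIMIT_LOGIN_ATTEMPTS: '100',
  // RATE_LIMIT_WINDOW_SECONDS missing entirely
  ALLOW_REGISTRATION: 'true',
};

export const RECOMMENDED_VARS: Vars = {
  PASSWORD_MIN_LENGTH: '12',
  REQUIRE_EMAIL_VERIFICATION: 'true',
  MFA_MODE: 'required',
  SESSION_DURATION_SECONDS: '28800',
  REFRESH_TOKEN_DURATION_SECONDS: '604800',
  ACCESS_TOKEN_DURATION_SECONDS: '3600',
  AUTH_CODE_DURATION_SECONDS: '600',
  RATE_LIMIT_LOGIN_ATTEMPTS: '5',
  RATE_LIMIT_WINDOW_SECONDS: '900',
  ALLOW_REGISTRATION: 'false',
};

for (const f of validateSecurityVars(WEAK_VARS)) {
  console.log(`${f.key}=${f.value ?? '<unset>'}: ${f.problem}; set to ${f.recommended}`);
}
```

Run it against the `[vars]` block before each deploy; a non-numeric or missing value is reported as a finding rather than silently passing, which is the failure mode string-typed bindings invite.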

Secret Keys (wrangler secret put)

# Required secrets
JWT_PRIVATE_KEY     # RSA 2048+ bit private key
JWT_PUBLIC_KEY      # Matching public key
ENCRYPTION_KEY       # 32-byte (256-bit) key, hex-encoded (64 hex chars), for MFA secrets

# Email provider (choose one)
RESEND_API_KEY
MAILGUN_API_KEY      # + MAILGUN_DOMAIN in vars
SENDGRID_API_KEY
POSTMARK_API_KEY
AWS_SES_ACCESS_KEY   # + AWS_SES_SECRET_KEY, AWS_SES_REGION in vars

# Social login (if enabled)
GOOGLE_CLIENT_SECRET
FACEBOOK_APP_SECRET
GITHUB_CLIENT_SECRET
MICROSOFT_CLIENT_SECRET

# SAML (if enabled)
SAML_PRIVATE_KEY
SAML_CERTIFICATE
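Added example, not IDPFlare code: what the ENCRYPTION_KEY requirement means in practice. The code rejects anything that is not exactly 64 hex characters (32 bytes) and uses the key for AES-256-GCM over a TOTP secret before it is stored, so a malformed key fails closed instead of becoming a weak key. It uses Node's node:crypto API; a Worker would use the global WebCrypto crypto.subtle instead. The wire format, the use of the user id as additional authenticated data, the function names and the demo key are assumptions of the example, not IDPFlare's.

```typescript
// Added example (not IDPFlare code): parse ENCRYPTION_KEY as the 32-byte hex
// string the secrets list requires and use it as an AES-256-GCM key to seal a
// TOTP secret before it is written to the database. Node's node:crypto is used;
// a Worker would do the same with the global WebCrypto `crypto.subtle`.
import { createCipheriv, createDecipheriv, randomBytes } from 'node:crypto';

export function parseEncryptionKey(hex: string | undefined): Buffer {
  if (hex === undefined || !/^[0-9a-fA-F]{64}$/.test(hex)) {
    // Fail closed: a short or malformed key must not silently become a weak key.
    throw new Error('ENCRYPTION_KEY must be exactly 32 bytes (64 hex characters)');
  }
  return Buffer.from(hex, 'hex');
}

// Wire format (assumed for this example): base64url(iv).base64url(ciphertext).base64url(tag)
export function sealMfaSecret(key: Buffer, totpSecret: string, userId: string): string {
  const iv = randomBytes(12);                      // fresh 96-bit nonce per encryption
  const cipher = createCipheriv('aes-256-gcm', key, iv);
  cipher.setAAD(Buffer.from(userId));              // bind the ciphertext to its user row
  const ct = Buffer.concat([cipher.update(totpSecret, 'utf8'), cipher.final()]);
  const tag = cipher.getAuthTag();
  return [iv, ct, tag].map(b => b.toString('base64url')).join('.');
}

export function openMfaSecret(key: Buffer, sealed: string, userId: string): string | null {
  const parts = sealed.split('.');
  if (parts.length !== 3) return null;
  const [iv, ct, tag] = parts.map(p => Buffer.from(p, 'base64url'));
  try {
    const decipher = createDecipheriv('aes-256-gcm', key, iv);
    decipher.setAAD(Buffer.from(userId));
    decipher.setAuthTag(tag);
    return Buffer.concat([decipher.update(ct), decipher.final()]).toString('utf8');
  } catch {
    return null;   // wrong key, wrong user, or tampered ciphertext: the GCM tag check fails
  }
}

// Constructed demo key; a real ENCRYPTION_KEY is set with `wrangler secret put`.
export const DEMO_KEY_HEX = '00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff';
```

Because the user id is authenticated data, a sealed secret copied from one user's row into another's fails to open, and any bit flipped in the stored value is rejected rather than decrypted into garbage.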

Database (D1) Critical Tables

Table           Purpose               Security Relevance
users           User accounts         Contains PII, credentials
user_sessions   Active sessions       Session hijacking prevention
audit_log       Security events       SOC 2 CC3.1.6h monitoring
oauth_clients   OAuth applications    Client secret management
api_keys        Management API keys   Administrative access
refresh_tokens  Long-lived tokens     Token revocation

KV Namespace Usage

Namespace   Purpose                  Retention
SESSIONS    User session data        Per session TTL
RATE_LIMIT  Login attempt tracking   Per window TTL

Audit Log Events Reference

Authentication Events

'login_success'        // User successfully logged in
'login_failure'        // Authentication failed
'logout'              // User logged out
'register_success'     // New user created
'register_failure'     // Registration failed

Security Events

'password_reset_request'  // Password reset initiated
'mfa_verify_success'     // MFA code valid
'mfa_verify_failure'     // MFA code invalid
'account_locked'         // Account automatically locked
'rate_limit_exceeded'    // Rate limit triggered

Administrative Events

'admin_user_created'   // Admin created user
'admin_user_deleted'   // Admin deleted user
'admin_password_reset' // Admin reset password
'api_key_created'      // API key generated
'api_key_revoked'      // API key revoked

OAuth Events

'oauth_authorize'     // Authorization requested
'oauth_token_issued'   // Access token granted
'oauth_token_revoked'  // Token revoked

API Key Scopes Reference

// User management
'users:read'      // List and view users
'users:write'     // Create and update users
'users:delete'    // Delete users

// OAuth client management
'clients:read'    // List and view clients
'clients:write'   // Create and update clients
'clients:delete'  // Delete clients

// API key management
'api-keys:read'   // List API keys
'api-keys:write'  // Create API keys
'api-keys:delete' // Delete API keys

// Read-only operations
'audit:read'      // View audit logs
'stats:read'      // View statistics

Common Audit Queries

-- Failed login attempts by IP
SELECT ip_address, COUNT(*) as attempts
FROM audit_log
WHERE event_type = 'login_failure'
  AND created_at > ?  -- timestamp
GROUP BY ip_address
HAVING attempts > 5
ORDER BY attempts DESC;

-- Recent admin actions
SELECT * FROM audit_log
WHERE event_type LIKE 'admin_%'
ORDER BY created_at DESC
LIMIT 50;

-- User authentication history
SELECT event_type, event_status, ip_address,
       datetime(created_at/1000, 'unixepoch') as time
FROM audit_log
WHERE user_id = ?
ORDER BY created_at DESC;

-- Active sessions
SELECT * FROM user_sessions
WHERE is_active = 1 AND expires_at > ?  -- now, epoch ms
ORDER BY last_activity_at DESC;
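Added example, not IDPFlare code: the first query above (failed logins grouped by IP) expressed in TypeScript over constructed audit_log rows, alongside a sliding-window check that matches the RATE_LIMIT_LOGIN_ATTEMPTS / RATE_LIMIT_WINDOW_SECONDS defaults (5 failures within 900 seconds). It goes one step beyond the SQL: a fixed cut-off can split a slow burst across two windows, and the sliding check catches that. The row shape, sample IPs and timestamps are constructed for the example.

```typescript
// Added example (not IDPFlare code): the "failed login attempts by IP" query
// run in TypeScript over constructed audit_log rows, plus the sliding-window
// check implied by RATE_LIMIT_LOGIN_ATTEMPTS=5 / RATE_LIMIT_WINDOW_SECONDS=900.
export interface AuditRow {
  event_type: string;
  user_id: string | null;
  ip_address: string;
  created_at: number;   // epoch milliseconds, as datetime(created_at/1000, 'unixepoch') implies
}

export interface IpCount { ip_address: string; attempts: number; }

// Equivalent of: GROUP BY ip_address HAVING attempts > threshold ORDER BY attempts DESC
export function failedLoginsByIp(rows: AuditRow[], sinceMs: number, threshold = 5): IpCount[] {
  const counts = new Map<string, number>();
  for (const r of rows) {
    if (r.event_type !== 'login_failure' || r.created_at <= sinceMs) continue;
    counts.set(r.ip_address, (counts.get(r.ip_address) ?? 0) + 1);
  }
  return Array.from(counts, ([ip_address, attempts]) => ({ ip_address, attempts }))
    .filter(c => c.attempts > threshold)
    .sort((a, b) => b.attempts - a.attempts);
}

// Sliding window: does any span of `windowMs` hold >= maxAttempts failures from this IP?
// A fixed "since" cut-off can split a slow burst across two windows; this does not.
export function exceedsRateLimit(rows: AuditRow[], ip: string, windowMs = 900_000, maxAttempts = 5): boolean {
  const times = rows
    .filter(r => r.event_type === 'login_failure' && r.ip_address === ip)
    .map(r => r.created_at)
    .sort((a, b) => a - b);
  let start = 0;
  for (let end = 0; end < times.length; end++) {
    while (times[end] - times[start] >= windowMs) start++;   // drop entries older than the window
    if (end - start + 1 >= maxAttempts) return true;
  }
  return false;
}

// Constructed sample log; timestamps are relative to a fixed "now".
export const NOW = 1_700_000_000_000;
const min = (n: number): number => n * 60_000;
export const SAMPLE_LOG: AuditRow[] = [
  // 7 failures in 7 minutes from one address: exceeds both checks
  ...Array.from({ length: 7 }, (_, i) => ({
    event_type: 'login_failure', user_id: null, ip_address: '203.0.113.10', created_at: NOW - min(30) + min(i),
  })),
  // 4 failures spaced 20 minutes apart: never 5 inside a 15-minute window
  ...Array.from({ length: 4 }, (_, i) => ({
    event_type: 'login_failure', user_id: null, ip_address: '198.51.100.7', created_at: NOW - min(60) + min(i * 20),
  })),
  { event_type: 'login_success', user_id: 'u1', ip_address: '192.0.2.5', created_at: NOW - min(5) },
  { event_type: 'login_failure', user_id: null, ip_address: '192.0.2.5', created_at: NOW - min(2) },
  { event_type: 'login_failure', user_id: null, ip_address: '203.0.113.10', created_at: NOW - min(200) },
];

for (const hit of failedLoginsByIp(SAMPLE_LOG, NOW - min(60))) {
  console.log(`${hit.ip_address}: ${hit.attempts} failed logins in the last hour`);
}
```

The grouped query is what you run for reporting; the sliding check is what the rate limiter itself has to enforce, and the two disagree for slow, spaced-out attempts.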

Security Checklists

Pre-Deployment

  • ✔ Generate new RSA key pair for JWT
  • ✔ Generate 32-byte encryption key
  • ✔ Set MFA_MODE to "required"
  • ✔ Configure email provider
  • ✔ Set PASSWORD_MIN_LENGTH to 12+
  • ✔ Disable public registration (if enterprise)
  • ✔ Configure rate limits
  • ✔ Set appropriate token TTLs

Post-Deployment

  • ✔ Create initial admin user
  • ✔ Set up audit log export
  • ✔ Configure monitoring/alerting
  • ✔ Set up database backups
  • ✔ Document backup/restore procedures
  • ✔ Create incident response plan
  • ✔ Document access controls
  • ✔ Schedule quarterly access reviews

Ongoing (Quarterly)

  • ✔ Review admin access
  • ✔ Review API keys
  • ✔ Test backup restoration
  • ✔ Review and update policies
  • ✔ Conduct security training
  • ✔ Review audit logs
  • ✔ Update dependencies

Cryptographic Summary

Purpose              Algorithm       Key Size             Location
JWT Signing          RS256           2048-bit RSA         JWT_PRIVATE_KEY secret
Password Hashing     PBKDF2-SHA256   100,000 iterations   users.password_hash
MFA Secret Storage   AES-GCM         256-bit              ENCRYPTION_KEY secret
Session IDs          Random          -                    crypto.randomUUID()
Authorization Codes  Hashed          -                    SHA-256
Refresh Tokens       Hashed          -                    SHA-256
Random Values        CSPRNG          -                    crypto.getRandomValues()
D1/KV at rest        Platform        256-bit AES-GCM      Cloudflare docs

Compliance Quick Reference

Requirement             IDPFlare Feature           Config
Unique user IDs         users.id                   Automatic
MFA                     TOTP                       MFA_MODE="required"
Session timeout         SESSION_DURATION_SECONDS   8 hours recommended
Failed login tracking   audit_log                  Automatic
Account lockout         RATE_LIMIT_*               5 attempts / 15 min
Audit logging           audit_log table            Automatic
Encryption in transit   HTTPS                      Cloudflare managed
Encryption at rest      Cloudflare D1/KV           Automatic
Data deletion           User deletion              CASCADE in schema

Emergency Response Commands

Note on Token Revocation: Access tokens are stateless JWTs and cannot be directly revoked. They expire based on TTL (default: 1 hour). Use short TTLs for access tokens and revoke refresh tokens to prevent renewal.

# Lock a user account
wrangler d1 execute DB --command="UPDATE users SET is_locked = 1 WHERE email = 'user@example.com'"

# Revoke all user sessions
wrangler d1 execute DB --command="UPDATE user_sessions SET is_active = 0 WHERE user_id = 'user-id'"

# Revoke all refresh tokens for a user
wrangler d1 execute DB --command="UPDATE refresh_tokens SET is_revoked = 1, revoked_at = $(($(date +%s)*1000)) WHERE user_id = 'user-id'"

# View recent failed logins
wrangler d1 execute DB --command="SELECT * FROM audit_log WHERE event_type = 'login_failure' ORDER BY created_at DESC LIMIT 20"

# Export audit logs (last 24 hours)
wrangler d1 execute DB --json --command="SELECT * FROM audit_log WHERE created_at > $(($(date +%s)*1000 - 86400000)) ORDER BY created_at DESC" > audit-export.json
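Added example, not IDPFlare code: the two storage-side primitives from the Cryptographic Summary (PBKDF2-SHA256 at 100,000 iterations for users.password_hash, SHA-256 for refresh_tokens) together with the revocation path the note above describes, using an in-memory stand-in for the refresh_tokens table with the column names from the revoke command. Node's node:crypto is used; the stored hash format, the class and its method names are assumptions of the example.

```typescript
// Added example (not IDPFlare code): PBKDF2-SHA256 (100,000 iterations) for
// users.password_hash, SHA-256 for refresh_tokens, and the revocation path
// behind "revoke refresh tokens to prevent renewal". Node's node:crypto is
// used here; a Worker would call the equivalent WebCrypto functions.
import { createHash, pbkdf2Sync, randomBytes, timingSafeEqual } from 'node:crypto';

const PBKDF2_ITERATIONS = 100_000;  // from the Cryptographic Summary
const PBKDF2_KEY_BYTES = 32;

// Stored form (assumed for this example): pbkdf2-sha256$<iterations>$<salt hex>$<hash hex>
export function hashPassword(password: string, salt: Buffer = randomBytes(16)): string {
  const dk = pbkdf2Sync(password, salt, PBKDF2_ITERATIONS, PBKDF2_KEY_BYTES, 'sha256');
  return `pbkdf2-sha256$${PBKDF2_ITERATIONS}$${salt.toString('hex')}$${dk.toString('hex')}`;
}

export function verifyPassword(password: string, stored: string): boolean {
  const [alg, iterations, saltHex, hashHex] = stored.split('$');
  if (alg !== 'pbkdf2-sha256' || !iterations || !saltHex || !hashHex) return false;
  const iters = Number(iterations);
  if (!Number.isInteger(iters) || iters < 1) return false;
  const expected = Buffer.from(hashHex, 'hex');
  if (expected.length === 0) return false;
  const actual = pbkdf2Sync(password, Buffer.from(saltHex, 'hex'), iters, expected.length, 'sha256');
  return timingSafeEqual(actual, expected);   // constant-time compare; lengths match by construction
}

// Only SHA-256(token) is stored, so a database leak does not yield usable refresh tokens.
export function hashToken(token: string): string {
  return createHash('sha256').update(token).digest('hex');
}

interface RefreshTokenRow {
  token_hash: string;
  user_id: string;
  expires_at: number;          // epoch ms
  is_revoked: number;          // 0 or 1, as in the UPDATE command above
  revoked_at: number | null;   // epoch ms
}

// In-memory stand-in for the refresh_tokens table.
export class RefreshTokenStore {
  private rows: RefreshTokenRow[] = [];

  issue(userId: string, ttlSeconds: number, now: number = Date.now()): string {
    const token = randomBytes(32).toString('base64url');   // 256 bits from the CSPRNG
    this.rows.push({
      token_hash: hashToken(token), user_id: userId,
      expires_at: now + ttlSeconds * 1000, is_revoked: 0, revoked_at: null,
    });
    return token;   // the raw token goes to the client and never reaches storage
  }

  // Returns the user id if the presented token is live, otherwise null.
  redeem(token: string, now: number = Date.now()): string | null {
    const row = this.rows.find(r => r.token_hash === hashToken(token));
    if (!row || row.is_revoked === 1 || row.expires_at <= now) return null;
    return row.user_id;
  }

  // Same effect as the emergency command: SET is_revoked = 1, revoked_at = <now ms> WHERE user_id = ?
  // An access JWT already issued stays valid until ACCESS_TOKEN_DURATION_SECONDS elapses;
  // revocation only stops it from being renewed.
  revokeAllForUser(userId: string, now: number = Date.now()): number {
    let revoked = 0;
    for (const r of this.rows) {
      if (r.user_id === userId && r.is_revoked === 0) {
        r.is_revoked = 1;
        r.revoked_at = now;
        revoked++;
      }
    }
    return revoked;
  }
}
```

The number returned by revokeAllForUser is the count the UPDATE would report as rows changed; a zero on a second run confirms nothing was left live.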

Important Files Reference

File                            Purpose
src/lib/security.ts             Input validation, XSS/SSRF prevention
src/services/audit.service.ts   Audit logging implementation
src/services/mfa.service.ts     MFA/TOTP implementation
src/services/crypto.ts          Cryptographic utilities
src/middleware/admin-auth.ts    Admin authentication
migrations/0001_init.sql        Database schema
wrangler.toml                   Configuration

Useful URLs