
Security Audit Checklist

Version: 1.0
Date: January 18, 2026
Status: Active

This checklist is used to verify the security posture of Forma3D.Connect before major releases and during quarterly security reviews.


Pre-Audit Preparation

  • Access Aikido Security Dashboard
  • Review Sentry for security-related errors
  • Collect current dependency list (pnpm list --depth=0)
  • Review recent commits for security-sensitive changes

1. Aikido Security Platform Integration

Verification Steps

  • SAST Scanning Active: Static Application Security Testing is enabled
  • Dependency Monitoring Active: OSS dependencies are being scanned
  • Secrets Detection Active: Scanning for hardcoded secrets
  • SBOM Generation Enabled: Software Bill of Materials is being generated
  • Weekly Scan Schedule: Automated scans running on schedule

Dashboard Review

Check Status Notes
No critical vulnerabilities ☐ Pass / ☐ Fail
No high severity issues > 30 days old ☐ Pass / ☐ Fail
No exposed secrets detected ☐ Pass / ☐ Fail
SBOM up to date ☐ Pass / ☐ Fail

Access Verification

  • Security dashboard URL documented and accessible
  • Appropriate team members have access
  • Alerts are being sent to correct channels

2. Authentication & Authorization

API Authentication

Check Status Notes
API key authentication implemented ☐ Pass / ☐ Fail X-API-Key header
API key stored securely (not in code) ☐ Pass / ☐ Fail Environment variable
API key rotation procedure documented ☐ Pass / ☐ Fail See keys inventory

Webhook Security

Check Status Notes
Shopify HMAC verification implemented ☐ Pass / ☐ Fail shopify-webhook.guard.ts
SimplyPrint token verification ☐ Pass / ☐ Fail simplyprint-webhook.guard.ts
Raw body available for signature verification ☐ Pass / ☐ Fail rawBody: true in main.ts
Webhook idempotency implemented ☐ Pass / ☐ Fail Deduplicate on the delivery ID after the signature check; blocks replays
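
The three webhook checks above (signature over the raw body, token comparison, idempotency) and the X-API-Key check in the API Authentication table come down to a few lines of Node crypto. The block below is an added example, not the project's guard code: it assumes the Shopify header layout (base64 HMAC-SHA256 in X-Shopify-Hmac-Sha256, delivery ID in X-Shopify-Webhook-Id); the SimplyPrint header name is not given on this page, so the shared-token check is written generically. The secret and payload are constructed.

```typescript
// Added example (not the project's guard code): webhook signature and shared-
// token checks with Node's crypto module, plus webhook-ID idempotency.
import { createHmac, timingSafeEqual } from "crypto";

// Constant-time comparison. Lengths are compared first because
// timingSafeEqual throws on mismatched lengths.
function constantTimeEqual(a: Buffer, b: Buffer): boolean {
  return a.length === b.length && timingSafeEqual(a, b);
}

// Shared-secret check for the X-API-Key header and for a token-style webhook
// header (SimplyPrint's header name is assumed, not taken from this page).
// A plain === comparison leaks the position of the first mismatch via timing.
function verifySharedToken(provided: string | undefined, expected: string): boolean {
  if (provided === undefined) return false;
  return constantTimeEqual(Buffer.from(provided, "utf8"), Buffer.from(expected, "utf8"));
}

// Shopify sends base64(HMAC-SHA256(secret, raw request bytes)) in
// X-Shopify-Hmac-Sha256. The MAC must be computed over exactly those bytes,
// which is why NestJS needs rawBody: true; a re-serialized JSON body fails.
function verifyShopifyHmac(rawBody: Buffer, headerValue: string | undefined, secret: string): boolean {
  if (!headerValue) return false;
  const expected = createHmac("sha256", secret).update(rawBody).digest();
  return constantTimeEqual(expected, Buffer.from(headerValue, "base64"));
}

// Produces the header value Shopify would send; used here only to build fixtures.
function signShopify(rawBody: Buffer, secret: string): string {
  return createHmac("sha256", secret).update(rawBody).digest("base64");
}

// Idempotency store keyed by delivery ID (X-Shopify-Webhook-Id). Call claim()
// only after the signature check, so forged requests cannot fill the store.
// In-memory for the example; a multi-instance deployment needs a shared store
// (a unique-constrained table or Redis SET NX).
class WebhookDedupe {
  private readonly seen = new Map<string, number>();
  private readonly ttlMs: number;
  constructor(ttlMs: number = 24 * 60 * 60 * 1000) { this.ttlMs = ttlMs; }

  // true on first delivery, false on a replay within the TTL
  claim(webhookId: string, now: number = Date.now()): boolean {
    this.seen.forEach((ts, id) => { if (now - ts > this.ttlMs) this.seen.delete(id); });
    if (this.seen.has(webhookId)) return false;
    this.seen.set(webhookId, now);
    return true;
  }
}

// Walk-through on a constructed payload. Secret and body are made up.
function demo(): { rawOk: boolean; reserializedOk: boolean; tamperedOk: boolean; firstDelivery: boolean; replay: boolean } {
  const secret = "constructed-shopify-webhook-secret";
  // Extra whitespace on purpose: JSON.parse/JSON.stringify will not reproduce it.
  const raw = Buffer.from('{"id": 1001,  "email": "buyer@example.com"}', "utf8");
  const header = signShopify(raw, secret);
  const reserialized = Buffer.from(JSON.stringify(JSON.parse(raw.toString("utf8"))), "utf8");
  const tampered = Buffer.from(raw.toString("utf8").replace("1001", "1002"), "utf8");
  const dedupe = new WebhookDedupe();
  return {
    rawOk: verifyShopifyHmac(raw, header, secret),                   // true
    reserializedOk: verifyShopifyHmac(reserialized, header, secret), // false: different bytes
    tamperedOk: verifyShopifyHmac(tampered, header, secret),         // false
    firstDelivery: dedupe.claim("wh_0001"),                          // true
    replay: dedupe.claim("wh_0001"),                                 // false
  };
}
```

The reserialized case is the one that bites in practice: a body parser that runs before the guard hands you an object, and `JSON.stringify` of that object is not the byte string Shopify signed. Keep the guard on the raw buffer and order the dedupe after the MAC check, or an attacker can burn legitimate delivery IDs with unsigned requests.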

Authorization

Check Status Notes
Admin endpoints protected ☐ Pass / ☐ Fail API key required
Role-based access if applicable ☐ Pass / ☐ Fail

3. Data Protection

Sensitive Data Handling

Check Status Notes
No API keys in logs ☐ Pass / ☐ Fail Review log output
No customer PII in logs ☐ Pass / ☐ Fail Email, address not logged
No sensitive data in error messages ☐ Pass / ☐ Fail Check Sentry captures
Secrets not in version control ☐ Pass / ☐ Fail Check for .env files

Database Security

Check Status Notes
Database connection uses TLS ☐ Pass / ☐ Fail Verify ?sslmode=require; require encrypts but does not by itself verify the server certificate, so check CA/hostname verification too
Database credentials rotated ☐ Pass / ☐ Fail Check last rotation date
No string-built SQL ($queryRawUnsafe / $executeRawUnsafe with interpolated input) ☐ Pass / ☐ Fail Prisma's query API and tagged-template $queryRaw are parameterized

4. Input Validation

DTO Validation

Check Status Notes
All endpoints use DTOs ☐ Pass / ☐ Fail class-validator decorators
ValidationPipe enabled globally ☐ Pass / ☐ Fail main.ts configuration
Unknown properties rejected ☐ Pass / ☐ Fail whitelist: true only strips them; forbidNonWhitelisted: true makes the request fail
Transform enabled for type coercion ☐ Pass / ☐ Fail transform: true

Query Parameter Validation

Check Status Notes
Pagination limits enforced ☐ Pass / ☐ Fail Max page size
Search/filter inputs validated ☐ Pass / ☐ Fail

5. Dependencies

Vulnerability Scan

Check Status Notes
No critical vulnerabilities ☐ Pass / ☐ Fail pnpm audit
No high vulnerabilities > 30 days ☐ Pass / ☐ Fail
Dependencies up to date ☐ Pass / ☐ Fail pnpm outdated
Lock file committed ☐ Pass / ☐ Fail pnpm-lock.yaml

Manual Audit Commands

# Check for known vulnerabilities
pnpm audit

# Check for outdated packages
pnpm outdated

# List all dependencies
pnpm list --depth=0

6. Infrastructure Security

TLS/HTTPS

Check Status Notes
HTTPS enforced ☐ Pass / ☐ Fail HTTP redirects to HTTPS
TLS 1.2+ only ☐ Pass / ☐ Fail
Valid certificate ☐ Pass / ☐ Fail Check expiry
HSTS enabled ☐ Pass / ☐ Fail Helmet hsts: maxAge 31536000 with includeSubDomains (Helmet's default is 180 days)

Security Headers

Check Status Notes
Helmet middleware enabled ☐ Pass / ☐ Fail main.ts
Content-Security-Policy set ☐ Pass / ☐ Fail
X-Content-Type-Options: nosniff ☐ Pass / ☐ Fail
X-Frame-Options: DENY ☐ Pass / ☐ Fail Helmet defaults to SAMEORIGIN; set frameguard: { action: "deny" }
Referrer-Policy configured ☐ Pass / ☐ Fail

Verify Security Headers

# Check response headers
curl -I https://connect-api.forma3d.be/health

# Expected headers:
# content-security-policy: ...
# strict-transport-security: max-age=31536000; includeSubDomains; preload
# x-content-type-options: nosniff
# x-frame-options: DENY
# referrer-policy: strict-origin-when-cross-origin
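
Eyeballing the curl output works for one host, but the checks are easy to get wrong (case of the header name, the HSTS max-age threshold, Helmet's SAMEORIGIN default). The block below is an added example, not part of the project: it parses raw `curl -I` output and returns findings against the policy in the two tables above. Both sample responses are constructed; the weak one uses Helmet's out-of-the-box values to show what an unconfigured `helmet()` looks like.

```typescript
// Added example (not project code): audit raw `curl -I` output against the
// header policy in this checklist. Sample responses are constructed.
type HeaderMap = Map<string, string[]>;

// Parse "status line + headers" as curl -I prints them (CRLF or LF).
// Names are lower-cased; repeated headers are kept as separate values.
function parseHeaders(raw: string): HeaderMap {
  const map: HeaderMap = new Map();
  const lines = raw.split(/\r?\n/);
  for (const line of lines.slice(1)) {
    const idx = line.indexOf(":");
    if (idx <= 0) continue;
    const name = line.slice(0, idx).trim().toLowerCase();
    const value = line.slice(idx + 1).trim();
    const values = map.get(name) || [];
    values.push(value);
    map.set(name, values);
  }
  return map;
}

function first(h: HeaderMap, name: string): string | undefined {
  const v = h.get(name);
  return v && v.length > 0 ? v[0] : undefined;
}

// Returns one string per finding; an empty array means the policy is met.
function auditSecurityHeaders(raw: string): string[] {
  const h = parseHeaders(raw);
  const findings: string[] = [];

  const hsts = first(h, "strict-transport-security");
  if (!hsts) {
    findings.push("strict-transport-security missing");
  } else {
    const m = /max-age=(\d+)/i.exec(hsts);
    const maxAge = m ? parseInt(m[1], 10) : 0;
    if (maxAge < 31536000) findings.push(`strict-transport-security max-age ${maxAge} < 31536000`);
    if (!/includeSubDomains/i.test(hsts)) findings.push("strict-transport-security lacks includeSubDomains");
  }
  if (!first(h, "content-security-policy")) findings.push("content-security-policy missing");
  if ((first(h, "x-content-type-options") || "").toLowerCase() !== "nosniff") {
    findings.push("x-content-type-options is not nosniff");
  }
  if ((first(h, "x-frame-options") || "").toUpperCase() !== "DENY") {
    findings.push("x-frame-options is not DENY (Helmet's default is SAMEORIGIN)");
  }
  if (!first(h, "referrer-policy")) findings.push("referrer-policy missing");
  // Express adds X-Powered-By; helmet() removes it. Its presence means Helmet
  // is not in the chain or is applied after the response is sent.
  if (first(h, "x-powered-by")) findings.push("x-powered-by present");
  return findings;
}

// Constructed: what the checklist expects to see.
const GOOD_RESPONSE = [
  "HTTP/2 200",
  "content-security-policy: default-src 'self'",
  "strict-transport-security: max-age=31536000; includeSubDomains; preload",
  "x-content-type-options: nosniff",
  "x-frame-options: DENY",
  "referrer-policy: strict-origin-when-cross-origin",
  "content-type: application/json; charset=utf-8",
].join("\r\n");

// Constructed: Express without Helmet configuration (HSTS at Helmet's 180-day
// default, frameguard at SAMEORIGIN, no CSP, X-Powered-By still present).
const WEAK_RESPONSE = [
  "HTTP/1.1 200 OK",
  "X-Powered-By: Express",
  "Strict-Transport-Security: max-age=15552000; includeSubDomains",
  "X-Content-Type-Options: nosniff",
  "X-Frame-Options: SAMEORIGIN",
  "Referrer-Policy: no-referrer",
].join("\r\n");
```

Pipe the real output in (`curl -sI https://connect-api.forma3d.be/health | tsx audit-headers.ts`, reading stdin, is one way to wire it) and treat any non-empty result as a Fail for the corresponding row. Run it against a real route as well as /health: a framework-level middleware sets the headers on every response, but a route that bypasses the middleware chain will not.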

CORS Configuration

Check Status Notes
CORS enabled with specific origins ☐ Pass / ☐ Fail Not *
Credentials allowed appropriately ☐ Pass / ☐ Fail

7. Rate Limiting

Check Status Notes
Rate limiting enabled ☐ Pass / ☐ Fail @nestjs/throttler
Appropriate limits for APIs ☐ Pass / ☐ Fail Default: 100/min
Webhook endpoints have separate limits ☐ Pass / ☐ Fail Higher for bursts
Health endpoints excluded ☐ Pass / ☐ Fail @SkipThrottle()

8. Logging & Monitoring

Security Logging

Check Status Notes
Authentication failures logged ☐ Pass / ☐ Fail
Webhook verification failures logged ☐ Pass / ☐ Fail
Rate limit hits logged ☐ Pass / ☐ Fail
Logs include correlation IDs ☐ Pass / ☐ Fail Request tracing

Error Tracking

Check Status Notes
Sentry integration active ☐ Pass / ☐ Fail
Sensitive data scrubbed from Sentry ☐ Pass / ☐ Fail
Alert thresholds configured ☐ Pass / ☐ Fail
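
The "no API keys or PII in logs" rows in Data Protection and the "sensitive data scrubbed from Sentry" row above are the same control applied at two sinks, so one redaction routine can serve both. The block below is an added example and is not the project's Pino or Sentry configuration: the key list is an assumption drawn from the fields this checklist names (X-API-Key, email, address), the email pattern is a deliberately simple safety net, and the sample record is constructed.

```typescript
// Added example (not the project's Pino or Sentry configuration): redact
// secrets and customer PII from a structured record before it is logged or
// shipped to Sentry. Key list and sample record are constructed.
const REDACTED = "[REDACTED]";

// Keys whose values are dropped wherever they occur, matched case-insensitively.
// Assumed list based on the fields this checklist calls out.
const SENSITIVE_KEYS = new Set<string>([
  "x-api-key", "authorization", "cookie", "set-cookie", "api_key", "apikey",
  "password", "secret", "token",
  "email", "phone", "address", "address1", "address2", "shipping_address", "billing_address",
]);

// Value-based fallback for addresses that end up in free text (log messages,
// error strings) under no particular key. A safety net, not a validator.
const EMAIL_RE = /[A-Z0-9._%+-]+@[A-Z0-9.-]+\.[A-Z]{2,}/gi;

function scrub(value: unknown, depth: number = 0): unknown {
  if (depth > 32) return REDACTED;                       // cycle / depth guard
  if (typeof value === "string") return value.replace(EMAIL_RE, REDACTED);
  if (Array.isArray(value)) return value.map((v) => scrub(v, depth + 1));
  if (value !== null && typeof value === "object") {
    const src = value as Record<string, unknown>;
    const out: Record<string, unknown> = {};
    for (const key of Object.keys(src)) {
      // Sensitive key: drop the whole subtree (an address object, a header value).
      out[key] = SENSITIVE_KEYS.has(key.toLowerCase()) ? REDACTED : scrub(src[key], depth + 1);
    }
    return out;
  }
  return value;                                          // number, boolean, null, undefined
}

// Shape-preserving wrapper so the same function can sit in Sentry's
// beforeSend(event) hook and in a log-object formatter (assumed wiring).
function scrubEvent<T>(event: T): T {
  return scrub(event) as T;
}

// Constructed record from a webhook handler that logged too much.
function demo(): Record<string, unknown> {
  const record = {
    level: 30,
    msg: "order webhook accepted for buyer@example.com",
    correlationId: "req-7f3a",
    req: {
      headers: { "x-api-key": "constructed-api-key-0123", "content-type": "application/json" },
      body: { id: 1001, email: "buyer@example.com", shipping_address: { city: "Gent" }, total: "19.90" },
    },
    err: { message: "Upstream rejected order for buyer@example.com", stack: "Error: upstream rejected\n    at handler (webhook.ts:42)" },
  };
  return scrubEvent(record);
}
```

For paths you know in advance, Pino's built-in `redact` option (`redact: { paths: ["req.headers['x-api-key']", "req.body.email"], censor: "[REDACTED]" }`) is cheaper than walking every record, and `Sentry.init({ beforeSend })` is the hook that sees every event before transport; the walker above is the backstop for fields that arrive under names nobody listed. Note that the correlation ID is left intact on purpose: redaction must not break request tracing.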

9. Container & Deployment Security

Docker Security

Check Status Notes
Non-root user in container ☐ Pass / ☐ Fail Check Dockerfile USER
Minimal base image ☐ Pass / ☐ Fail node:20-alpine
No secrets in image ☐ Pass / ☐ Fail Passed via env vars
Image signing (Cosign) ☐ Pass / ☐ Fail Attestations enabled

Environment Variables

Check Status Notes
Secrets passed via env vars ☐ Pass / ☐ Fail Not in Dockerfile
Production .env not in repo ☐ Pass / ☐ Fail Check .gitignore
Azure DevOps secrets configured ☐ Pass / ☐ Fail Variable groups

10. Code Security

Static Analysis

Check Status Notes
No explicit any types ☐ Pass / ☐ Fail @typescript-eslint/no-explicit-any
No ts-ignore / ts-expect-error without justification ☐ Pass / ☐ Fail @typescript-eslint/ban-ts-comment
No eslint-disable for security rules ☐ Pass / ☐ Fail
No console.log in production ☐ Pass / ☐ Fail Use Pino logger

Secure Coding Patterns

Check Status Notes
Error messages don't leak internals ☐ Pass / ☐ Fail
Async errors properly caught ☐ Pass / ☐ Fail
No eval() or dynamic code execution ☐ Pass / ☐ Fail

Post-Audit Actions

If Issues Found

  1. Create issues in Azure DevOps for each finding
  2. Assign severity and priority
  3. Set target resolution date
  4. Critical issues: fix before release
  5. High issues: fix within 30 days
  6. Medium/Low: add to backlog

Documentation

  1. Update this checklist with findings
  2. Document any exceptions with justification
  3. Record audit date and auditor

Audit Log

Date Auditor Result Notes
2026-01-18 Phase 6 Implementation Initial Baseline checklist created

Quick Security Commands

# Run all security checks
pnpm audit                           # Dependency vulnerabilities
pnpm lint                            # Code quality/security rules
pnpm test                            # Ensure tests pass

# Verify security headers
curl -I https://connect-api.forma3d.be/health

# Check TLS certificate
echo | openssl s_client -connect connect-api.forma3d.be:443 2>/dev/null | openssl x509 -noout -dates -subject

# Test rate limiting. Use a throttled route: /health is marked @SkipThrottle()
# and will never return 429, so hitting it proves nothing. Expect 200s followed
# by 429s once the 100/min default is exceeded.
for i in {1..120}; do curl -s -o /dev/null -w "%{http_code}\n" https://connect-api.forma3d.be/<throttled-route>; done | sort | uniq -c

Revision History:

Version Date Author Changes
1.0 2026-01-18 Phase 6 Implementation Initial checklist