Security

Built-in security primitives

Last Price ships the primitives you would otherwise have to bolt on. Nothing exotic; the standards, applied per request.

  • Authentication

    JWTs (Authorization: Bearer …) and platform API keys (lp_…) with scopes (read · write · admin). JWTs carry tenant_id in the sub claim.

  • Encryption at rest

    AES-256-GCM for tenant secrets and provider credentials. Keys are derived per-tenant.

  • Rate limiting

    Per-tenant (after auth) and per-IP (in middleware) limiters. Public demo endpoint has its own per-IP cap of 30 calls / hour.

  • Webhook signatures

    HMAC-SHA256 over the raw request body, computed on the exact bytes received, not on a parsed-and-reserialized payload. Verify the X-Signature header (with a constant-time comparison) before trusting any payload.

  • Security headers

    Middleware sets X-Content-Type-Options, X-Frame-Options DENY, Referrer-Policy strict-origin-when-cross-origin, HSTS in production, and a restrictive Permissions-Policy.

  • Tenancy isolation

    Every request is scoped to a tenant_id resolved from auth. Workspace membership is checked O(1) via wsDb.getTeamMember.

Webhook verifier

Calls POST /api/public/webhook-verify, which uses the canonical verifyWebhookSignature helper.

Reporting a vulnerability

See SECURITY.md at the root of the repository for the disclosure process.