Security Overview
Controls active on the LiidDigital platform. This is the security baseline Rudolf is reviewing against — not a claim of compliance, but a factual list of what's in place.
NETWORK & PERIMETER
✓
Cloudflare
All subdomains route through Cloudflare. DDoS mitigation, WAF rules, and bot challenge active at the edge. Origin server IP is not publicly exposed.
✓
SSL on all subdomains
Every subdomain (api, app, n8n, prospector, stockbot, staging, review, and others) has an individual Let's Encrypt certificate via Certbot. HTTP redirects to HTTPS on all server blocks. Certificates auto-renew.
✓
Fail2Ban
Fail2Ban monitors SSH auth logs and nginx error logs. Repeated auth failures trigger automatic IP banning. SSH runs on port 2222 (non-standard), key-only auth, root login disabled.
APPLICATION LAYER
✓
Rate Limiting
express-rate-limit enforces 100 requests per 15 minutes globally, and 10 requests per 15 minutes on all authentication endpoints (/api/reseller/login, /api/admin/login). Rate limits apply per real client IP via X-Real-IP forwarding from nginx — not the nginx proxy IP.
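The description above turns on one detail: the limiter must key on the client address nginx forwards, not on the proxy's own address, or every client behind nginx shares a single bucket. The following is an added illustration, not LiidDigital's code and not express-rate-limit itself; it implements a fixed-window limiter with the page's two limits (100 per 15 minutes globally, 10 per 15 minutes on the two login routes). The function names, the sample addresses and the request objects are constructed for the example.

```javascript
// Added example (not LiidDigital code): a fixed-window limiter keyed on the
// real client IP that nginx forwards in X-Real-IP, using the page's limits.
// clientKey, FixedWindowLimiter, checkRequest, fakeReq and demo are assumptions.

const WINDOW_MS = 15 * 60 * 1000;   // 15 minutes, as stated on the page
const GLOBAL_MAX = 100;             // global limit per window
const AUTH_MAX = 10;                // limit on the authentication endpoints
const AUTH_PATHS = new Set(['/api/reseller/login', '/api/admin/login']);

// Behind nginx, req.socket.remoteAddress is always the proxy (127.0.0.1), so
// keying on it would throttle every client together. X-Real-IP is trusted only
// because nginx overwrites it on every proxied request; it must never be
// trusted when the app is reachable without passing through nginx.
function clientKey(req) {
  const real = req.headers['x-real-ip'];
  return (typeof real === 'string' && real.length > 0) ? real : req.socket.remoteAddress;
}

class FixedWindowLimiter {
  constructor(max, windowMs) {
    this.max = max;
    this.windowMs = windowMs;
    this.buckets = new Map(); // key -> { count, resetAt }
  }
  // Count one request for `key` at time `now`; returns allowed/remaining/retryAfterMs.
  hit(key, now = Date.now()) {
    let b = this.buckets.get(key);
    if (!b || now >= b.resetAt) {
      b = { count: 0, resetAt: now + this.windowMs };
      this.buckets.set(key, b);
    }
    b.count += 1;
    const allowed = b.count <= this.max;
    return {
      allowed,
      remaining: Math.max(0, this.max - b.count),
      retryAfterMs: allowed ? 0 : b.resetAt - now,
    };
  }
}

const globalLimiter = new FixedWindowLimiter(GLOBAL_MAX, WINDOW_MS);
const authLimiter = new FixedWindowLimiter(AUTH_MAX, WINDOW_MS);

// Apply both limits the way stacked middleware would: the stricter auth limit
// on login routes, then the global limit. Returns the HTTP status to send.
function checkRequest(req, now = Date.now()) {
  const key = clientKey(req);
  if (AUTH_PATHS.has(req.path) && !authLimiter.hit(key, now).allowed) return 429;
  if (!globalLimiter.hit(key, now).allowed) return 429;
  return 200;
}

// Constructed request objects standing in for what nginx forwards.
function fakeReq(path, realIp) {
  return { path, headers: { 'x-real-ip': realIp }, socket: { remoteAddress: '127.0.0.1' } };
}

// Walk-through: 11 login attempts from one client, one from another client
// behind the same proxy, and one more from the first client after the window.
function demo() {
  const t0 = 1700000000000;
  const statuses = [];
  for (let i = 0; i < 11; i++) {
    statuses.push(checkRequest(fakeReq('/api/admin/login', '203.0.113.7'), t0));
  }
  const otherClient = checkRequest(fakeReq('/api/admin/login', '203.0.113.8'), t0);
  const afterWindow = checkRequest(fakeReq('/api/admin/login', '203.0.113.7'), t0 + WINDOW_MS);
  return { blockedAt: statuses.indexOf(429) + 1, otherClient, afterWindow };
}
```

With express-rate-limit the equivalent of `clientKey` is the `keyGenerator` option together with Express's `trust proxy` setting; the point the example makes is the same either way: the second client is not blocked by the first client's attempts, because the key is the forwarded address rather than the shared proxy address.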
✓
JWT Authentication
All protected routes require a Bearer JWT signed with a secret from environment variables. Tokens encode role (admin / reseller / client) and are verified on every request. No server-side session state.
✓
bcrypt Password Hashing
Passwords are stored as bcryptjs hashes; plaintext passwords are never stored or logged anywhere. Password reset uses time-limited signed tokens delivered via email.
✓
Parameterised SQL Queries
All database queries use node-postgres with $1/$2 parameterisation throughout. No string interpolation in SQL. SQL injection is structurally prevented at the query layer.
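Placeholders handle every user-supplied value, but they cannot bind identifiers (a column chosen for `ORDER BY`) and they need a fresh `$n` for each optional filter. The following added example (not LiidDigital's code; the `resellers` table, its columns and the function names are constructed) builds a node-postgres style `{ text, values }` query object that keeps all values in `values`, numbers placeholders dynamically, and whitelists the sort column. The unsafe string-interpolated shape is shown first only for contrast.

```javascript
// Added example (not LiidDigital code): building node-postgres parameterised
// queries. Table, column and function names are constructed for illustration.
const SORTABLE_COLUMNS = new Set(['created_at', 'name', 'status']); // identifier whitelist

// Unsafe shape, for contrast only: input spliced into the SQL text itself.
function unsafeFindResellers(status) {
  return { text: `SELECT id, name FROM resellers WHERE status = '${status}'`, values: [] };
}

// Safe shape: every user-supplied VALUE travels in `values`, never in `text`.
// Optional filters each get the next $n. The sort column is an IDENTIFIER,
// which a placeholder cannot bind, so it is checked against a fixed whitelist.
function findResellersQuery({ status, nameContains, sortBy = 'created_at', limit = 50 } = {}) {
  const where = [];
  const values = [];
  const param = (v) => { values.push(v); return `$${values.length}`; };

  if (status !== undefined) where.push(`status = ${param(status)}`);
  if (nameContains !== undefined) where.push(`name ILIKE ${param(`%${nameContains}%`)}`);

  if (!SORTABLE_COLUMNS.has(sortBy)) throw new Error(`unsortable column: ${sortBy}`);
  const safeLimit = Number.isInteger(limit) && limit > 0 && limit <= 500 ? limit : 50;

  const text =
    'SELECT id, name, status, created_at FROM resellers' +
    (where.length ? ` WHERE ${where.join(' AND ')}` : '') +
    ` ORDER BY ${sortBy} LIMIT ${param(safeLimit)}`;
  return { text, values };
}
```

The returned object is the config form node-postgres accepts directly, so the call site is `pool.query(findResellersQuery(filters))`. Whatever a caller puts in `status`, it only ever reaches PostgreSQL as the bound value of `$1`; the query text is the same string for every input.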
✓
HMAC Webhook Verification
Inbound webhooks (PayFast payments, internal bridge callbacks) are verified with HMAC-SHA256 signatures before any business logic runs. Invalid signatures return 401 immediately.
✓
Helmet.js Security Headers
Express Helmet middleware sets Content-Security-Policy, X-Frame-Options (DENY), X-Content-Type-Options (nosniff), Referrer-Policy, and HSTS headers on all API responses.
✓
CORS Whitelist
Cross-Origin requests are restricted to an explicit origin whitelist. Unknown origins are rejected. Wildcard CORS is not used. White-label reseller domains are loaded from the database and refreshed every 5 minutes.
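The two properties worth checking in an origin whitelist are exact matching (an origin is a full `scheme://host`, so neither a bare hostname nor a substring should match) and safe refresh of the dynamic part. The added example below is not LiidDigital's code; the static origins, the reseller domains and the function names are constructed, and the periodic refresh takes a loader function standing in for the database query.

```javascript
// Added example (not LiidDigital code): static origin whitelist plus reseller
// domains swapped in on a 5-minute refresh. Origins and names are constructed.
const REFRESH_MS = 5 * 60 * 1000; // refresh interval stated on the page

// Normalise a stored reseller domain to one exact https origin. Anything that
// is not a bare hostname (schemes, ports, paths, wildcards) is dropped.
function toOrigin(domain) {
  const host = String(domain).trim().toLowerCase();
  const label = '[a-z0-9]([a-z0-9-]*[a-z0-9])?';
  if (!new RegExp(`^${label}(\\.${label})+$`).test(host)) return null;
  return `https://${host}`;
}

class OriginWhitelist {
  constructor(staticOrigins) {
    this.static = new Set(staticOrigins);
    this.dynamic = new Set();
  }
  // Called by the periodic refresh with the domains read from the database.
  // The new set replaces the old one in a single assignment, so a request is
  // never checked against a half-built set.
  replaceResellerDomains(domains) {
    const next = new Set();
    for (const d of domains) {
      const origin = toOrigin(d);
      if (origin) next.add(origin);
    }
    this.dynamic = next;
  }
  // Exact string match only: no prefix, suffix, regex or wildcard matching.
  isAllowed(origin) {
    if (typeof origin !== 'string') return false;
    return this.static.has(origin) || this.dynamic.has(origin);
  }
}

// Origin callback in the shape the `cors` package accepts: (origin, cb).
// cb(null, true) reflects the origin; cb(null, false) sends no CORS headers;
// cb(err) rejects the request outright.
function corsOriginCallback(whitelist) {
  return (origin, cb) => {
    if (origin === undefined) return cb(null, false); // no Origin header: not a cross-origin request
    if (whitelist.isAllowed(origin)) return cb(null, true);
    return cb(new Error('Origin not allowed by CORS'));
  };
}

// Refresh loop: loadResellerDomains is an assumed async function returning the
// domain strings from the database. A failed load keeps the previous set.
function startRefresh(whitelist, loadResellerDomains, intervalMs = REFRESH_MS) {
  const tick = async () => {
    try {
      whitelist.replaceResellerDomains(await loadResellerDomains());
    } catch (e) {
      // keep serving the last good set; log in a real service
    }
  };
  tick();
  const timer = setInterval(tick, intervalMs);
  timer.unref();
  return timer;
}
```

Usage with the `cors` middleware would be `cors({ origin: corsOriginCallback(whitelist) })` after `startRefresh(whitelist, loadResellerDomains)` has run once. Note that the check is synchronous and never touches the database on the request path; only the refresh loop does.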
INFRASTRUCTURE & OPS
✓
PM2 Process Management
All services run under PM2 with memory limits and auto-restart policies. Crash loops are bounded. Services run as liidadmin or root where required — not as www-data with excessive permissions.
✓
PostgreSQL in Docker
Database runs in an isolated Docker container (liiddigital-postgres). No external port binding — accessible only on localhost. Docker network isolation prevents lateral access from other services.
✓
Backblaze B2 Offsite Backups
Automated PostgreSQL dump nightly at 02:00 SAST (7-day local retention at /opt/backups/). Offsite sync to Backblaze B2 bucket at 02:30 SAST via rclone (30-day retention). Backups tested periodically.
✓
Uptime Kuma Monitoring
Uptime Kuma monitors all public services and sends Telegram alerts on downtime. Provides real-time status visibility and incident response lead time.