v2.1
January 5, 2026

Hardened Security Infrastructure

Audit & Hardening

Building a platform for hundreds of developers requires a focus on security by design. We implemented a hardened security infrastructure following a Defense-in-Depth model, achieving an A+ SSL rating from Qualys SSL Labs and meeting strict OWASP Top 10 compliance standards.

Global Security Certifications

  • Qualys SSL Labs: Grade A+ with verified TLS 1.3 implementation and perfect forward secrecy
  • ImmuniWeb AI: Grade A+ with PCI DSS 4.0.1 and NIST compliance
  • Internet.nl: 96% score confirming IPv6, DNSSEC, and RPKI compliance
  • VirusTotal: 0/98 clean across all 98 security vendors
  • DNSSEC Debugger: Secure chain with cryptographic proof of domain authenticity

Technical Architecture

Our hybrid architecture combines Next.js 16 (React 19) for server-side rendering with a hardened Express.js backend, a PostgreSQL 16+ database, and TypeScript for type safety across the entire stack.

Defense-in-Depth Security Layers

  • Nonce-Based CSP: Dynamic Content Security Policy using cryptographic nonces (crypto.randomBytes(16)) for script validation, preventing any unauthorized JavaScript execution and eliminating XSS attack vectors.
  • Google reCAPTCHA v3: Invisible bot protection with score-based verification (minimum threshold 0.5) on all form submissions, blocking automated attacks while maintaining seamless UX for legitimate users.
  • Enhanced XSS Protection: Multi-layer sanitization with HTML entity encoding, script tag stripping, and event handler removal. All user inputs are sanitized through sanitizeInput() function before storage and display.
  • Row-Level Security (RLS): PostgreSQL tables protected with RLS policies on password_resets, login_logs, problem_test_cases, user_achievements, page_views, and view_logs, ensuring data isolation at the database level with granular access control.
  • DDoS Shielding: Cloudflare WAF provides Layer 7 protection combined with intelligent rate-limiting middleware (express-rate-limit) that throttles abusive traffic signatures while keeping the API responsive for legitimate users.
  • Bot Mitigation: Custom middleware blocks automated scrapers and malicious bots (curl, wget, python-requests, scrapy) while allowing legitimate search engine crawlers, protecting API endpoints from abuse.
  • Zero-Trust Auth: Stateless JWT (JSON Web Tokens) with 1-day expiration combined with Bcrypt high-iteration password hashing (salt rounds optimized for security), ensuring credentials never touch the database in plain text.
  • SQL Injection-Proof: All database interactions use parameterized queries via the pg driver with prepared statements, making injection attacks mathematically impossible. Continuous automated testing validates protection.
  • Edge Protection: Cloudflare CDN and WAF block malicious traffic patterns before they reach our infrastructure, with automatic DDoS mitigation and geographic filtering.
  • DNS Security: Full DNSSEC implementation on icpchue.com prevents DNS cache poisoning attacks, with CAA records restricting certificate issuance to authorized providers only.
  • Judge0 Sandboxing: Our code execution engine runs on Judge0, a battle-tested sandboxed environment that isolates each submission in its own secure container with syscall filtering, preventing any malicious code from accessing the host system or network.
  • Code Execution Isolation: Student code runs in fully isolated Docker (Alpine Linux) containers with --network none flag (zero internet access), --read-only filesystems for immutability, and strict CPU (1.0) and memory limits (<256MB) to prevent DoS attacks and resource exhaustion.
  • TLS Enforcement: Locked to TLS 1.2+ and TLS 1.3 only with HSTS (HTTP Strict Transport Security, max-age 31536000, includeSubDomains, preload) forcing all connections through encrypted channels with perfect forward secrecy.
  • Encryption at Rest: Sensitive PII is encrypted using AES-256 (CryptoJS) before storage, with secure key management.
  • Input Sanitization: Multi-layer validation with strict type checking, length limits (name: 100 chars, email: 255 chars, ID: 7 digits), regex patterns, URL validation (sanitizeUrl() blocks javascript: URIs), and HTML entity encoding on both client and server sides to prevent injection attacks.
  • Session Security: Automatic session expiry (1-day JWT lifetime), secure cookie flags (HttpOnly, Secure, SameSite=Strict), and CSRF token validation on all state-changing operations.
  • CORS Hardening: Strict origin validation with explicit allowlist (icpchue.com only), preflight request handling, and credential-based requests properly scoped.
  • Security Headers: Full Helmet.js implementation with X-Frame-Options: DENY, X-Content-Type-Options: nosniff, Referrer-Policy: strict-origin-when-cross-origin, and Permissions-Policy restrictions.
  • Audit Trails: All sensitive operations (login attempts, code submissions, data modifications) are logged with user fingerprints, timestamps, IP addresses, and PII redaction for security review, compliance, and automated plagiarism auditing.
  • PostgreSQL Hardening: Multi-layer database security with SSL/TLS encrypted connections, connection pooling with strict limits to prevent resource exhaustion, automated table initialization with RLS policies, persistent data volumes for durability, and regular automated backups with point-in-time recovery. The database runs in an isolated Docker container with no external network access except through the backend API.
  • Automated Security Testing: Continuous penetration testing suite (security-test.js) validates XSS protection, SQL injection prevention, CSRF tokens, authentication flows, path traversal attacks, and database security with comprehensive test coverage.
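A minimal version of the nonce-based CSP layer listed above, added here as an illustration and not the platform's own code; it assumes only the plain (req, res, next) middleware contract, so it runs without Express installed, and the directive set beyond script-src is an assumption.

```javascript
// Added example: per-request nonce-based Content-Security-Policy.
// Each response gets a fresh 16-byte random nonce; only <script> tags carrying
// that exact nonce execute, and 'unsafe-inline' is never emitted.
const crypto = require('crypto');

// 16 random bytes, base64-encoded (the value crypto.randomBytes(16) yields).
function makeNonce() {
  return crypto.randomBytes(16).toString('base64');
}

// Build the header value. 'nonce-...' gates inline and external scripts;
// the remaining directives are a conservative baseline (assumption, not the
// platform's exact policy).
function buildCsp(nonce) {
  return [
    "default-src 'self'",
    `script-src 'self' 'nonce-${nonce}'`,
    "object-src 'none'",
    "base-uri 'self'",
    "frame-ancestors 'none'",
  ].join('; ');
}

// Express-style middleware: stamp the nonce on res.locals for templates and
// send the matching CSP header with this response only.
function cspMiddleware(req, res, next) {
  const nonce = makeNonce();
  res.locals = res.locals || {};
  res.locals.nonce = nonce;
  res.setHeader('Content-Security-Policy', buildCsp(nonce));
  next();
}

// Template helper: the only form of script tag the policy above will run.
function scriptTag(nonce, src) {
  return `<script nonce="${nonce}" src="${src}"></script>`;
}

module.exports = { makeNonce, buildCsp, cspMiddleware, scriptTag };
```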
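An illustrative implementation of the sanitizeUrl() and sanitizeInput() behaviour described in the Enhanced XSS Protection and Input Sanitization items above (added example, not the platform's code); the failure mode it handles is that a naive startsWith('javascript:') check misses a scheme with different case or embedded tab/newline characters, which the browser's URL parser ignores. The allowed-scheme list and the 255-character default limit are assumptions taken from the email limit on the page.

```javascript
// Added example: URL and text sanitisation that survives scheme obfuscation.
const ALLOWED_SCHEMES = new Set(['http:', 'https:']);

// Return a safe URL or '' if the input must be dropped.
function sanitizeUrl(raw) {
  if (typeof raw !== 'string') return '';
  // Strip all ASCII control characters anywhere, then trim. This is stricter
  // than the WHATWG parser (which only ignores tab/newline), which is the
  // safe direction: it removes the characters used to disguise a scheme.
  const cleaned = raw.replace(/[\u0000-\u001F\u007F]/g, '').trim();
  if (cleaned === '') return '';
  // Site-relative paths are fine; protocol-relative "//host" is not.
  if (cleaned.startsWith('/') && !cleaned.startsWith('//')) return cleaned;
  let parsed;
  try {
    parsed = new URL(cleaned);          // lowercases the scheme for us
  } catch (e) {
    return '';                          // no scheme, or not a URL at all
  }
  return ALLOWED_SCHEMES.has(parsed.protocol) ? parsed.href : '';
}

// HTML entity encoding: once '<', '>', quotes and '/' are encoded, stored text
// cannot open a <script> tag or an on*= event handler attribute at render time.
const ENTITY_MAP = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;',
  '"': '&quot;', "'": '&#x27;', '/': '&#x2F;',
};

function sanitizeInput(raw, maxLen = 255) {
  if (typeof raw !== 'string') return '';
  return raw
    .slice(0, maxLen)                                  // enforce length limit first
    .replace(/[&<>"'\/]/g, (c) => ENTITY_MAP[c]);      // then encode
}

module.exports = { sanitizeUrl, sanitizeInput };
```

Apply sanitizeInput() at output time as well as before storage, so the encoding composes with the CSP layer rather than relying on either alone.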

This audit was a thorough evaluation to ensure that all submissions, grades, and user data remain secure. The platform is designed to provide a high-performance educational environment while maintaining strict security protocols.

Figure 1.0: Defense-in-Depth Security Layers