Security Overview
A comprehensive security remediation was implemented on 2026-02-18, covering 23 vulnerabilities (4 CRITICAL, 6 HIGH, 8 MEDIUM, 5 LOW).
Authentication Flow
1. User visits site
2. Cloudflare Access
3. JWT issued
4. Middleware validates JWT signature (RS256)
5. CSRF check (Origin header)
6. Rate limit (tiered)
7. RBAC check
8. Endpoint access

User → CF Access → JWT → Middleware (RS256 + CSRF + Rate Limit) → RBAC → Endpoint
Data Sensitivity Levels
| Level | Data Type | Access |
|---|---|---|
| Public | Static assets (HTML/CSS/JS) | All users |
| Authenticated | Dashboard summary, basic health | All authenticated users |
| Role-Based | RPi stats, UniFi data, operations | Admin + Operator |
| Admin-Only | User management, audit logs, secrets | Admin only |
| Physical Security | TUGA door access | Permission-specific (tuga:door*) |
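
The following sketch is an added example, not code from this project. It shows how the CSRF and RBAC stages of the flow could enforce the sensitivity levels in the table once the JWT has been verified. The allowed origin, the lowercase role and level names, the `grants` claim and the prefix meaning of `*` in `tuga:door*` are assumptions. JWT verification and rate limiting are left out.

```javascript
// Added example: names marked "assumed" are not from the original page.
const ALLOWED_ORIGIN = "https://dashboard.example"; // assumed, constructed
const SAFE_METHODS = new Set(["GET", "HEAD", "OPTIONS"]);
const LEVEL_ROLES = new Map([    // roles per level, from the table above
  ["role-based", ["admin", "operator"]],
  ["admin-only", ["admin"]],
]);

// CSRF stage: a state-changing request must carry the expected Origin.
function originAllowed(method, origin) {
  if (SAFE_METHODS.has(method)) return true;
  if (!origin) return false;     // missing Origin on a write is rejected
  try {
    return new URL(origin).origin === ALLOWED_ORIGIN; // exact match only
  } catch {
    return false;                // "null" or a malformed value
  }
}

// Assumed semantics: a grant ending in "*" matches by prefix (tuga:door*).
function grantMatches(grant, required) {
  return grant.endsWith("*")
    ? required.startsWith(grant.slice(0, -1))
    : grant === required;
}

// principal = claims from an already verified RS256 JWT, or null.
function authorize(req, route, principal) {
  if (route.level === "public") return { status: 200 };
  if (!principal) return { status: 401, reason: "no valid JWT" };
  if (!originAllowed(req.method, req.origin))
    return { status: 403, reason: "csrf" };
  if (route.level === "authenticated") return { status: 200 };
  if (route.level === "physical") {
    // Assumption drawn from the table: access is per permission, no role bypass.
    const grants = principal.grants || [];
    const ok = grants.some((g) => grantMatches(g, route.permission));
    return ok ? { status: 200 } : { status: 403, reason: "permission" };
  }
  const roles = LEVEL_ROLES.get(route.level);
  if (!roles) return { status: 403, reason: "unknown level" }; // deny by default
  return roles.includes(principal.role)
    ? { status: 200 }
    : { status: 403, reason: "role" };
}
```

A route tagged with a level the map does not know is denied, so a mistyped level fails closed.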