Security Audit Report
Scope: Backend (Go), Frontend (Next.js), Customer App (Flutter), Shopkeeper App (Flutter/Windows)
Last Updated: February 2026
Risk Level: 🟢 LOW — Backend, frontend, and mobile apps hardened; session timeout and 2FA pending.
Executive Summary
Qprint uses solid practices (parameterized queries, bcrypt, JWT). Backend and frontend critical fixes are implemented (January 2026). Backend: JWT validation, CORS, rate limiting, file upload security, security headers, password reset tokens, webhook verification, auth cookie, CSRF. Frontend: httpOnly cookie auth, CSRF protection, security headers, generic error messages.
Production-ready when JWT_SECRET (32+ chars), ALLOWED_ORIGINS, and ENVIRONMENT=production are set. See Deployment and Environment Variables.
Status at a Glance
Backend ✅
| Item | Status |
|---|---|
| JWT secret validation (32+ chars, fail fast) | ✅ Done |
| CORS (no wildcard; ALLOWED_ORIGINS required) | ✅ Done |
| Rate limiting (auth endpoints, 50 requests per 15 min per IP) | ✅ Done |
| Request body limit (1MB for auth JSON) | ✅ Done |
| Error disclosure removed | ✅ Done |
| File upload security (MIME + magic bytes + sanitization) | ✅ Done |
| Password reset tokens (hashed, 30 min, invalidate on reset) | ✅ Done |
| Security headers (HSTS, X-Content-Type-Options, etc.) | ✅ Done |
| Webhook (fail-fast if secret empty; no raw payload in logs) | ✅ Done |
| Test mode disabled in production | ✅ Done |
| Account enumeration removed on register | ✅ Done |
| Auth cookie + CSRF (Bearer-only exemption for API clients) | ✅ Done |
| Admin IP whitelist (optional ALLOWED_ADMIN_IPS) | ✅ Done |
| Admin audit logging | ✅ Done |
| Account deletion (password confirmed, data cleanup) | ✅ Done |
| GDPR "Delete data" page (GET /delete-data) | ✅ Done — public page for Play Store requirement |
| ShopkeeperActivity middleware (X-Platform: web) | ✅ Done — updates last_web_activity_at for shop auto-close |
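As an added example, not code from the Qprint backend: a Go startup check that applies the fail-fast rules listed above (JWT_SECRET of 32+ characters, ALLOWED_ORIGINS required and wildcard-free, test mode off when ENVIRONMENT=production). LoadConfig is a hypothetical function and TEST_MODE is an assumed variable name; the report only says test mode is disabled in production.

```go
package main

import (
	"fmt"
	"os"
	"strings"
)

type Config struct {
	JWTSecret      string
	AllowedOrigins []string
	Production     bool
}

// LoadConfig fails fast on any setting that would leave the backend insecure,
// instead of silently falling back to a default. TEST_MODE is an assumed name.
func LoadConfig(getenv func(string) string) (*Config, error) {
	cfg := &Config{JWTSecret: getenv("JWT_SECRET"), Production: getenv("ENVIRONMENT") == "production"}
	var problems []string
	if len(cfg.JWTSecret) < 32 {
		problems = append(problems, "JWT_SECRET must be at least 32 characters")
	}
	for _, o := range strings.Split(getenv("ALLOWED_ORIGINS"), ",") {
		if o = strings.TrimSpace(o); o == "" {
			continue
		}
		if strings.Contains(o, "*") { // no wildcard origins, not even "https://*.example.com"
			problems = append(problems, "ALLOWED_ORIGINS must not contain a wildcard: "+o)
			continue
		}
		cfg.AllowedOrigins = append(cfg.AllowedOrigins, o)
	}
	if len(cfg.AllowedOrigins) == 0 {
		problems = append(problems, "ALLOWED_ORIGINS must list at least one origin")
	}
	if cfg.Production && getenv("TEST_MODE") == "true" {
		problems = append(problems, "TEST_MODE must be off when ENVIRONMENT=production")
	}
	if len(problems) > 0 {
		return nil, fmt.Errorf("invalid configuration:\n  %s", strings.Join(problems, "\n  "))
	}
	return cfg, nil
}

func main() {
	if _, err := LoadConfig(os.Getenv); err != nil {
		fmt.Fprintln(os.Stderr, "refusing to start:", err)
		os.Exit(1)
	}
}
```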
Frontend Web ✅
| Item | Status |
|---|---|
| Token in httpOnly cookie (HTTPS) | ✅ Done |
| CSRF protection (X-CSRF-Token header) | ✅ Done |
| Security headers | ✅ Done |
| Error disclosure removed (safeError.ts) | ✅ Done |
| Minimal CSP | ✅ Done |
| Logout clears cookie | ✅ Done |
| Delete account (password modal, clears local data) | ✅ Done |
Customer App ✅
| Item | Status |
|---|---|
| Flutter Secure Storage | ✅ Done |
| POST /logout before clear | ✅ Done |
| Generic error messages | ✅ Done |
| HTTP timeout (30s / 120s uploads) | ✅ Done |
| Certificate pinning | ✅ Done |
| Root/jailbreak detection | ✅ Done |
| Session timeout (30 min) | ✅ Done |
| Google Maps key (local.properties / MapsConfig.xcconfig) | ✅ Done |
| Delete account (password confirmation, API call) | ✅ Done |
See Customer App Implementation List.
Shopkeeper App ✅
| Item | Status |
|---|---|
| Flutter Secure Storage | ✅ Done |
| POST /logout | ✅ Done |
| Generic error messages | ✅ Done |
| Certificate pinning | ✅ Done |
| HTTP timeout (30s / 120s downloads) | ✅ Done |
| API URL via --dart-define=BASE_URL | ✅ Done |
| PowerShell injection fix (sanitization) | ✅ Done |
| Filename path traversal sanitization | ✅ Done |
| Verbose logging reduction (kDebugMode) | ✅ Done |
| Session timeout (30 min idle) | ✅ Done |
| Token fallback restriction (no SharedPreferences in prod) | ✅ Done |
| File integrity verification (when API provides hash) | ✅ Done |
| Delete account (password confirmation, clears cache) | ✅ Done |
See Shopkeeper App (Windows) Audit.
Pending Items
High Priority
(None — shopkeeper app critical items implemented.)
Medium Priority
(None — shopkeeper app items implemented.)
| Component | Item | Recommendation |
|---|---|---|
| General | Refresh tokens | Short-lived access + refresh flow |
| General | 2FA for admins | TOTP for admin accounts |
Low Priority
| Component | Item |
|---|---|
| Frontend | Sensitive data in URLs (POST + temp tokens for downloads) |
| Frontend | Input sanitization (if rendering user HTML) |
| Customer App | Location privacy toggle |
| Customer App | App integrity checks (Play Integrity / App Attest) |
Security Checklist
Backend
- JWT validation (32+ chars)
- CORS (ALLOWED_ORIGINS)
- Rate limiting, body limit
- Error sanitization
- File upload security
- Security headers
- Password reset tokens (hashed, 30 min)
- Webhook verification
- Auth cookie, CSRF, logout
- Admin IP whitelist, audit logging
- Input validation (email/phone/XSS)
- 2FA for admins
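An added example, not the project's own middleware, of the "Bearer-only exemption" behind the auth cookie + CSRF item: a request authenticated by the httpOnly cookie must double-submit the CSRF token in X-CSRF-Token, while a request that carries Authorization: Bearer and no auth cookie is accepted, because browsers never attach that header cross-site and a script that tries is stopped by the CORS preflight that ALLOWED_ORIGINS rejects. The cookie names and the csrfDecision function are assumptions; the report names only the X-CSRF-Token header.

```go
package main

import (
	"crypto/subtle"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Cookie names are assumed; the report names only the X-CSRF-Token header.
const (
	authCookie = "auth_token"
	csrfCookie = "csrf_token"
	csrfHeader = "X-CSRF-Token"
)

// csrfDecision reports whether a request may proceed. Safe methods always pass.
// A request with an Authorization: Bearer header and no auth cookie is an API
// client and is exempt. Any other request is a cookie session and must
// double-submit the CSRF token (csrf cookie value == X-CSRF-Token header),
// compared in constant time so the check leaks nothing about the token.
func csrfDecision(r *http.Request) bool {
	switch r.Method {
	case http.MethodGet, http.MethodHead, http.MethodOptions:
		return true
	}
	_, cookieErr := r.Cookie(authCookie)
	bearer := strings.HasPrefix(r.Header.Get("Authorization"), "Bearer ")
	if bearer && cookieErr != nil {
		return true // exempt only when no cookie session is present at all
	}
	c, err := r.Cookie(csrfCookie)
	if err != nil || c.Value == "" {
		return false
	}
	h := []byte(r.Header.Get(csrfHeader))
	return subtle.ConstantTimeCompare([]byte(c.Value), h) == 1
}

func main() { // constructed requests: an API client and a cookie session without a token
	api := httptest.NewRequest(http.MethodPost, "/api/orders", nil)
	api.Header.Set("Authorization", "Bearer example-token")
	web := httptest.NewRequest(http.MethodPost, "/api/orders", nil)
	web.AddCookie(&http.Cookie{Name: authCookie, Value: "jwt"})
	fmt.Println("api client:", csrfDecision(api), "cookie without token:", csrfDecision(web))
}
```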
Frontend Web
- httpOnly cookie auth
- CSRF protection
- Security headers
- Generic error messages
- Logout clears session
- Input sanitization (if rendering user HTML)
Customer App
- Secure Storage, logout, errors, timeout
- Certificate pinning, root detection
- Session timeout
- Location privacy toggle
- App integrity checks
Shopkeeper App
- Secure Storage, logout, errors
- Certificate pinning (intermediate CA)
- HTTP timeout (30s / 120s)
- API URL config (--dart-define)
- PowerShell injection fix
- Path traversal sanitization
- Verbose logging reduction
- Session timeout (30 min idle)
- Token fallback restriction (production)
- File integrity verification (when API provides X-Content-SHA256)
Detailed Findings (Condensed)
Backend — Completed
All critical items implemented. See Status at a Glance.
Backend — Recommendations
- Input validation: Use proper email/phone validation; sanitize before storage
- Session: Consider refresh tokens, shorter JWT expiry
- Database: Use SSL in production (sslmode=require)
- File access: Consider longer codes (8–10 chars), download rate limiting
Frontend — Completed
All critical items implemented.
Frontend — Recommendations
- API keys: Razorpay key ID is public by design (acceptable)
- Sensitive URLs: Consider POST + temp tokens for file downloads
Customer App — Completed
Critical and high items done. See Customer App Implementation List.
Shopkeeper App — Completed
Critical and high items implemented (certificate pinning, HTTP timeout, PowerShell injection fix, path traversal, verbose logging). See Shopkeeper App (Windows) Audit. Session timeout remains pending.
General Recommendations
- Logging: Structured logging, auth/file/payment audit
- Dependencies: Dependabot, vulnerability scanning (Snyk, OWASP)
- Backups: Regular DB backups, encrypted, test restore
- Testing: Security tests in CI, penetration testing before/after deployment
- Incident response: Define breach procedures, monitoring, drills
Changelog
Feb 2026 — Backend: GDPR GET /delete-data page for Play Store; ShopkeeperActivity middleware for web activity (shop auto-close). Admin: PUT /admin/app-downloads for Download Apps page links.
Feb 2026 — Shopkeeper app: Certificate pinning, HTTP timeout, API URL config, PowerShell injection fix, path traversal, verbose logging, session timeout (30 min idle), token fallback restriction, file integrity verification. All pending items implemented.
Feb 2026 — Document restructured for clarity.
Jan 31, 2026 — Customer app: Secure Storage, certificate pinning, root detection, session timeout. CSRF Bearer-only exemption for API clients. ConfirmQueuePrint error handling. Shopkeeper Windows audit added.
Jan 30, 2026 — Backend: JWT, CORS, rate limiting, file upload security, auth cookie, CSRF. Frontend: httpOnly cookie, CSRF, security headers, safeError.
Jan 26, 2026 — Initial audit; 10 critical vulnerabilities identified.