Vista General de Seguridad
FeedbackPulse SaaS is built with security as a top priority. This page documents all security measures in place.
Seguridad Layers
Transport Seguridad
| Feature | Implementation |
|---|---|
| HTTPS | Enforced via SESSION_SECURE_COOKIE=true and redirect middleware |
| HSTS | Strict-Transport-Seguridad: max-age=31536000; includeSubDomains |
| Seguridad Headers | Applied by SeguridadHeaders middleware on every response |
Authentication
| Feature | Implementation |
|---|---|
| Password Hashing | Bcrypt with 12 rounds |
| Two-Factor Auth | TOTP via authenticator apps (Google Authenticator, Authy) |
| Social Login | OAuth2 with Google and GitHub |
| Email Verification | Required before accessing dashboard |
| Signed URLs | Used for team invitations (7-day expiry) |
| Session Encryption | Sessions encrypted at rest |
Authorization
| Feature | Implementation |
|---|---|
| Role-Based Access | 4 roles: superadmin, tenant_admin, tenant_staff, customer |
| Middleware Guards | Route-level access control |
| Tenant Isolation | Global scope prevents cross-tenant data access |
| Plan-Based Gates | Caracteristicas locked behind subscription plan |
Application Seguridad
| Feature | Implementation |
|---|---|
| CSRF Protection | Laravel CSRF tokens on all forms (except webhooks/widget) |
| XSS Prevention | Blade {{ }} auto-escaping |
| SQL Injection | Eloquent parameterized queries |
| Mass Assignment | Model $fillable whitelisting |
| Rate Limiting | Per-route throttling (5-120 req/min) |
API Seguridad
| Feature | Implementation |
|---|---|
| API Key Hashing | SHA256 hashed storage |
| Per-Tenant Rate Limits | 60 requests/minute per tenant |
| Key Rotation | Revoke old keys, create new ones |
| Last Used Tracking | last_used_at timestamp updated on every use |
Data Seguridad
| Feature | Implementation |
|---|---|
| Sensitive Data Encryption | Platform settings encrypted at rest |
| GDPR Compliance | Data export, deletion, anonymization tools |
| Data Retention | Auto-delete old data per plan retention policy |
| Audit Logging | Every significant action tracked with IP and user agent |
| CSV Injection Prevention | Formula characters sanitized in exports |
Webhook Seguridad
| Feature | Implementation |
|---|---|
| HMAC Signatures | SHA256 signatures on outbound webhooks |
| SSRF Protection | Blocks localhost, private IPs in webhook URLs |
| Stripe Verification | Webhook signature verification |
| Event Deduplication | Prevents double-processing via event ID tracking |
HTTP Seguridad Headers
Applied by the SeguridadHeaders middleware:
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Strict-Transport-Security: max-age=31536000; includeSubDomains
Referrer-Policy: strict-origin-when-cross-origin
Content-Security-Policy: [configured per deployment]