Security
Built to support
TPN-compliant workflows.
Centrik is self-hosted by design. The controls below describe what we provide; your facility's physical security, network controls, and organisational policies remain under your control — as TPN expects.
Centrik is TPN-aligned — its technical controls follow the MPA Content Security Best Practices (CSBP). It is not yet TPN-certified; a formal Gold Shield assessment is a roadmap item, not a current claim. See roadmap.
Authentication & Access Control
MPA CSBP: DS-10, DS-12
- Password hashing
- bcrypt with cost factor 12; legacy hashes upgrade lazily on next successful login.
- Password complexity
- 12-character minimum, mixed case, digit, special character — enforced server-side on every password-setting endpoint.
- Mandatory rotation
- 90-day expiration on local accounts. Login is blocked until the user sets a new password.
- Multi-factor authentication
- TOTP (Google Authenticator, Authy, etc.) with 10 single-use backup codes. Mandatory for external users; optional for internal staff.
- Account lockout
- Five failed login attempts trigger a 15-minute lockout. Admin unlock available.
- Rate limiting
- Auth endpoints: 10 attempts per 15 minutes per IP+email. Password reset: 3 per hour per email. API: 100 req/min.
- Role-based access control
- Eight-tier hierarchy (admin → producer → supervisor → lead → senior_artist → artist → junior_artist → client) enforced on every protected route.
- Account provisioning
- Self-registration disabled. Access-request workflow with admin or supervisor approval required.
- Session management
- 30-minute inactivity timeout, single-session enforcement (optional), JWT tokens with configurable expiry (default 24h).
Audit Logging
MPA CSBP: DS-11
- Authentication events
- Login success/failure, logouts, lockouts, password changes, 2FA setup/disable.
- Content access events
- Proxy access, media streaming, thumbnail access — all logged with user, IP, timestamp.
- Administrative actions
- Password resets, role changes, account creation/deletion. Critical actions flagged.
- Retention policy
- Two-stage retention: 90 days hot in PostgreSQL (queryable, fast), then 365 days archived to JSON files on disk (slow-recall), then purged. Both windows are operator-extendable via env vars (TPN minimum 90 days hot is enforced).
- Automated cleanup
- Daily cleanup job at 03:00 UTC archives expired DB rows to JSON and purges archive files past retention. The cleanup itself is audit-logged.
- Active alerting
- Email notifications to administrators on critical events — account lockouts, admin password resets, recovery-admin endpoint use — with in-memory throttling to prevent alert fatigue.
Encryption
MPA CSBP: DS-13, DS-14
- Secrets at rest
- AES-256-GCM with unique IV per value for sensitive system settings (SMTP credentials, integration tokens). Encryption key separable from auth signing key.
- Database at rest
- Delegated to the deployment infrastructure (LUKS, FileVault, AWS EBS encryption, etc.) — appropriate for self-hosted model.
- In transit
- HSTS (1-year max-age, includeSubDomains, preload) in production. Optional TLS for internal Postgres and Redis connections.
- Content access
- Signed, time-limited tokens for external reviewer media access. No direct file paths exposed.
Application Security
MPA CSBP: DS-18
- HTTP security headers
- Helmet.js: HSTS, frameguard (deny), noSniff, XSS filter, strict referrer policy, Content Security Policy in production.
- CORS
- Strict allowlist; unknown origins are rejected (fail-closed).
- SQL injection prevention
- Sequelize ORM with parameterized queries throughout. No raw SQL on auth or user-facing paths.
- XSS prevention
- React default escaping; no use of dangerouslySetInnerHTML in user-facing components.
- CSRF
- Stateless JWT in Authorization header (not cookies), eliminating the traditional CSRF surface.
Content Protection
MPA CSBP: DS-20
- Visible watermarking
- Configurable text overlay (position, opacity, font size) applied at delivery time. Supports timestamp and username burn-in.
- External reviewer scoping
- Magic-link review for clients and outside collaborators is email-verified, time-limited, and scoped to specific review rooms — never the broader project.
- Default secrecy
- Open self-registration disabled by default. New users require admin or supervisor approval before any content access.
Patch & Vulnerability Management
MPA CSBP: DS-9, DS-17
- Dependency auditing
- Automated npm audit checks every 60 seconds; CRITICAL and HIGH severity findings alert to log.
- File integrity monitoring
- SHA-256 baselining of critical files (auth middleware, server entry, package-lock). Drift detection logs.
- Suspicious code pattern scanning
- Continuous scan for eval, child_process.exec with user input, hardcoded credentials, and SQL injection patterns.
Deployment & Network
MPA CSBP: —
- Self-hosted model
- Customer controls their own infrastructure, network segmentation, and physical security — appropriate for TPN-aligned facilities.
- Reverse-proxy friendly
- No hardcoded localhost assumptions. Deploys cleanly behind nginx, Caddy, or any TLS-terminating reverse proxy.
- VPN / air-gap compatible
- Pure HTTP/HTTPS; no outbound dependencies for core review and tracking flows. Suitable for closed-network facility deployments.
Reporting a vulnerability
If you believe you've found a security issue in Centrik, please report it privately before public disclosure. We aim to acknowledge reports within two business days.
Email: drew@tradecraftvfx.com
Machine-readable contact details follow
RFC 9116:
/.well-known/security.txt
Roadmap
Honesty on what isn't done yet:
- Forensic watermarking
- Per-viewer, recoverable-from-screen-capture watermarks. Visible watermarking is implemented today; forensic is planned for studio-tier deployments.
- Formal TPN Gold Shield assessment
- Centrik's controls are TPN-aligned today. A formal third-party assessment is on the roadmap when a customer requires it.
- Multi-channel alert routing
- Email alerting is implemented today. Additional channels (generic outbound webhook, Slack, PagerDuty) are planned for ops teams that want non-email routing.
- Independent penetration test
- A formal third-party penetration test is planned ahead of the first studio-tier deployment.