Security Overview

Comprehensive security guide for the AllureLMS SCORM API.

Security Architecture

Defense in Depth

The SCORM API implements multiple layers of security:

  1. Network Layer: HTTPS/TLS encryption
  2. Authentication Layer: API keys and Clerk sessions
  3. Authorization Layer: Scopes and tenant isolation
  4. Application Layer: Input validation and sanitization
  5. Database Layer: Row Level Security (RLS)
  6. Storage Layer: Encrypted storage and access controls

Security Principles

  • Least Privilege: Users and API keys have minimum required permissions
  • Defense in Depth: Multiple security layers
  • Fail Secure: Errors don't expose sensitive information
  • Audit Trail: All actions are logged
  • Regular Updates: Security patches applied promptly

Authentication Methods

API Key Authentication

Use Case: Server-to-server communication

Security Features:

  • SHA-256 hashing (never stored in plain text)
  • Scope-based permissions (read, write, admin)
  • Expiration dates
  • Revocation support
  • Tenant isolation

Best Practices:

  • Rotate keys every 90 days
  • Use different keys per environment
  • Store keys in secure secret management
  • Never commit keys to version control

Clerk Authentication

Use Case: Web application users

Security Features:

  • OAuth 2.0 / OpenID Connect
  • Session management
  • Multi-factor authentication support
  • Social login options

Best Practices:

  • Enable MFA for admin users
  • Use secure session cookies
  • Implement session timeout
  • Monitor for suspicious activity

Data Protection

Encryption

In Transit:

  • All API communication uses HTTPS/TLS 1.2+
  • Certificate pinning recommended
  • HSTS enabled

At Rest:

  • Database encryption
  • Storage encryption
  • Backup encryption

Data Isolation

Tenant Isolation:

  • Row Level Security (RLS) policies
  • Automatic tenant filtering
  • Cross-tenant access prevented

Data Segregation:

  • Separate storage per tenant
  • Isolated database queries
  • No data leakage between tenants

Token Security

Launch Tokens:

  • HMAC-SHA256 signing
  • Time-based expiration
  • Minimum 32-character secrets
  • Constant-time comparison

Dispatch Tokens:

  • JWT-based tokens
  • Scope restrictions
  • Domain whitelisting
  • Registration limits

Network Security

HTTPS/TLS

Requirements:

  • TLS 1.2 or higher
  • Valid SSL certificate
  • Certificate chain validation
  • HSTS headers

CORS Configuration

Allowed Origins:

  • Configured per tenant
  • Whitelist specific domains
  • Prevent unauthorized access

Headers:

  • Required headers only
  • No sensitive headers exposed
  • Proper preflight handling
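The following is a worked example added to this page, not AllureLMS code. It implements the CORS rules listed above as a single decision function: origins are matched exactly against a per-tenant allow-list, a rejected origin receives no Access-Control-Allow-Origin header at all (never a wildcard), and preflight requests are answered with only the methods and headers a SCORM client actually needs. The tenant-to-origin mapping, the request shape and the set of allowed methods and headers are assumptions; how the tenant is resolved for a request (for example from the API key) is left to the caller.

```javascript
// Added example (not AllureLMS code): per-tenant CORS allow-list with preflight handling.
// The tenant -> origin mapping and the request shape are assumptions for this example.

// Constructed configuration: which browser origins each tenant may call the API from.
const tenantOrigins = new Map([
  ['tenant-a', new Set(['https://lms.example.com', 'https://staging.lms.example.com'])],
  ['tenant-b', new Set(['https://courses.example.org'])],
]);

// Only what SCORM clients need is advertised; nothing broader.
const ALLOWED_METHODS = ['GET', 'POST', 'OPTIONS'];
const ALLOWED_HEADERS = ['Authorization', 'Content-Type'];
const PREFLIGHT_MAX_AGE = '600';

// Reduce an Origin header to scheme + host + port for exact comparison.
// Anything that is not a bare origin (paths, query strings, the literal "null") is rejected.
function normaliseOrigin(origin) {
  try {
    const u = new URL(origin);
    if (u.pathname !== '/' || u.search || u.hash) return null;
    return u.origin;
  } catch {
    return null;
  }
}

// Decide how to answer a request from `tenantId`'s point of view.
// req = { method, headers } with lower-cased header names (as Node's http module provides).
function corsDecision(tenantId, req) {
  const origin = req.headers.origin;
  // No Origin header: same-origin or non-browser client, so no CORS headers are needed.
  if (origin === undefined) return { allowed: true, status: 200, headers: {} };

  const allowList = tenantOrigins.get(tenantId);
  const norm = normaliseOrigin(origin);
  if (!allowList || !norm || !allowList.has(norm)) {
    // Deny without any Access-Control-* header; the browser blocks the response
    // and the server skips the work entirely.
    return { allowed: false, status: 403, headers: {} };
  }

  const headers = {
    'Access-Control-Allow-Origin': norm,
    'Vary': 'Origin', // stops a shared cache replaying one origin's header to another
  };

  const wanted = req.headers['access-control-request-method'];
  if (req.method === 'OPTIONS' && wanted !== undefined) {
    if (!ALLOWED_METHODS.includes(wanted.toUpperCase())) {
      return { allowed: false, status: 403, headers: {} };
    }
    headers['Access-Control-Allow-Methods'] = ALLOWED_METHODS.join(', ');
    headers['Access-Control-Allow-Headers'] = ALLOWED_HEADERS.join(', ');
    headers['Access-Control-Max-Age'] = PREFLIGHT_MAX_AGE;
    return { allowed: true, preflight: true, status: 204, headers };
  }
  return { allowed: true, status: 200, headers };
}
```

Exact matching is deliberate: a suffix or substring check would accept an origin such as a longer host name that merely begins with an allowed one, and reflecting the incoming Origin header unconditionally would disable the allow-list altogether.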

Firewall Rules

Recommendations:

  • Restrict access to known IPs (if possible)
  • Use WAF for DDoS protection
  • Monitor for suspicious traffic
  • Implement rate limiting

Compliance

Data Privacy

GDPR Compliance:

  • Right to access
  • Right to deletion
  • Data portability
  • Privacy by design

Data Retention:

  • Configurable retention policies
  • Automatic cleanup
  • Audit logs preserved

Security Standards

SOC 2:

  • Access controls
  • Encryption
  • Monitoring
  • Incident response

ISO 27001:

  • Information security management
  • Risk assessment
  • Continuous improvement

Security Best Practices

For Developers

  1. Never Commit Secrets:

    # Add to .gitignore
    .env.local
    .env.production
    *.key
    *.pem
    
  2. Use Environment Variables:

    // Read the key from the environment, never from source code, and fail fast if it is missing
    const apiKey = process.env.SCORM_API_KEY;
    if (!apiKey) {
      throw new Error('API key not configured');
    }
    
  3. Validate Input:

    // Validate untrusted input against a schema before using it
    import { z } from 'zod';

    const schema = z.object({
      package_id: z.string().uuid(),
      user_id: z.string().min(1).max(255),
    });
    // `input` is the untrusted request body (name assumed); parse() throws on invalid data
    const launchRequest = schema.parse(input);
    
  4. Handle Errors Securely:

    // Don't expose internal errors: server-side failures get a generic message,
    // client errors (4xx, e.g. validation) carry a message meant for the caller
    function publicErrorMessage(error) {
      if (error.status >= 500) {
        return 'Service temporarily unavailable';
      }
      return error.message;
    }
    
  5. Use HTTPS:

    const url = 'https://scorm-api.allurelms.com';
    // Never use HTTP in production
    

For Administrators

  1. Rotate Secrets Regularly:

    • API keys: Every 90 days
    • Launch tokens: Every 180 days
    • Database passwords: Every 90 days
  2. Monitor Access:

    • Review API key usage
    • Check for suspicious activity
    • Monitor failed authentication attempts
  3. Update Regularly:

    • Keep dependencies updated
    • Apply security patches
    • Review security advisories
  4. Backup Securely:

    • Encrypt backups
    • Test restore procedures
    • Store backups securely

For End Users

  1. Use Strong Passwords:

    • Minimum 12 characters
    • Mix of letters, numbers, symbols
    • Unique per service
  2. Enable MFA:

    • Use authenticator apps
    • Backup codes stored securely
    • Regular review of devices
  3. Be Cautious:

    • Don't share API keys
    • Verify email requests
    • Report suspicious activity

Security Checklist

Before Production

  • All secrets are strong (32+ characters)
  • HTTPS enabled and configured
  • API keys rotated and secured
  • Environment variables validated
  • CORS configured correctly
  • Rate limiting enabled
  • Monitoring and alerting configured
  • Backup and recovery tested
  • Security audit completed
  • Incident response plan documented

Ongoing Security

  • Regular security updates
  • Monitor for vulnerabilities
  • Review access logs
  • Rotate secrets regularly
  • Test backup/restore
  • Review security policies
  • Train team on security
  • Conduct security audits

Incident Response

If API Key Compromised

  1. Immediately Revoke Key:

    # Via dashboard or API
    DELETE /api/admin/api-keys/{key_id}
    
  2. Generate New Key:

    • Create replacement key
    • Update all integrations
    • Test new key
  3. Review Access Logs:

    • Check for unauthorized access
    • Review recent API calls
    • Identify compromised data
  4. Notify Affected Users:

    • If data accessed
    • Provide remediation steps
    • Update security procedures

If Data Breach Suspected

  1. Contain Breach:

    • Revoke affected credentials
    • Isolate affected systems
    • Preserve evidence
  2. Assess Impact:

    • Identify affected data
    • Determine scope
    • Document findings
  3. Notify Stakeholders:

    • Internal team
    • Affected users (if required)
    • Regulatory bodies (if required)
  4. Remediate:

    • Fix vulnerabilities
    • Strengthen security
    • Update procedures


Last Updated: 2025-01-15