Security overview
This is a legal platform — the data it carries is sensitive. The controls below are in force today; any deviation is treated as a P0 incident.
Transport
TLS 1.3 everywhere. HTTP Strict Transport Security with a six-month max-age and subdomain inclusion. No plain-HTTP endpoints.
Authentication
Phone-OTP only; no passwords to phish. Per-phone lockout after 5 wrong verifications within a 30-minute window, with per-IP burst limiting on top. Access tokens expire after 15 minutes. Refresh tokens are rotated on every use and stored only as SHA-256 hashes, so a read of the token table yields nothing replayable. JWTs carry a kid header so signing keys can be rotated without a mass logout.
Authorisation
Every document fetch re-verifies ownership server-side against the parent case or notice and rejects any object key containing a path-traversal sequence. Presigned URLs expire after 5 minutes; the short TTL, rather than a hard single-use guarantee, is the enforced limit.
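The ownership re-check and key validation, as an added example that is not the platform's own code: the object key is matched against a strict allowlist shape before the owner of the parent case is compared with the caller, and only then is a 5-minute TTL handed back for presigning. The key layout cases/<caseId>/<docId>.<ext>, the caseRepo.ownerOf() interface and the sample repository contents are assumptions constructed for the example.

```javascript
// Added example, not the platform's own code: server-side ownership check plus
// object-key validation before a presigned URL is minted. The key layout and
// the repository interface are assumptions.
const PRESIGN_TTL_SECONDS = 5 * 60; // presigned URLs live 5 minutes (from the page)

// Allowlist by shape: exactly three segments, a fixed extension list, no
// separators other than "/". "..", "\", NUL bytes, percent-escapes and "//"
// cannot match this pattern at all.
const KEY_PATTERN = /^cases\/([a-z0-9-]{1,64})\/([a-z0-9-]{1,64})\.(pdf|png|jpg)$/;

function parseObjectKey(key) {
  if (typeof key !== "string") return null;
  // Defence in depth: check the raw and the percent-decoded form explicitly
  // so the traversal rejection is visible even if the pattern is loosened later.
  let decoded;
  try { decoded = decodeURIComponent(key); } catch { return null; }
  for (const s of [key, decoded]) {
    if (s.startsWith("/") || s.includes("..") || s.includes("\\") ||
        s.includes("\0") || s.includes("//")) return null;
  }
  const m = KEY_PATTERN.exec(key);
  if (!m) return null;
  return { caseId: m[1], docId: m[2] };
}

// caseRepo.ownerOf(caseId) returns the owning user id or null (assumed interface).
function authorizeDocumentFetch(userId, requestedKey, caseRepo) {
  const parsed = parseObjectKey(requestedKey);
  if (!parsed) return { allowed: false, reason: "bad-key" };
  const owner = caseRepo.ownerOf(parsed.caseId);
  if (owner === null) return { allowed: false, reason: "no-such-case" };
  if (owner !== userId) return { allowed: false, reason: "not-owner" };
  // Only a validated, owner-matched key is ever presigned, and only for 5 minutes.
  return { allowed: true, key: requestedKey, ttl: PRESIGN_TTL_SECONDS };
}

// Constructed in-memory repository standing in for the cases table.
const sampleRepo = {
  cases: new Map([["case-100", "user-a"], ["case-200", "user-b"]]),
  ownerOf(caseId) { return this.cases.has(caseId) ? this.cases.get(caseId) : null; },
};
```

The ownership lookup is keyed on the caseId parsed out of the validated key, never on a caseId supplied separately by the client, so the key and the record it is checked against cannot be made to disagree.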
Data at rest
PostgreSQL on Neon (AES-256 at rest), documents in Cloudflare R2 (AES-256 at rest, object versioning enabled). Database credentials are surfaced only through Cloudflare Hyperdrive and never embedded in client bundles.
Secrets
All third-party secrets (Digio, Razorpay, Pingen, Bhashini, WhatsApp, Fast2SMS) are stored as Cloudflare Worker secrets, scoped per environment, and never echoed in logs. Webhook payloads are verified with HMAC-SHA256 using timing-safe comparison.
CSP & headers
A strict Content-Security-Policy restricts scripts and connections to our own domains and approved payment/eSign iframes. Permissions-Policy denies geolocation, USB, Bluetooth, and payment-request APIs the app never needs.
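The Transport and CSP & headers sections above, as one added example that is not the platform's own code: a header helper that emits the six-month HSTS with includeSubDomains, a CSP built from a directive map, and the Permissions-Policy denials, next to a small linter that flags the weak settings a reviewer checks for (inline or wildcard script sources, missing object-src, base-uri and frame-ancestors). The origins and the payment/eSign iframe allowlist are placeholders; the platform's real values are not on the page.

```javascript
// Added example, not the platform's own code: security headers as a Worker
// would attach them, plus a lint pass for weak CSP settings. Origins and the
// iframe allowlist are placeholders.
const SIX_MONTHS_SECONDS = 180 * 24 * 3600; // 15552000: six-month HSTS max-age from the page

const SELF = "'self'";
const APP_ORIGIN = "https://app.example.test";   // placeholder for the app domain
const API_ORIGIN = "https://api.example.test";   // placeholder for the API domain
const FRAME_ALLOW = ["https://payments.example.test", "https://esign.example.test"]; // placeholders

function buildCsp() {
  const directives = {
    "default-src": [SELF],
    "script-src": [SELF, APP_ORIGIN],
    "connect-src": [SELF, API_ORIGIN],
    "img-src": [SELF, "data:"],
    "style-src": [SELF],
    "frame-src": FRAME_ALLOW,          // only the approved payment/eSign iframes
    "object-src": ["'none'"],
    "base-uri": [SELF],
    "form-action": [SELF],
    "frame-ancestors": ["'none'"],     // the app itself is never framed
  };
  return Object.entries(directives).map(([k, v]) => `${k} ${v.join(" ")}`).join("; ");
}

function securityHeaders() {
  return {
    "Strict-Transport-Security": `max-age=${SIX_MONTHS_SECONDS}; includeSubDomains`,
    "Content-Security-Policy": buildCsp(),
    "Permissions-Policy": "geolocation=(), usb=(), bluetooth=(), payment=()",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
  };
}

// Apply to anything with a Headers-like set(), e.g. a cloned Worker Response.
function applySecurityHeaders(headers) {
  for (const [name, value] of Object.entries(securityHeaders())) headers.set(name, value);
  return headers;
}

// Parse a CSP string into directive -> sources.
function parseCsp(csp) {
  const map = new Map();
  for (const part of csp.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length) map.set(tokens[0].toLowerCase(), tokens.slice(1));
  }
  return map;
}

// Findings a reviewer would raise against a CSP; empty array means clean.
function lintCsp(csp) {
  const p = parseCsp(csp);
  const findings = [];
  const script = p.get("script-src") || p.get("default-src") || [];
  const weak = (s) => s === "*" || s === "'unsafe-inline'" || s === "'unsafe-eval'" || s.startsWith("http:");
  if (script.length === 0 || script.some(weak)) findings.push("script-src absent or permits inline, eval, wildcard or plain-HTTP sources");
  for (const d of ["object-src", "base-uri", "frame-ancestors"]) {
    if (!p.has(d)) findings.push(`${d} missing`);
  }
  return findings;
}
```

Running lintCsp over the policy the helper emits returns no findings; running it over a loose policy such as `default-src *; script-src 'self' 'unsafe-inline'` returns one finding per weakness.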
Observability
Cloudflare Workers Logpush, head-sampled at 10%, feeds a retained R2 bucket for ad-hoc investigation; because sampling is applied per request, any individual request appears in the bucket with probability 0.1, not with certainty. Log entries at severity error or above are forwarded to a paging channel.
Vulnerability disclosure
Please email security@onlinevakil.in with a detailed proof of concept. We commit to acknowledgement within 48 hours, triage within 5 business days, and a fix or mitigation plan within 30 days of validation. We do not pay bounties yet but we publicly credit reporters who request it.
What we do not do
We do not collect Aadhaar numbers, card PANs, or biometric data on our servers. These flow through regulated third parties (UIDAI via Digio, Razorpay) whose certifications cover them. We do not run personalised advertising or third-party tracking scripts.