
Bithumen Be Login

No immutable WORM storage; logs retained 90 days then rotated.

| Control | Compliance (OWASP 2023 / NIST 800‑63B) | Findings | Risk Rating |
|---------|---------------------------------------|----------|-------------|
| Password storage | ✔ (bcrypt cost ≥ 10) | OK | Low |
| Password policy | ✘ (no passphrase, no prohibited list) | Users may pick weak passwords | Medium |
| MFA | ✔ (required for admin roles) | Optional for non‑admin, SMS OTP weak | Medium |
| Transport security | ✔ (TLS 1.2+, HSTS) | OK | Low |
| XSS/CSRF protection | ✘ (SameSite Strict cookies not used – JWT in localStorage) | Tokens exposed to XSS | High |
| Session expiration | ✔ (30 min idle) | No absolute logout after password change | Medium |
| Token revocation | ✘ (no blacklist) | Compromised JWT remains valid until expiry | High |
| Brute‑force protection | ✘ (only IP‑based) | Credential stuffing possible | High |
| Logging & alerting | ✘ (no real‑time alerts) | Anomalous logins may go unnoticed | Medium |
| Secrets management | ✘ (env vars) | API keys and JWT secret in container env | High |
| Compliance | ✔ GDPR (data‑subject rights) | No SOC 2/ISO 27001 for admin portal | Medium |

Prepared 13 April 2026

1. Executive Summary

| Aspect | Current State | Strengths | Gaps / Risks | Recommendation |
|--------|---------------|-----------|--------------|----------------|
| Authentication method | Username/Password + optional OTP (SMS/email) | Simple, widely understood | No password‑less option, no adaptive MFA, OTP delivery can be intercepted | Implement WebAuthn/FIDO2 and adaptive risk‑based MFA |
| Password policy | Minimum 8 characters, at least one digit/special char | Meets baseline OWASP | No password‑strength estimator, no prohibited‑password list, no password‑history enforcement | Adopt NIST SP 800‑63B guidelines (8‑12 char passphrases, password‑less options) |
| Session management | JWT stored in localStorage, 30‑min inactivity timeout | Stateless, easy scaling | Vulnerable to XSS, token revocation not immediate | Move JWT to HttpOnly SameSite Strict cookies, add short‑lived access token + refresh token flow |
| Rate‑limiting / brute‑force protection | Basic IP‑based throttling (5 attempts/5 min) | Mitigates simple attacks | No account‑level lockout, no captcha, no bot‑detection | Introduce progressive delays, captcha after 3 failures, device‑fingerprinting |
| Logging & audit | Centralized logging to ELK; logs login success/failure | Good visibility | No alerting on anomalous login patterns, logs not immutable | Enable immutable log storage (WORM) and SIEM alerts for geolocation anomalies |
| Compliance | GDPR‑compliant, basic KYC for user accounts | Data‑subject rights respected | No SOC 2/ISO 27001 certification for BE admin portal | Pursue SOC 2 Type II audit for admin access |
| User experience | Classic login page, “Remember me” toggle | Fast load (< 1 s) | No SSO integration, no social login, no self‑service password reset | Add SSO (SAML/OIDC) for enterprise admins, self‑service reset with secure token |
| Infrastructure | Containerised (Docker) on Kubernetes (GKE), TLS 1.2+ | Scalable, automated deployment | No zero‑trust network segmentation, secret management via environment vars | Adopt a secret manager (GCP Secret Manager), implement service‑mesh (Istio) zero‑trust policies |

Scalability is satisfactory; the main bottleneck would be under massive concurrent credential checks. Adding a read replica for auth queries can off‑load the primary.

9. Recommendations – Roadmap

| Phase | Action | Owner | Effort (person‑days) | Target Completion |
|-------|--------|-------|----------------------|-------------------|
| 0 – Immediate | Migrate JWT storage to HttpOnly SameSite Strict cookies; deprecate localStorage. | Front‑end & API teams | 10 | Q2 2026 |
| 0 | Enable Content‑Security‑Policy (CSP) and Subresource Integrity to mitigate XSS. | Security team | 5 | Q2 2026 |
| 1 – Short‑term (≤ 3 months) | Implement adaptive MFA (risk‑based, device fingerprint, geolocation). | Auth team | 15 | Q3 2026 |
| 1 | Add per‑account lockout & CAPTCHA after | | | |
