Security Guide - JagWell Documentation

Security Overview

JagWell is built with security as a top priority. The application implements multiple layers of security to protect user data and maintain privacy.

Authentication Security

Password Security

All passwords are hashed with bcrypt using a cost factor (salt rounds) of 10 before they are stored. The system never stores plaintext passwords.

JWT Tokens

Authentication is handled using JSON Web Tokens (JWT) with the following security measures:

  • Tokens expire after 1 day
  • Tokens are stored in HttpOnly cookies, so page scripts cannot read them and a token cannot be stolen through an XSS flaw
  • Token signing secrets are stored in environment variables, not in the code base
  • Authentication is stateless (no server-side session store), which keeps the application horizontally scalable

Data Security

Database Security

The application uses SQLite with the following security practices:

  • All database queries use parameterized statements to prevent SQL injection
  • Role-based access controls limit what data users can access
  • Database connection is properly closed after each operation

Privacy Protection

Personal health information is protected in several ways:

  • All sensitive data is stored locally in the institution's database
  • Patient records are accessible only to authorized personnel
  • Anonymous wellness trends are available for statistical analysis
  • Student IDs are issued by the school, not generated by the wellness app

Content Security Policy (CSP)

JagWell implements a strict Content Security Policy via Helmet to mitigate XSS attacks:

CSP Directives

  • script-src-attr 'none': Prohibits inline event handler attributes (onclick, onchange, etc.)
  • script-src 'self': Only allows scripts loaded from the same origin; inline <script> blocks and javascript: URLs are blocked
  • style-src 'self' 'unsafe-inline': Allows stylesheets from the same origin as well as inline styles
  • All other directives follow Helmet's default secure policies

Compliance Guidelines

When developing features, follow these CSP-compliant patterns:

  • Attach event handlers with addEventListener in JavaScript files instead of inline on* attributes
  • Create elements programmatically using document.createElement()
  • Attach event listeners directly to created elements using addEventListener()
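As an added example (not part of JagWell's own code), the check below scans HTML templates for the three patterns the policy above blocks at runtime, so violations are caught in review rather than as browser console errors; the regexes and the sample markup are constructed here for illustration.

```javascript
// Added example, not JagWell's own code: a small pre-deployment lint for the
// CSP rules listed above. It flags inline on* handlers (blocked by
// script-src-attr 'none') and inline <script> blocks or javascript: URLs
// (blocked by script-src 'self'), and names the compliant replacement.
// Limitation: regex-based, so a '>' inside an attribute value can confuse it.

const TAG = /<[a-z][^>]*>/gi;                 // every opening tag
const HANDLER = /\s(on[a-z]+)\s*=/gi;         // onclick=, onchange=, ... inside a tag
const SCRIPT_TAG = /^<script\b([^>]*)>$/i;    // a <script ...> tag; group 1 = attributes
const JS_URL = /\s(?:href|src)\s*=\s*["']?\s*javascript:/i;

// Returns one record per violation: the directive that blocks it and the fix.
function findCspViolations(html) {
  const violations = [];
  for (const [tag] of html.matchAll(TAG)) {
    for (const [, attr] of tag.matchAll(HANDLER)) {
      violations.push({
        directive: "script-src-attr 'none'",
        tag,
        problem: `inline ${attr} handler`,
        fix: "attach the handler with addEventListener in a JavaScript file",
      });
    }
    const script = SCRIPT_TAG.exec(tag);
    if (script && !/\bsrc\s*=/i.test(script[1])) {
      violations.push({
        directive: "script-src 'self'",
        tag,
        problem: "inline <script> block",
        fix: "move the code into a same-origin script file and load it with src",
      });
    }
    if (JS_URL.test(tag)) {
      violations.push({
        directive: "script-src 'self'",
        tag,
        problem: "javascript: URL",
        fix: "use a real URL, or a button with an addEventListener click handler",
      });
    }
  }
  return violations;
}

// Constructed sample template (not taken from the JagWell code base).
const SAMPLE_HTML = `
<button id="save" onclick="save()">Save</button>
<select id="range" onchange="filter(this.value)"></select>
<script>init();</script>
<script src="/js/app.js"></script>`;

for (const v of findCspViolations(SAMPLE_HTML)) {
  console.log(`${v.directive} blocks ${v.problem} in ${v.tag}\n  fix: ${v.fix}`);
}
```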

Server Security

Helmet Middleware

Helmet is used to secure HTTP headers:

  • Remove the X-Powered-By header, which would otherwise reveal the server framework
  • Add the X-Content-Type-Options header to prevent MIME-type sniffing
  • Include the X-Frame-Options header to prevent clickjacking
  • Add the Strict-Transport-Security header (HSTS) so browsers connect only over HTTPS

Environment Security

Sensitive information is properly protected:

  • JWT secrets and other sensitive values are stored in .env files
  • The .env file is listed in .gitignore and is never committed to the repository
  • Server configuration is kept separate from application code

Role-Based Access Control

JagWell implements a multi-tier permission system:

Admin Permissions

  • Manage users (create, edit, delete)
  • Edit patient information (excluding patient ID)
  • Edit wellness records (excluding critical IDs)
  • Manage treatments

Doctor Permissions

  • Manage patients
  • Log and edit wellness records
  • Manage treatments
  • View wellness trends

Student Permissions

  • Log their own wellness data
  • View their own wellness history
  • View their own wellness trends

Security Best Practices

For Administrators

  • Regularly audit user accounts and permissions
  • Keep the application updated to the latest version
  • Monitor access logs for unusual activities
  • Use strong, unique passwords for all accounts

For Healthcare Providers

  • Only access patient information when necessary for care
  • Log out of the system when leaving your workstation
  • Verify patient identity before updating records
  • Report any suspicious activities

For Students

  • Use strong passwords and don't share your account
  • Log out of shared computers
  • Report any unusual account activity
  • Only enter accurate wellness information