Security Requirements - Football Field Booking System
Version: 1.0 Last Updated: 2026-01-13 Owner: Security Lead / Tech Lead Applies to: API Gateway + all microservices + databases + Kafka + Redis + Keycloak + CI/CD + deployments
1) Security Objectives
- Protect customer data (PII), booking data, payment references, and audit logs.
- Prevent unauthorized access (authn/authz correctness).
- Ensure integrity of bookings (no double-booking, no tampering) and payments (no duplicate charges).
- Reduce blast radius through least privilege and segmentation.
- Detect and respond to incidents quickly using logs/traces/alerts.
2) Threat Model (High Level)
2.1 Assets
- User PII: email, phone, profile details, Zalo identifiers.
- Booking data: fieldId, userId, timeslots, receipts.
- Payment data: provider transaction IDs, payment status (no raw card storage).
- Auth tokens: access/refresh tokens, Keycloak credentials.
- Infrastructure secrets: DB passwords, Redis password, Kafka credentials, webhook secrets.
2.2 Trust Boundaries
- Public internet → API Gateway
- API Gateway → internal services network
- Services → datastores (Postgres/Mongo/Redis)
- Services → Kafka
- External providers → payment webhooks endpoints
2.3 Common Attack Scenarios
- Credential stuffing / brute force against auth endpoints.
- Token theft and replay.
- Broken access control (IDOR) for bookings/fields.
- Double booking via race conditions.
- Payment webhook forgery / replay (fake “payment success”).
- Injection attacks (SQL/NoSQL), SSRF, path traversal, deserialization.
- Supply chain attacks (malicious dependency, compromised CI runner).
- Data exfiltration from logs/secrets.
3) Authentication Requirements (Keycloak / OIDC)
SEC-1: Centralized Authentication
Priority: P0
Requirements
- Use Keycloak (OIDC) as the identity provider.
- API Gateway must validate access tokens:
- signature verification
- issuer (
iss) and audience (aud) checks - token expiration
- nonce/state where applicable for browser flows
- Services must accept identity context from gateway and/or re-validate tokens (defense in depth).
SEC-2: Token Policy
Priority: P0
Requirements
- Access token TTL: 15 minutes
- Refresh token TTL: 7 days
- Rotate refresh tokens on use (recommended).
- Support forced logout / token revocation for compromised accounts.
SEC-3: MFA (Phase 2)
Priority: P2
- Require MFA for
ADMINusers and sensitive operations (e.g., approving fields, refunds).
4) Authorization Requirements (RBAC + Resource-level)
SEC-4: Role-Based Access Control
Priority: P0
Roles
ADMIN: system administration, approvals, refunds.OWNER: manage own fields, view own bookings.CUSTOMER: search and create/manage own bookings.
SEC-5: Resource-Level Authorization (Anti-IDOR)
Priority: P0
Requirements
- Booking endpoints:
- Only booking owner (or admin) can view/cancel a booking.
- Field endpoints:
- Only field owner (or admin) can update field details.
- Profile endpoints:
- Only the user (or admin) can update profile.
Acceptance Criteria
- Attempts to access others’ resources return 403 (or 404 where appropriate).
5) API Security Controls
SEC-6: Rate Limiting & Abuse Protection
Priority: P0
Requirements
- Enforce rate limiting at API Gateway:
- Auth endpoints: 5 req/min/user or IP
- Default: 100 req/min/user
- Payment endpoints: 10 req/min/user
- Add IP-based throttling for unauthenticated endpoints (search).
- Implement account lockout / captcha after repeated failures (Phase 2).
SEC-7: Input Validation & Schema Enforcement
Priority: P0
Requirements
- Validate all incoming payloads with strict DTO validation (no unknown fields unless explicitly allowed).
- Enforce content-type (
application/json) where applicable. - Normalize and validate time fields for bookings (UTC).
SEC-8: CORS, CSRF, Security Headers
Priority: P0
Requirements
- CORS allowlist only for trusted origins (web frontend domains).
- If using cookies for auth, enable CSRF protection (double-submit or same-site cookies + CSRF token).
- Enable security headers at gateway (e.g.,
X-Content-Type-Options,X-Frame-Options,Content-Security-Policyas needed).
6) Data Security
SEC-9: Encryption in Transit
Priority: P0
Requirements
- Use TLS 1.2+ (prefer TLS 1.3) for:
- Client → gateway
- service → service (mTLS recommended in Kubernetes)
- service → DB (where feasible)
SEC-10: Encryption at Rest
Priority: P1
Requirements
- Enable disk encryption at node/storage level (K8s volumes / cloud-managed storage).
- Protect database backups with encryption and access controls.
SEC-11: Secrets Management
Priority: P0
Requirements
- Never store secrets in git.
- Use Kubernetes secrets (or Vault) for:
- DB passwords
- Redis password
- Kafka credentials (if enabled)
- payment webhook secrets
- email/ZNS provider API keys
- Rotate secrets at least quarterly (or immediately after incident).
SEC-12: Logging & PII Redaction
Priority: P0
Requirements
- Do not log:
- passwords
- tokens
- full payment payloads containing sensitive data
- Mask/obfuscate PII where possible (email/phone partial).
- Store audit logs separately from app logs (logical separation at minimum).
7) Payment Security (PCI & Webhooks)
SEC-13: PCI-DSS Compliance Boundary
Priority: P0
Requirements
- Never store raw card data.
- Store only:
- provider payment intent id
- provider transaction id
- last4/brand (optional) if provided and allowed
SEC-14: Webhook Verification & Replay Protection
Priority: P0
Requirements
- Verify webhook signatures (Stripe/VNPay) using configured secrets.
- Reject unsigned/invalid signature payloads with 401/400.
- Implement idempotency:
- deduplicate on provider event id
- safe retries (at-least-once delivery)
- Record webhook receipt with traceId/requestId for audit.
- Validate event type and booking/payment mapping before updating state.
8) Infrastructure & Network Security
SEC-15: Network Segmentation
Priority: P1
Requirements
- In Kubernetes, use NetworkPolicies:
- Only gateway accepts inbound from internet.
- Services can only talk to required dependencies.
- Datastores not exposed publicly.
SEC-16: Least Privilege (DB/Kafka/Redis)
Priority: P0
Requirements
- Separate DB users per service with minimal grants.
- Restrict Kafka ACLs (publish/consume only needed topics).
- Redis password required (already in docker-compose) and protected.
SEC-17: Container & Runtime Hardening
Priority: P1
Requirements
- Run containers as non-root.
- Read-only root filesystem where possible.
- Pin base images and apply security updates regularly.
- Configure resource limits (CPU/memory) to mitigate DoS.
9) Application Security (OWASP ASVS / Top 10)
SEC-18: Injection Prevention
Priority: P0
- Use parameterized queries/ORM (TypeORM).
- Validate and sanitize dynamic filters for search endpoints.
- For MongoDB, avoid direct
$whereor untrusted query operators.
SEC-19: SSRF & External Requests
Priority: P1
- Any outbound HTTP calls must use allowlists for hosts (payment/notification providers).
- Disallow arbitrary URL fetching from user input.
SEC-20: File Upload Security (Avatar/Images)
Priority: P1
- Enforce file size limit and allowed content types.
- Virus scanning (Phase 2).
- Store uploads in object storage (preferred) and serve via CDN.
10) Auditing & Compliance
SEC-21: Audit Logging
Priority: P1
Audit events
- Admin actions (field approvals, user bans, refunds)
- Payment status transitions
- Booking cancellations
Retention
- Minimum 1 year (or per local regulation / thesis requirements).
11) Security Testing Requirements
SEC-22: Automated Security Checks in CI
Priority: P0
- Dependency vulnerability scanning (npm audit / SCA tool).
- Static analysis (CodeQL already present in repo).
- Secret scanning (pre-commit + CI).
SEC-23: DAST / Pen Testing (Phase 2)
Priority: P2
- Run OWASP ZAP baseline scan against staging.
- Perform manual testing for:
- IDOR
- auth bypass
- webhook forgery
SEC-24: Test Plan (Minimum)
Priority: P0
- Auth tests: invalid token, expired token, wrong audience.
- Authorization tests: attempt to access others’ bookings/fields.
- Rate limit tests: login brute force thresholds.
- Webhook tests: invalid signature and replayed events.
- Input validation tests: invalid time ranges, negative prices, oversized payloads.
12) Incident Response Plan
SEC-25: Detection & Triage
Priority: P1
- Alerts for:
- error rate spikes
- auth failures spikes
- payment webhook verification failures
- suspicious admin actions
SEC-26: Containment
Priority: P1
- Rotate secrets and revoke tokens.
- Disable compromised accounts.
- Block abusive IPs at gateway/WAF.
SEC-27: Recovery & Postmortem
Priority: P1
- Restore from backups if integrity compromised.
- Publish postmortem with action items and owner/ETA.
13) Security Acceptance Criteria (Release Gate)
Before production release:
- [ ] All endpoints protected as designed (except explicitly public).
- [ ] Role + resource authorization tests passing.
- [ ] Webhooks signature verification implemented and tested.
- [ ] No secrets committed; secret scanning enabled.
- [ ] Audit logging exists for admin + payment actions.
- [ ] Vulnerability scan has no critical/high issues (or documented mitigations).
Document Version: 1.0 Last Updated: 2026-01-13 Owner: Security Lead / Tech Lead