WHATS CRM HUB

About Security

Security = Audit + Remediation

Security Is Not a Marketing Promise — It Is an Audit Done to Completion

We do not say "we are secure". We show you the audit: 27 findings identified, 7 remediation phases, all closed before production cutover.

Many SaaS vendors say "your data is safe" without showing how. We are different. The Go backend and Vue frontend of WhatsCRM Hub were audited (read-only) in May 2026 by a senior engineering team, with 27 specific findings — each tied to a concrete file:line in the code.

Each finding was closed in 7 sequential phases, starting from the most critical (cross-tenant data leak) down to hygiene (logging redact + security headers). Every fix had to ship with a regression test — without a test, the fix was not considered done.

The result: 0 CRITICAL, 0 HIGH open, all MEDIUM and LOW findings remediated. The system is production-ready for paid multi-tenant SaaS.

27 findings identified
7 remediation phases
100% CRITICAL + HIGH closed

Seven Security Pillars

What Do We Protect?

1. Multi-Tenant Isolation

Tenant A data will never leak to Tenant B. The X-Business-ID header is validated against user ownership in JWT + DB before any query runs. Every repository was audited (58 files), and a CI lint test automatically fails if a future developer adds a query without a business_id filter.

Cross-tenant data leak (CRITICAL) — closed in Phase 0
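The tenant check described above, as an added example written for this page (it is not WhatsCRM Hub's code). The Claims struct, the claimsFrom and dbMember callbacks and the business IDs are constructed assumptions; what it shows is the rule itself: the X-Business-ID header is only ever a hint, and a request is scoped to that business only when the JWT and the database both confirm membership.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"net/http"
)

// Claims is a constructed stand-in for the parsed JWT payload; the real claim
// names used by WhatsCRM Hub are not on the page.
type Claims struct {
	UserID      string
	BusinessIDs []string // businesses this user is a member of, as asserted by the JWT
}

var (
	ErrMissingHeader = errors.New("missing X-Business-ID header")
	ErrNotMember     = errors.New("user is not a member of the requested business")
)

// ResolveTenant decides which business a request may act on. The header is
// client-controlled and is honoured only if BOTH the JWT and the database
// confirm membership: the JWT check is cheap, the DB check (dbMember) catches
// memberships revoked after the token was issued.
func ResolveTenant(c Claims, header string, dbMember func(userID, businessID string) bool) (string, error) {
	if header == "" {
		return "", ErrMissingHeader
	}
	inJWT := false
	for _, id := range c.BusinessIDs {
		if id == header {
			inJWT = true
			break
		}
	}
	if !inJWT || !dbMember(c.UserID, header) {
		return "", ErrNotMember
	}
	return header, nil
}

type tenantKey struct{}

// TenantMiddleware runs before every business-scoped handler. claimsFrom is a
// hypothetical function returning the already-verified JWT claims for a request.
func TenantMiddleware(claimsFrom func(*http.Request) (Claims, bool), dbMember func(string, string) bool, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		c, ok := claimsFrom(r)
		if !ok {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		biz, err := ResolveTenant(c, r.Header.Get("X-Business-ID"), dbMember)
		if err != nil {
			// Missing header and non-membership get the same 403: the response
			// does not reveal whether the requested business ID exists.
			http.Error(w, "forbidden", http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r.WithContext(context.WithValue(r.Context(), tenantKey{}, biz)))
	})
}

// BusinessFromContext is what repositories read; every query is scoped by it.
func BusinessFromContext(ctx context.Context) string {
	v, _ := ctx.Value(tenantKey{}).(string)
	return v
}

func main() {
	c := Claims{UserID: "user-1", BusinessIDs: []string{"biz-a"}}
	member := func(u, b string) bool { return u == "user-1" && b == "biz-a" } // constructed DB lookup
	fmt.Println(ResolveTenant(c, "biz-a", member))
	fmt.Println(ResolveTenant(c, "biz-b", member))
}
```

Repositories never take a business ID from the request themselves; they read it from the context the middleware populated, which is what makes a mechanical "every query has a business_id filter" lint meaningful.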

2. Tokens That Do Not Leak

Access tokens are kept in-memory only (not in localStorage). Refresh tokens live in an httpOnly cookie, unreadable by JavaScript. WebSocket uses single-use tickets (TTL 30s), not JWT-in-URL — preventing token leaks via proxy logs, browser history, or Referer headers.

Token leak via WebSocket URL (CRITICAL) — closed in Phase 1
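A single-use WebSocket ticket store, as an added example for this page (not WhatsCRM Hub's own code). The store API, the injectable clock and the user IDs are constructed; the 30-second TTL is the figure stated above. The point it makes: a ticket is deleted the moment it is presented, so even if the handshake URL ends up in a proxy log or browser history, the captured value is already worthless.

```go
package main

import (
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"sync"
	"time"
)

// TicketTTL mirrors the 30-second lifetime stated on the page.
const TicketTTL = 30 * time.Second

var ErrInvalidTicket = errors.New("websocket ticket unknown, expired, or already used")

type ticket struct {
	userID  string
	expires time.Time
}

// TicketStore hands out random, short-lived, single-use tickets. The client
// obtains one over the authenticated HTTPS API and presents it once when
// opening the WebSocket, so the long-lived JWT never appears in a URL.
type TicketStore struct {
	mu      sync.Mutex
	now     func() time.Time // injectable clock (constructed for testability)
	tickets map[string]ticket
}

func NewTicketStore(now func() time.Time) *TicketStore {
	if now == nil {
		now = time.Now
	}
	return &TicketStore{now: now, tickets: map[string]ticket{}}
}

// Issue mints a 256-bit random ticket bound to an already-authenticated user.
func (s *TicketStore) Issue(userID string) (string, error) {
	raw := make([]byte, 32)
	if _, err := rand.Read(raw); err != nil {
		return "", err
	}
	t := base64.RawURLEncoding.EncodeToString(raw)
	s.mu.Lock()
	defer s.mu.Unlock()
	s.tickets[t] = ticket{userID: userID, expires: s.now().Add(TicketTTL)}
	return t, nil
}

// Redeem consumes a ticket. It is deleted before the expiry check, so a second
// presentation (for example replayed from a proxy log) always fails, and an
// expired ticket can never be revived.
func (s *TicketStore) Redeem(t string) (string, error) {
	s.mu.Lock()
	defer s.mu.Unlock()
	tk, ok := s.tickets[t]
	delete(s.tickets, t)
	if !ok || s.now().After(tk.expires) {
		return "", ErrInvalidTicket
	}
	return tk.userID, nil
}

// Sweep drops expired tickets that were never redeemed, so the map cannot grow
// without bound under a client that requests tickets but never connects.
func (s *TicketStore) Sweep() {
	s.mu.Lock()
	defer s.mu.Unlock()
	now := s.now()
	for t, tk := range s.tickets {
		if now.After(tk.expires) {
			delete(s.tickets, t)
		}
	}
}

func main() {
	s := NewTicketStore(nil)
	t, _ := s.Issue("user-1")
	fmt.Println(s.Redeem(t)) // first use succeeds
	fmt.Println(s.Redeem(t)) // replay fails
}
```

Run Sweep from a background goroutine on a timer; in a multi-instance deployment the same shape maps onto a Redis key with a 30-second expiry and an atomic GETDEL.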

3. Brute-Force-Resistant Auth

Refresh token rotation uses an atomic CAS — if a replay attempt is detected, the entire user token chain is revoked (security incident response). The 6-digit OTP is single-use and stored as a bcrypt hash (cost 12). The rate limiter is fail-closed when Redis is down — an in-memory fallback keeps brute-force blocked even during infrastructure hiccups.

Refresh race + OTP reuse + rate-limit bypass (HIGH×3) — closed in Phase 2
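The rotation-with-replay-detection rule, as an added example for this page rather than WhatsCRM Hub's implementation. The in-memory store, the chain terminology and the token format are constructed; a real deployment does the same compare-and-swap on a database row. It shows why a replayed refresh token revokes the whole chain: once a token that was already rotated shows up again, the server cannot tell the legitimate client from someone holding a stolen copy.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"sync"
)

var (
	ErrUnknownToken   = errors.New("unknown refresh token")
	ErrReplayDetected = errors.New("refresh token reuse detected: session chain revoked")
	ErrChainRevoked   = errors.New("session chain has been revoked; log in again")
)

// chain is one login session: a sequence of refresh tokens where only the
// newest one is exchangeable.
type chain struct {
	userID  string
	current string
	revoked bool
}

// RefreshStore is an in-memory model of the refresh-token table.
type RefreshStore struct {
	mu      sync.Mutex
	chains  map[string]*chain // chain ID -> chain
	byToken map[string]string // every token ever issued -> chain ID
}

func NewRefreshStore() *RefreshStore {
	return &RefreshStore{chains: map[string]*chain{}, byToken: map[string]string{}}
}

func randomToken() string {
	b := make([]byte, 32)
	if _, err := rand.Read(b); err != nil {
		panic(err) // no entropy means no tokens; crashing is the safe choice
	}
	return hex.EncodeToString(b)
}

// Login starts a new chain and returns its first refresh token.
func (s *RefreshStore) Login(userID string) string {
	s.mu.Lock()
	defer s.mu.Unlock()
	id, tok := randomToken(), randomToken()
	s.chains[id] = &chain{userID: userID, current: tok}
	s.byToken[tok] = id
	return tok
}

// Rotate exchanges the presented token for a new one. The read, compare and
// swap happen under one lock, the in-memory equivalent of an atomic CAS on the
// DB row, so two concurrent refreshes with the same token cannot both succeed.
func (s *RefreshStore) Rotate(presented string) (string, error) {
	s.mu.Lock()
	defer s.mu.Unlock()
	id, ok := s.byToken[presented]
	if !ok {
		return "", ErrUnknownToken
	}
	c := s.chains[id]
	if c.revoked {
		return "", ErrChainRevoked
	}
	if c.current != presented {
		// A token that was valid once but has already been rotated is being
		// replayed. We cannot tell whether the legitimate client or a thief
		// holds the stale copy, so the entire chain is revoked and the user
		// has to authenticate again.
		c.revoked = true
		return "", ErrReplayDetected
	}
	next := randomToken()
	c.current = next
	s.byToken[next] = id
	return next, nil
}

func main() {
	s := NewRefreshStore()
	t0 := s.Login("user-1")
	t1, err := s.Rotate(t0)
	fmt.Println("rotate:", err, t1 != "")
	_, err = s.Rotate(t0) // stale token presented again
	fmt.Println("replay:", err)
	_, err = s.Rotate(t1) // even the newest token is dead now
	fmt.Println("after revoke:", err)
}
```

Store only a hash of each token server-side in a real implementation; the chain logic is unchanged. Because a retry of a refresh that timed out on the network also looks like a replay, clients should never retry a refresh with the old token.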

4. Webhooks Cannot Be Spoofed

Webhooks from Meta (WhatsApp Business API) require HMAC signature verification in production — startup fails fast if app_secret is empty. Payment gateway signatures are compared with subtle.ConstantTimeCompare (a constant-time comparison that defeats timing attacks). 24-hour replay protection: identical payloads in that window are rejected as duplicates.

Webhook spoof (HIGH) + Duitku timing attack (MEDIUM) — closed in Phase 3
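All three controls in one verifier, as an added example for this page (not WhatsCRM Hub's code). The header format is the one Meta uses for its webhooks (X-Hub-Signature-256 carrying sha256=<hex> over the raw body); the secret, the sample delivery and the injectable clock are constructed. hmac.Equal is used for the comparison because it wraps subtle.ConstantTimeCompare, and the replay cache is consulted only after the signature passes.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
	"sync"
	"time"
)

const replayWindow = 24 * time.Hour

var (
	ErrNoSecret     = errors.New("app_secret is empty: refusing to start in production")
	ErrBadSignature = errors.New("webhook signature missing or invalid")
	ErrReplay       = errors.New("duplicate webhook payload inside the replay window")
)

// WebhookVerifier validates Meta-style webhook deliveries: an HMAC-SHA256 of
// the raw body, sent as "sha256=<hex>" in the X-Hub-Signature-256 header.
type WebhookVerifier struct {
	secret []byte
	now    func() time.Time // injectable clock (constructed for testability)
	mu     sync.Mutex
	seen   map[[32]byte]time.Time // SHA-256 of accepted bodies -> time first seen
}

// NewWebhookVerifier fails fast: in production an empty secret is a startup
// error, not something discovered when the first forged webhook arrives.
func NewWebhookVerifier(appSecret string, production bool, now func() time.Time) (*WebhookVerifier, error) {
	if production && appSecret == "" {
		return nil, ErrNoSecret
	}
	if now == nil {
		now = time.Now
	}
	return &WebhookVerifier{secret: []byte(appSecret), now: now, seen: map[[32]byte]time.Time{}}, nil
}

// SignPayload produces the header value a sender would attach. It exists here
// to build local test deliveries; in production the signer is Meta.
func SignPayload(appSecret string, body []byte) string {
	mac := hmac.New(sha256.New, []byte(appSecret))
	mac.Write(body)
	return "sha256=" + hex.EncodeToString(mac.Sum(nil))
}

// Verify checks the signature first and only then consults the replay cache,
// so unauthenticated traffic can never fill the cache.
func (v *WebhookVerifier) Verify(sigHeader string, body []byte) error {
	if !strings.HasPrefix(sigHeader, "sha256=") {
		return ErrBadSignature
	}
	got, err := hex.DecodeString(strings.TrimPrefix(sigHeader, "sha256="))
	if err != nil {
		return ErrBadSignature
	}
	mac := hmac.New(sha256.New, v.secret)
	mac.Write(body)
	// hmac.Equal is constant-time (it wraps subtle.ConstantTimeCompare), so
	// response timing reveals nothing about how many bytes of a guess matched.
	if !hmac.Equal(got, mac.Sum(nil)) {
		return ErrBadSignature
	}

	digest := sha256.Sum256(body)
	v.mu.Lock()
	defer v.mu.Unlock()
	now := v.now()
	for d, ts := range v.seen { // expire entries older than the window
		if now.Sub(ts) > replayWindow {
			delete(v.seen, d)
		}
	}
	if _, dup := v.seen[digest]; dup {
		return ErrReplay
	}
	v.seen[digest] = now
	return nil
}

func main() {
	v, _ := NewWebhookVerifier("constructed-app-secret", true, nil)
	body := []byte(`{"object":"whatsapp_business_account","entry":[]}`) // constructed sample delivery
	fmt.Println(v.Verify(SignPayload("constructed-app-secret", body), body)) // accepted
	fmt.Println(v.Verify(SignPayload("constructed-app-secret", body), body)) // duplicate
	fmt.Println(v.Verify(SignPayload("wrong-secret", body), body))           // bad signature
}
```

Read the raw request body once and verify exactly those bytes; re-serialising parsed JSON before hashing is the classic way to make every real delivery fail verification.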

5. Browser Protection (CSRF + XSS)

All mutating endpoints (POST/PUT/PATCH/DELETE) are CSRF-protected, not just /auth/*. Vue 3 auto-escapes all interpolations — chat user input is rendered without v-html, so a malicious WhatsApp message cannot inject script into the agent's browser. Full security headers: HSTS, X-Frame-Options DENY, X-Content-Type-Options nosniff, CSP in report-only mode.

CSRF coverage gap + missing security headers — closed in Phase 4 + 6
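Method-keyed CSRF protection plus the header set listed above, as an added example for this page (not WhatsCRM Hub's middleware). The page does not name the CSRF scheme, so the double-submit cookie pattern used here is an assumption, as are the cookie and header names, the HSTS max-age and the CSP policy string. The design point is that the check keys on the HTTP method rather than on a path prefix, which is exactly how a "/auth/* only" coverage gap is avoided.

```go
package main

import (
	"crypto/subtle"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// isMutating is the whole CSRF policy in one place: protection is keyed on the
// HTTP method, not on the URL path, so a new endpoint cannot be forgotten.
func isMutating(method string) bool {
	switch method {
	case http.MethodPost, http.MethodPut, http.MethodPatch, http.MethodDelete:
		return true
	}
	return false
}

// CSRFProtect implements a double-submit cookie check (an assumption; the page
// does not name the scheme): the SPA reads the csrf_token cookie and echoes it
// in X-CSRF-Token. A cross-site form post cannot read the cookie, so it cannot
// produce a matching header.
func CSRFProtect(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if isMutating(r.Method) {
			c, err := r.Cookie("csrf_token")
			hdr := r.Header.Get("X-CSRF-Token")
			if err != nil || c.Value == "" ||
				subtle.ConstantTimeCompare([]byte(c.Value), []byte(hdr)) != 1 {
				http.Error(w, "csrf token missing or mismatched", http.StatusForbidden)
				return
			}
		}
		next.ServeHTTP(w, r)
	})
}

// SecurityHeaders sets the headers listed on the page. The HSTS max-age and the
// CSP policy string are constructed values; CSP is deliberately report-only.
func SecurityHeaders(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		h := w.Header()
		h.Set("Strict-Transport-Security", "max-age=63072000; includeSubDomains")
		h.Set("X-Frame-Options", "DENY")
		h.Set("X-Content-Type-Options", "nosniff")
		h.Set("Content-Security-Policy-Report-Only", "default-src 'self'; report-uri /csp-report")
		next.ServeHTTP(w, r)
	})
}

func main() {
	ok := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { w.WriteHeader(http.StatusOK) })
	h := SecurityHeaders(CSRFProtect(ok))
	req := httptest.NewRequest(http.MethodPost, "/contacts", nil) // constructed cross-site request: no token
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	fmt.Println(rec.Code, rec.Header().Get("X-Frame-Options"))
}
```

The csrf_token cookie must be readable by the frontend (so not httpOnly) and is a separate cookie from the httpOnly refresh token; the two cookies protect against different things and must not be merged.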

6. Misconfig Cannot Ship to Prod

Production config is validated at startup — the server refuses to start if TOKEN_ENCRYPTION_KEY is empty, JWT secret is shorter than 32 chars, or CORS wildcard * is set in production. File uploads are MIME-validated server-side (sniffing the first 512 bytes — we do not trust client headers) — an .exe renamed to .png is rejected.

Config footgun + MIME spoof (MEDIUM×4) — closed in Phase 5
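Both startup checks in one place, as an added example for this page (not WhatsCRM Hub's code). The Config field names and the upload allow-list are constructed; the three rules and the 512-byte sniff are the ones stated above. The sniff uses Go's standard http.DetectContentType, which looks at exactly the first 512 bytes, and the returned reader replays those bytes so the upload can still be stored after inspection.

```go
package main

import (
	"bytes"
	"errors"
	"fmt"
	"io"
	"net/http"
	"strings"
)

// Config holds the settings the page names; the field names are constructed,
// the checks are the ones the page describes.
type Config struct {
	Env                string
	TokenEncryptionKey string
	JWTSecret          string
	CORSAllowedOrigins []string
}

// ValidateProd returns a non-nil error listing every fatal misconfiguration,
// so an operator sees all of them at once instead of fixing one per restart.
// The caller is expected to exit before binding a port.
func (c Config) ValidateProd() error {
	if c.Env != "production" {
		return nil // dev and test may run with weaker settings
	}
	var problems []string
	if c.TokenEncryptionKey == "" {
		problems = append(problems, "TOKEN_ENCRYPTION_KEY is empty")
	}
	if len(c.JWTSecret) < 32 {
		problems = append(problems, "JWT secret is shorter than 32 chars")
	}
	for _, o := range c.CORSAllowedOrigins {
		if o == "*" {
			problems = append(problems, "CORS wildcard * is not allowed in production")
		}
	}
	if len(problems) > 0 {
		return fmt.Errorf("refusing to start: %s", strings.Join(problems, "; "))
	}
	return nil
}

// allowedUploadTypes is a constructed allow-list; the page does not state the
// real one. Matching is done on the sniffed type, never on the client's
// Content-Type header or the filename extension.
var allowedUploadTypes = map[string]bool{
	"image/png":       true,
	"image/jpeg":      true,
	"application/pdf": true,
}

var ErrUploadType = errors.New("upload rejected: content is not an allowed file type")

// SniffUpload reads the first 512 bytes (the amount http.DetectContentType
// inspects), classifies the upload, and returns the detected type together
// with a reader that replays the consumed bytes so the file can still be stored.
func SniffUpload(r io.Reader) (string, io.Reader, error) {
	head := make([]byte, 512)
	n, err := io.ReadFull(r, head)
	if err != nil && err != io.ErrUnexpectedEOF && err != io.EOF {
		return "", nil, err
	}
	head = head[:n]
	ctype := http.DetectContentType(head)
	if !allowedUploadTypes[ctype] {
		return ctype, nil, ErrUploadType
	}
	return ctype, io.MultiReader(bytes.NewReader(head), r), nil
}

func main() {
	bad := Config{Env: "production", JWTSecret: "short", CORSAllowedOrigins: []string{"*"}}
	fmt.Println(bad.ValidateProd())

	// Constructed samples: a real PNG signature, and a PE/EXE header "renamed" to .png.
	png := append([]byte("\x89PNG\r\n\x1a\n"), make([]byte, 16)...)
	exe := append([]byte("MZ\x90\x00\x03\x00"), make([]byte, 16)...)
	fmt.Println(SniffUpload(bytes.NewReader(png)))
	fmt.Println(SniffUpload(bytes.NewReader(exe)))
}
```

Sniffing decides whether to accept the bytes; serving them later still needs X-Content-Type-Options: nosniff and a Content-Type set from the server-side detection, never from the upload request.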

7. Clean Logs (No PII Leak)

Production logs are auto-sanitized: SQL errors, stack traces, pointer addresses, and source paths are stripped before writing to file. Tokens, passwords, and secrets are never raw-logged — only an 8-char prefix when needed for tracing. Every request has a request-id for audit trails without exposing sensitive data.

Error sanitize + logging field redact — closed in Phase 6
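The two log hygiene steps described above, as an added example written for this page (not WhatsCRM Hub's logging code). The sensitive field list, the regular expressions and the sample log fields and error strings are all constructed; the 8-character prefix rule is the one stated. It runs over a structured-log field map and over raw error text, the two places where secrets and internals usually escape.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// sensitiveKeys lists structured-log field names whose values are never written
// in full. The list is constructed; extend it to match your logger's field names.
var sensitiveKeys = map[string]bool{
	"password": true, "token": true, "access_token": true, "refresh_token": true,
	"secret": true, "authorization": true, "otp": true,
}

// prefixOnly keeps the first 8 characters so a token can still be correlated
// across log lines; anything shorter (an OTP, a short password) is dropped entirely.
func prefixOnly(s string) string {
	if len(s) <= 8 {
		return "[redacted]"
	}
	return s[:8] + "...[redacted]"
}

// RedactFields returns a copy of a structured-log field map with sensitive
// values reduced to a prefix. The original map is not modified.
func RedactFields(fields map[string]interface{}) map[string]interface{} {
	out := make(map[string]interface{}, len(fields))
	for k, v := range fields {
		if sensitiveKeys[strings.ToLower(k)] {
			out[k] = prefixOnly(fmt.Sprint(v))
			continue
		}
		out[k] = v
	}
	return out
}

var (
	stackRe   = regexp.MustCompile(`(?s)\ngoroutine \d+ \[.*`)                       // Go panic stack traces
	sqlErrRe  = regexp.MustCompile(`(?i)\b(pq: |sqlstate|syntax error at or near).*`) // driver errors leak schema
	pointerRe = regexp.MustCompile(`0x[0-9a-fA-F]{6,}`)                             // heap addresses
	srcPathRe = regexp.MustCompile(`(/[\w.-]+)+\.go:\d+`)                           // source file:line
)

// SanitizeError rewrites an error message before it reaches the production log.
// Order matters: the stack trace is cut first so the SQL rule only has to look
// at the first line.
func SanitizeError(msg string) string {
	msg = stackRe.ReplaceAllString(msg, "")
	msg = sqlErrRe.ReplaceAllString(msg, "[sql error redacted]")
	msg = pointerRe.ReplaceAllString(msg, "0x[ptr]")
	msg = srcPathRe.ReplaceAllString(msg, "[path]")
	return strings.TrimSpace(msg)
}

func main() {
	// Constructed sample log fields and error strings.
	fmt.Println(RedactFields(map[string]interface{}{
		"request_id": "req-42", "user_id": "user-1", "token": "eyJhbGciOiJIUzI1NiJ9.payload.sig",
	}))
	fmt.Println(SanitizeError("handler panic at /srv/app/internal/http/upload.go:118 (0x00c0001a2b40)"))
}
```

Keep the unsanitized error for the request-id-correlated internal trace if you need it, but only in a store with the same access controls as the database; the file log is what ends up in log shippers and tickets.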

Standards We Follow

Aligned With Industry Standards

We do not claim "compliant" without basis — we show which standards we benchmark against and which controls we have implemented.

OWASP ASVS Level 2

Application Security Verification Standard — a globally accepted web app security checklist. Suited for SaaS storing sensitive customer data.

OWASP Top 10 (2021)

Specifically A01 (Broken Access Control), A02 (Cryptographic Failures), A05 (Security Misconfiguration), A07 (Auth Failures) — all addressed in our audit.

GDPR (EU)

Tenant data stays in the customer region (or on the customer VPS for source license). No automatic cross-border transfers. Right of access + right to erasure are built into the model.

PDPL Saudi / LGPD Brazil / UU PDP Indonesia

Aligned with the regulations of our key markets. Multi-tenant isolation ensures one tenant's "delete my data" request never touches another tenant.

A Process, Not a One-Off Audit

Security Is a Continuous Discipline

The May 2026 audit is just a snapshot. Here is what we put in place so the security posture does not degrade over time.

Mandatory Regression Tests

Every fix must ship with a test — without a test, the fix is not done. CI fails if a previously-fixed bug reappears.

Tenant Isolation Lint Test

Static analysis in CI scans every repository — if a new query lacks the business_id filter, the build fails. Long-term anti-regression.
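A minimal version of such a lint, as an added example for this page (the real CI check in WhatsCRM Hub is not shown on the page and may work differently). It parses Go source with the standard go/parser, finds every string literal that is a SELECT, UPDATE or DELETE statement, and reports the ones without a business_id predicate. The sample repository file and its path are constructed.

```go
package main

import (
	"fmt"
	"go/ast"
	"go/parser"
	"go/token"
	"regexp"
	"strconv"
	"strings"
)

// queryRe recognises string literals that are read/modify/delete statements.
// INSERTs are out of scope here: the page's rule is about queries that are
// missing a business_id filter.
var queryRe = regexp.MustCompile(`(?is)^\s*(select|update|delete)\b`)

type Finding struct {
	File  string
	Line  int
	Query string
}

// LintTenantFilter parses one Go source file and reports every SQL literal
// that is a SELECT/UPDATE/DELETE with no business_id predicate. Walking the
// AST rather than grepping means multi-line raw strings inside function
// bodies are seen; queries assembled by concatenation must be checked piecewise.
func LintTenantFilter(filename, src string) ([]Finding, error) {
	fset := token.NewFileSet()
	f, err := parser.ParseFile(fset, filename, src, 0)
	if err != nil {
		return nil, err
	}
	var findings []Finding
	ast.Inspect(f, func(n ast.Node) bool {
		lit, ok := n.(*ast.BasicLit)
		if !ok || lit.Kind != token.STRING {
			return true
		}
		q, err := strconv.Unquote(lit.Value)
		if err != nil {
			return true
		}
		if queryRe.MatchString(q) && !strings.Contains(strings.ToLower(q), "business_id") {
			findings = append(findings, Finding{
				File:  filename,
				Line:  fset.Position(lit.Pos()).Line,
				Query: strings.Join(strings.Fields(q), " "),
			})
		}
		return true
	})
	return findings, nil
}

// sampleSource is a constructed repository file with one compliant query and
// two that would fail the build.
var sampleSource = "package repo\n\n" +
	"const good = `SELECT id, name FROM contacts WHERE business_id = $1 AND id = $2`\n" +
	"const bad = `SELECT id, name FROM contacts WHERE id = $1`\n" +
	"const del = \"DELETE FROM messages WHERE id = $1\"\n"

// DemoFindings runs the lint over the constructed sample (the path is made up).
func DemoFindings() ([]Finding, error) {
	return LintTenantFilter("repo/contact.go", sampleSource)
}

func main() {
	findings, err := DemoFindings()
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Printf("%s:%d: query has no business_id filter: %s\n", f.File, f.Line, f.Query)
	}
	if len(findings) > 0 {
		fmt.Println("FAIL: tenant isolation lint") // CI exits non-zero here
	}
}
```

In CI, point it at every file under the repository package and fail the job on any finding; an explicit allow-list comment for the rare cross-tenant admin query keeps the rule honest without disabling it.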

Periodic Review

The audit document is revisited at the end of each remediation phase, and at minimum once before every major production cutover.

Transparent Decision Log

Every security trade-off is documented in SECURITY.md — why we chose option A over B, so future engineers understand the context.

Business Impact

Why This Matters For Your Business

Technical security sounds like an engineering concern, but its impact lands directly on revenue, retention, and how well you sleep at night.

Customer Trust

When customers know their business data is safe, they do not switch to competitors. Trust = retention = high LTV.

No Legal Exposure

A customer data breach can trigger fines under GDPR/LGPD/PDPL (up to 4% of annual revenue). Solid multi-tenant isolation = peace of mind.

Reputation Stays Intact

One viral data-leak incident on Twitter/LinkedIn can erase 5 years of branding. We have layered barriers in place to prevent it.

Enterprise Customers Pay Premium

Large corporate customers (the high-paying ones) require a security checklist before signing contracts. Transparent audit documentation = easier sales to the premium segment.

Want to See the Audit Details?

Our engineering team is open to a technical deep-dive — including access to the full audit document (SECURITY.md, 468 lines) under NDA for enterprise customers in serious evaluation.