Security Policy

Last updated: May 22, 2026

Cyber Command Center is a portfolio and training workflow project. It is not a certified enterprise platform, managed SOC service, or place to store sensitive client data, lab credentials, payment details, or production incident evidence.

Security Model

The app has two operating modes:

Guest mode: progress, notes, study sessions, and simulation events stay in browser local storage and are not synced by the app.
Signed-in mode: the browser talks to the self-hosted API at https://c3-api.mdpstudio.com.au. The API owns auth, sessions, CSRF checks, user scoping, export, and deletion.

PostgreSQL is private to Docker. Browser code must never receive database credentials, Google client secrets, SMTP secrets, service-role keys, or backup credentials.

Current Controls

Optional guest mode for no-account use.
Email/password auth and Google OAuth through the self-hosted API.
Simulation-risk tracking records drill metadata only. It does not send phishing messages, automate learners, or provide an enterprise admin console.
Optional authenticator MFA for email/password accounts. Once enabled, password login requires a valid 6-digit TOTP code before a session is issued.
High-risk account actions are marked in the dashboard. Account deletion requires an MFA step-up code when MFA is enabled.
Bcrypt password hashes and hashed server-side session tokens.
HttpOnly, Secure, SameSite=Lax session cookies in production.
Allowed-origin and CSRF checks for state-changing signed-in routes.
Server-side per-user access control on progress, notes, sessions, simulation events, export, and deletion.
Notes render through React text and textarea paths, not raw HTML injection paths.
External links use safe new-tab attributes.
Netlify security headers block framing, MIME sniffing, camera, microphone, and geolocation permissions.
An enforcing Content Security Policy allows the app, Google Fonts, and https://c3-api.mdpstudio.com.au.

Data Lifecycle

Guest mode

Guest progress, notes, sessions, and simulation events stay in browser local storage until you clear site data or use the Privacy Controls panel.

Signed-in mode

Account identity, authenticator MFA state if enabled, progress, notes, study sessions, and simulation-risk events are stored in the self-hosted PostgreSQL database until the account is deleted. Deleted records may remain in backups for the configured backup retention window.

Data minimization

Do not store passwords, API keys, client data, payment details, private lab credentials, or live incident evidence in notes or simulation-event labels.

Privacy Controls

The signed-in dashboard includes a Privacy Controls panel with two self-service actions:

Export My Data: downloads a JSON snapshot of your profile, task progress, notes, study sessions, and simulation events. In guest mode it dumps the corresponding local-storage keys instead.
Authenticator MFA: email/password users can generate a TOTP setup key, verify one code, and later disable MFA only after entering a valid code.
Delete My Account: behind a "type DELETE to confirm" guard, and an MFA code when enabled, calls the backend deletion route, removes your account and user-scoped app data, clears local guest keys defensively, and reloads.

Content Security Policy

A Content-Security-Policy header is shipped from netlify.toml and nginx.conf. It allows the asset domains the app currently needs and reports violations to https://c3-api.mdpstudio.com.au/api/csp-report.

The policy was promoted after the remote API, tunnel, migration, backup restore, and production API smoke tests passed.

Known Gaps

No formal compliance certification, uptime SLA, DPA, SSO/SAML, audit-log export, or enterprise admin console.
The MFA pilot still needs browser validation with the first small user group, including sign-in friction and recovery handling.
Incident response is manual and best effort.

Incident Reporting

Email [email protected] with the subject Security report: Cyber Command Center.

Include the affected URL or file path, reproduction steps, expected and actual result, browser/device details if relevant, and screenshots or logs with secrets removed.

Do not include passwords, API keys, private account data, payment details, client data, or third-party platform secrets. Do not publicly disclose an unfixed issue until it has been triaged.