Rhyme infrastructure is secured with SSL certificates which are automatically renewed without manual intervention and notify on renewal failure. All communication to our services is done over HTTPS. Traffic coming from HTTP is redirected to HTTPS. Our services include HTTP headers for HSTS and protection against XSS attacks, clickjacking, and MIME confusion attacks.
WebSocket Connections are only served over TLS. The websocket API requires an additional level of authorization through JWT tokens to allow the user to communicate with the API services.
SSL2, SSL3, TLS 1.0, and TLS 1.1 are blocked. Only TLS 1.2 is allowed. In future, support for TLS 1.3 will be added. Not vulnerable to DROWN, Hearbleed, etc.
User password is bcrypted and never logged. Passwords cannot be decrypted or reviewed under any circumstances. User can only send request to reset password by verifying ownership of email address. Users are encouraged to create long passwords containing multiple words. Password managers are supported in all login and sign up forms.
Credit card processing runs on and follows security practices of Stripe. Credit card information is handled by Stripe for PCI-DSS compliance.
After the user is logged in, all content is served via JWT (30 days duration).
Virtual Private Cloud
VPC is used to limit communication between virtual machines and Rhyme backend servers. All security group configurations are done using private IP addresses within the VPC.
The database runs on and follows security practices of AWS RDS. These database instances do not use public IP addresses and are accessible only from security groups that are applicable only to the Rhyme backend servers. Database is backed up using AWS RDS backup functionality. Restores are frequently verified.
SSH is allowed only with public-key connections. Password and root logins are disabled.
Internal monitoring services monitor the whole infrastructure about anomalous activities, infrastructure load, and potential breaches.
Infrastructure is deployed and configured automatically.
To prevent human error, theft, fraud, and misuse of facilities, all team members go through personnel screening and recommendations. They have to sign mandatory confidentiality agreements.
All developers are required to utilize disk encryption on their computing devices, enable their operating system’s security updates, and use a firewall.
Access control policies govern the access to resources like servers, databases, and other core systems. The default access rule is “deny” and access is explicitly provided only to the resources that are required for team members to perform their duties.
Access logs are maintained for access to servers, databases, and other core systems.