
Security

TruePPM uses JWT (JSON Web Tokens) via djangorestframework-simplejwt:

  • Access token — short-lived, included in every API request as Authorization: Bearer <token>
  • Refresh token — longer-lived, used to obtain new access tokens via POST /api/token/refresh/
  • Token lifetimes are configurable in Django settings

WebSocket connections authenticate via ?token=<jwt> on the connection URL.
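The two mechanisms above, as an added, self-contained example that is not TruePPM's or djangorestframework-simplejwt's code: an HS256 access token is verified with the standard library only (signature over header.payload, pinned algorithm, expiry check), and the same verifier is reused for a WebSocket URL carrying `?token=<jwt>`. The claim names (`user_id`, `token_type`, `exp`) are assumed to match simplejwt's defaults, the secret and the 300-second lifetime are placeholders, and `issue_access_token` exists only to produce test input. Because the signing key is Django's SECRET_KEY, anyone holding it can mint tokens this verifier will accept, which is the reason the secrets table below ranks its leak as full account takeover.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional
from urllib.parse import parse_qs, urlparse

# Placeholder values for this example only. In TruePPM the HS256 key is
# Django's SECRET_KEY and the lifetime comes from the SIMPLE_JWT settings.
SECRET_KEY = "example-only-secret-do-not-use"
ACCESS_TOKEN_LIFETIME = 300  # seconds (assumed value)


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_access_token(user_id: int, now: Optional[float] = None) -> str:
    """Mint a short-lived access token (test helper, mirrors simplejwt's claim names)."""
    now = time.time() if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"user_id": user_id, "token_type": "access",
               "exp": int(now + ACCESS_TOKEN_LIFETIME)}
    signing_input = f"{_b64url(json.dumps(header).encode())}.{_b64url(json.dumps(payload).encode())}"
    sig = hmac.new(SECRET_KEY.encode(), signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"


def verify_access_token(token: str, now: Optional[float] = None) -> Optional[dict]:
    """Return the payload of a valid, unexpired access token, else None."""
    now = time.time() if now is None else now
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        signature = _b64url_decode(sig_b64)
        payload = json.loads(_b64url_decode(payload_b64))
    except ValueError:  # malformed base64 or JSON (binascii.Error is a ValueError)
        return None
    # Pin the algorithm on the server side; never let the token choose it.
    if header.get("alg") != "HS256":
        return None
    expected = hmac.new(SECRET_KEY.encode(),
                        f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        return None
    # A refresh token must not be usable as an access token, and expiry is enforced.
    if payload.get("token_type") != "access" or payload.get("exp", 0) <= now:
        return None
    return payload


def authenticate_websocket(url: str, now: Optional[float] = None) -> Optional[dict]:
    """Pull ?token=<jwt> off the connection URL and verify it like any API request."""
    query = parse_qs(urlparse(url).query)
    token = query.get("token", [None])[0]
    if not token:
        return None
    return verify_access_token(token, now)
```

Because the WebSocket token travels in the URL, it will appear in reverse-proxy and load-balancer access logs unless those are configured to drop query strings; the short access-token lifetime limits, but does not remove, the value of such a log entry.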

TruePPM does not terminate TLS itself. In production, place a reverse proxy in front of the API and web services:

  • nginx — configure with proxy_pass to the API container
  • Caddy — automatic TLS with Let’s Encrypt
  • Cloud load balancer — AWS ALB, GCP HTTPS LB, etc.

Ensure WebSocket upgrade headers are forwarded correctly.

  • PostgreSQL should not be exposed to the public internet
  • Use network policies or firewall rules to restrict access to the API and Celery containers
  • Use a strong, unique password for the trueppm database user
  • Enable PostgreSQL SSL in production
  • Redis has no authentication by default — in production, use requirepass or a private network
  • Redis is used as a cache and broker; it does not store persistent data
  • If Redis is compromised, an attacker could inject WebSocket events or manipulate the Celery task queue

Secret         Where it's used                        Impact if leaked
SECRET_KEY     Django session signing, JWT signing    Full account takeover — attacker can forge any session or token
DATABASE_URL   PostgreSQL connection                  Full data access
REDIS_URL      Celery broker, Channels layer          Task injection, event spoofing

All API endpoints enforce role-based access control. See the RBAC documentation for the full permission matrix.

Key security properties:

  • No global admin role — permissions are scoped to individual projects
  • Role escalation prevention — you can only assign roles below your own
  • IDOR prevention — querysets are scoped to the user’s project memberships; non-members see empty results, not 403 errors
  • Last-Owner guard — prevents accidental removal of all project owners
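The four properties above, written out as an added example that is not TruePPM's code: an in-memory stand-in for the project queryset that scopes every lookup to the caller's memberships (so non-members get an empty result rather than a 403 that confirms the id exists), allows assigning only roles strictly below the actor's own, and refuses to remove the last owner. The role names and ranks are hypothetical, and the methods return status strings that a real view would translate into HTTP responses.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Hypothetical role hierarchy for this example (higher rank = more privilege);
# TruePPM's real role names and permission matrix are in its RBAC documentation.
ROLE_RANK = {"viewer": 1, "member": 2, "admin": 3, "owner": 4}


@dataclass
class Project:
    id: int
    name: str
    members: Dict[int, str] = field(default_factory=dict)  # user_id -> role name


class ProjectService:
    """In-memory stand-in for a membership-scoped queryset (example only)."""

    def __init__(self, projects: List[Project]):
        self._projects = {p.id: p for p in projects}

    def visible_projects(self, user_id: int) -> List[Project]:
        # IDOR prevention: every lookup is scoped to the user's memberships, so a
        # non-member sees nothing; there is no 403 that would reveal the project exists.
        return [p for p in self._projects.values() if user_id in p.members]

    def get_project(self, user_id: int, project_id: int) -> Optional[Project]:
        return next((p for p in self.visible_projects(user_id) if p.id == project_id), None)

    def assign_role(self, actor_id: int, project_id: int, target_id: int, new_role: str) -> str:
        project = self.get_project(actor_id, project_id)
        if project is None:
            return "not_found"  # indistinguishable from a project that does not exist
        actor_rank = ROLE_RANK[project.members[actor_id]]
        # Role escalation prevention: only roles strictly below your own may be handed out
        # (unknown role names are treated as maximally privileged and refused) ...
        if ROLE_RANK.get(new_role, 99) >= actor_rank:
            return "denied:escalation"
        # ... and a member who already holds a role at or above yours cannot be changed.
        current = project.members.get(target_id)
        if current is not None and ROLE_RANK[current] >= actor_rank:
            return "denied:escalation"
        project.members[target_id] = new_role
        return "ok"

    def remove_member(self, actor_id: int, project_id: int, target_id: int) -> str:
        project = self.get_project(actor_id, project_id)
        if project is None or target_id not in project.members:
            return "not_found"
        actor_rank = ROLE_RANK[project.members[actor_id]]
        target_role = project.members[target_id]
        # You may remove yourself, or anyone ranked strictly below you.
        if target_id != actor_id and ROLE_RANK[target_role] >= actor_rank:
            return "denied:escalation"
        # Last-Owner guard: a project must always keep at least one owner, even if
        # the sole owner is the one asking to leave.
        owners = [u for u, r in project.members.items() if r == "owner"]
        if target_role == "owner" and len(owners) == 1:
            return "denied:last_owner"
        del project.members[target_id]
        return "ok"
```

Note that "not found" is returned from the membership-scoped lookup before any permission logic runs; checking permissions first and scoping second would reintroduce the 403 oracle the IDOR rule is designed to avoid.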

If you discover a security vulnerability in TruePPM, please report it responsibly via the GitLab repository. Do not open a public issue for security vulnerabilities.