Is My Data Secure?
Witzo provides application-level security protections, while overall security depends on your deployment configuration.
Overview
Witzo is built with multiple backend protections to secure data, prevent abuse, and reduce common web vulnerabilities. These protections work at application level.
Infrastructure-level security depends on how and where you deploy the platform.
Application-Level Security Controls
Helmet Security Headers
Witzo uses helmet middleware to set secure HTTP headers. These include:
- Content Security Policy (CSP)
- X-Frame-Options
- X-Content-Type-Options
- Referrer-Policy
- Strict-Transport-Security (when HTTPS enabled)
These headers reduce clickjacking, MIME sniffing, and injection risks.
CSRF Protection
- Mutating protected routes (such as dashboard updates) use CSRF verification.
- This prevents unauthorized third-party requests from executing actions on behalf of logged-in users.
- Public chat endpoints are designed separately and do not rely on session cookies.
CORS Protection
- Witzo enforces CORS origin checks.
- Only allowed domains can interact with protected endpoints.
- This prevents external domains from misusing API routes.
Input Sanitization
All incoming data is sanitized before processing. This reduces the risk of:
- Script injection
- Malformed payload abuse
- Database manipulation attempts
Request Validation
- Request validation middleware ensures required fields are present and correctly formatted.
- Invalid or unexpected data is rejected before reaching business logic.
Production Hardening Considerations
Application security alone is not enough. Production deployment should also include:
- HTTPS with valid TLS certificates
- Firewall rules
- Database access restrictions
- Environment variable protection
- Secure Redis configuration
- Regular dependency updates
note
Security posture depends on infrastructure setup.
Important Notes or Limitations
Encryption in transit depends on HTTPS configuration.Encryption at rest depends on your database and hosting provider.Security headers are active, but CSP tuning may require deployment-specific adjustments.