# 04. Security, Compliance & Validation
## 1. Authentication & Authorization
### ERP System Authentication (Server-to-Server)
The system employs a multi-layered authentication strategy for incoming API requests:
1. **Token-Based Auth**: Each ERP/Customer is assigned a unique `current_token`. This must be passed in the `X-Customer-Token` header.
2. **IP Whitelisting**: Requests are only accepted if the originating IP address is found in the `incoming_host_validation` table for the corresponding customer. This prevents token-leakage-based attacks from unauthorized servers.
### Admin Dashboard Security
- **Middleware**: Protected by Laravel's built-in `auth` middleware.
- **Session Management**: Implements session regeneration on login and invalidation on logout to prevent session fixation and hijacking.
- **Password Policies**: Uses `Password::defaults()` which ensures strong character requirements.
---
## 2. Data Integrity & Verification
### Response & Webhook Signing (HMAC-SHA256)
To ensure that status updates haven't been tampered with during transit:
- The system signs all outgoing JSON payloads using `hash_hmac('sha256', $payload, $customer_token)`.
- The signature is sent in the `X-PB-Signature` header.
- ERP systems are expected to verify this signature using their shared secret (the token).
### Webhook Security (Inbound)
When receiving updates from Payment Gateways (Razorpay/CCAvenue):
- The system captures raw headers (e.g., `X-Razorpay-Signature`).
- Validation logic (within the PG drivers) verifies the authenticity of the signature using the gateway's secret key before updating transaction statuses.
---
## 3. Data Protection (PII & Sensitive Info)
### Sensitive Configuration
- **Encrypted Storage**: While current config is stored in JSON, it is recommended to ensure the database disk/volume is encrypted.
- **Environment Variables**: Sensitive system-wide keys (like `APP_KEY`) are stored in `.env` and never committed to version control.
### Transaction Privacy
- The system avoids storing full Credit Card numbers or CVVs. It only stores the gateway-provided reference IDs and metadata, remaining compliant with basic PCI-DSS principles by offloading sensitive data handling to the PG's hosted fields or checkout pages.
---
## 4. Key Security Recommendations
- **Token Rotation**: Implement a mechanism to rotate `current_token` periodically for ERP systems.
- **Rate Limiting**: Apply Laravel's rate limiter to the `create-payment-intent` and `payment/status` endpoints to mitigate Brute-force or DoS attempts.
- **Audit Logging**: While `payment_transactions` provides an audit of payments, an "Admin Action Log" would be beneficial to track who changed gateway credentials or whitelisted new IPs.