Security

Terra uses defense-in-depth: multiple layers of protection for sensitive data.

Security Utilities

All security functions live in src/lib/security.ts:
Function                 Protects Against
getSafeRedirectPath()    Open redirect attacks
sanitizeStoragePath()    Path traversal
cleanFileName()          Malicious filenames
isValidExternalUrl()     Protocol injection

XSS Prevention

All user-generated HTML is sanitized:
import DOMPurify from "isomorphic-dompurify";

const safeHtml = DOMPurify.sanitize(userContent);

Path Traversal Protection

Three-layer validation for file paths:
// Layer 1: Client sanitizes filename
const safe = cleanFileName("../../evil.exe"); // "evil.exe"

// Layer 2: Server constructs safe path
const path = buildSafeStoragePath(formId, fileId, safe);

// Layer 3: Final validation
const validated = sanitizeStoragePath(path);

Open Redirect Prevention

function getSafeRedirectPath(path: string): string {
  // Must start with /
  if (!path.startsWith("/")) return "/";

  // No protocol injection
  if (path.includes("://")) return "/";

  // No double slashes
  if (path.startsWith("//")) return "/";

  return path;
}
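
A stricter variant of the check above, as an added example that is not Terra's own code. It goes beyond the page's leading-slash and double-slash rules: it rejects backslashes and control characters (which URL parsers rewrite or strip), resolves the path against a placeholder origin, and re-checks the normalized result. The names `strictRedirectPath` and `PLACEHOLDER_ORIGIN` are hypothetical.

```typescript
// Added example: hypothetical hardened redirect validator, not src/lib/security.ts.
// PLACEHOLDER_ORIGIN is a constructed value used only to resolve relative paths.
const PLACEHOLDER_ORIGIN = "https://app.invalid";

function strictRedirectPath(input: unknown, fallback: string = "/"): string {
  // Only bounded, non-empty strings are candidates.
  if (typeof input !== "string" || input.length === 0 || input.length > 2048) {
    return fallback;
  }

  // URL parsers strip tab/CR/LF and treat "\" like "/", so a plain
  // startsWith("//") test can be bypassed; reject these before parsing.
  if (/[\u0000-\u001f\u007f\\]/.test(input)) return fallback;

  // Same rules as the page: one leading slash, never two.
  if (!input.startsWith("/") || input.startsWith("//")) return fallback;

  // Resolve the way a browser would and require the origin to be unchanged.
  let resolved: URL;
  try {
    resolved = new URL(input, PLACEHOLDER_ORIGIN);
  } catch {
    return fallback;
  }
  if (resolved.origin !== PLACEHOLDER_ORIGIN) return fallback;

  // Dot segments are collapsed during parsing, which can leave a path that
  // begins with "//". Re-check after normalization before returning it.
  const normalized = resolved.pathname + resolved.search + resolved.hash;
  if (normalized.startsWith("//")) return fallback;

  return normalized;
}
```

Because the function returns the normalized path, the value handed to the redirect is the same value that was validated.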

Rate Limiting

Endpoint            Limit
Form submissions    30/minute
Webhooks            500/minute
API routes          100/minute

Fail-Secure Pattern

// When in doubt, deny access
try {
  const user = await checkPermission();
  if (!user) throw new Error("No user");
  return user;
} catch {
  // ANY error = no access
  throw new Error("Unauthorized");
}