Security and backups

Application security baseline

• Server-side validation on every form.
• Session and role checks for admin routes.
• Rate limit sensitive authentication endpoints.

File and media protection

• Allow only supported image and PDF formats.
• Reject oversized uploads and suspicious MIME types.
• Store uploads in controlled folders with strict naming.

Recovery readiness

• Daily database backups with retention policy.
• Monthly restore drills in staging environment.
• Incident log includes root cause and resolution notes.