Audience: Backend, SecOps, Finance
Outcomes: Safe uploads, secret hygiene, and minimal PCI footprint
File uploads (limits + AV + quarantine)
const multer = require('multer');

// Declared-MIME allowlist. file.mimetype is taken from the client's own part header,
// so this is only a first filter; check the actual bytes before trusting the file.
const ALLOWED_PREFIXES = [
  'image/', 'application/pdf', 'text/', 'application/zip',
  'application/msword',
  'application/vnd.openxmlformats-officedocument.wordprocessingml.document',
];

const upload = multer({
  limits: { fileSize: 10 * 1024 * 1024, files: 6 }, // 10 MB per file, at most 6 files per request
  fileFilter: (req, file, cb) => {
    const allowed = ALLOWED_PREFIXES.some((t) => file.mimetype.startsWith(t));
    // multer expects cb(error, acceptFile): reject with an Error, accept with true.
    if (!allowed) return cb(new Error('File type not allowed'), false);
    cb(null, true);
  },
});
AV scan on arrival; quarantine suspicious.
Store outside web root; serve via signed URLs or role checks.
Secrets & rotation
Use a secrets manager; separate test/prod; least privilege.
Rotate webhook/API secrets regularly; audit rotation.
Encryption at rest
DB/object store provider encryption (AES-256);
For high-sensitivity fields use app-level envelope encryption (keys in KMS).
PCI scope reduction
Use Stripe Checkout/Elements; never handle raw PANs.
Restrict CSP scriptSrc/frameSrc/connectSrc to Stripe domains.
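As an added example (this page's checklist does not include code for it), the CSP directives named above built into a header string, alongside a small lint that flags settings that would reopen what the Stripe-hosted payment UI closes: wildcard or scheme-only sources, `'unsafe-inline'`/`'unsafe-eval'` in `script-src`, plain-http sources, and a missing `frame-src`. The three Stripe hosts are the ones Stripe's published CSP guidance lists for Checkout/Elements as I know it; treat that list as an assumption to confirm against the current Stripe docs before deploying.

```javascript
// Added example: CSP for a page embedding Stripe Checkout/Elements, plus a lint.
// Keys mirror the scriptSrc/frameSrc/connectSrc directives named in the checklist.
const STRIPE_CSP = {
  'default-src': ["'self'"],
  'script-src':  ["'self'", 'https://js.stripe.com'],
  'frame-src':   ['https://js.stripe.com', 'https://hooks.stripe.com'],
  'connect-src': ["'self'", 'https://api.stripe.com'],
};

// Serialise a directives object into the Content-Security-Policy header value.
function buildCsp(directives) {
  return Object.entries(directives)
    .map(([name, sources]) => `${name} ${sources.join(' ')}`)
    .join('; ');
}

// Return a list of findings (empty when the policy is acceptable).
function lintCsp(directives) {
  const findings = [];
  for (const [name, sources] of Object.entries(directives)) {
    for (const s of sources) {
      if (s === '*' || s === 'https:' || s === 'http:') {
        findings.push(`${name}: source '${s}' allows any origin`);
      }
      if (name === 'script-src' && (s === "'unsafe-inline'" || s === "'unsafe-eval'")) {
        findings.push(`script-src: ${s} permits injected script to run on the payment page`);
      }
      if (s.startsWith('http://')) {
        findings.push(`${name}: plaintext source '${s}'`);
      }
    }
  }
  if (!directives['frame-src']) {
    // Elements render inside iframes; without frame-src the browser falls back to
    // child-src/default-src, which is rarely what was intended.
    findings.push('frame-src missing: Stripe iframes will be governed by child-src/default-src');
  }
  return findings;
}

module.exports = { STRIPE_CSP, buildCsp, lintCsp };
```

With helmet, the same object (camelCase or kebab-case keys) goes into `contentSecurityPolicy({ directives })`; running `lintCsp` in CI against that object catches a loosened policy before it ships.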
QA checklist
Upload rejects >10 MB or wrong MIME with clear error.
No secrets in logs/env diffs; rotation procedure documented.
Runbook: suspected secret leak
Generate new secret; deploy;
Invalidate old;
Re-verify webhook signatures;
Review past 24–72h of events;
Post-mortem.