🛡️ Security

FormSG-specific security guidance for government deployments.

This document focuses on FormSG-specific security considerations for government deployments. It assumes your organization already has security expertise and established procedures - we focus on how FormSG integrates with your existing security framework.

FormSG Security Architecture

FormSG implements several security patterns that enable secure government deployments:

Data Protection Layers

  • Encryption in Transit: TLS for all communications

  • Encryption at Rest: Database and file storage encryption

  • End-to-End Encryption: Storage mode forms use client-side encryption

  • Session Security: Secure session management with configurable timeouts

Access Control Model

  • Role-Based Access: Admin vs form creator permissions

  • Form-Level Security: Per-form access controls

  • Authentication Integration: Pluggable identity provider support

  • Session Management: JWT with configurable expiration

Security-Relevant Architecture Decisions

Understanding why FormSG was designed certain ways helps you maintain security:

| Design Decision | Security Benefit | Customization Impact |
|---|---|---|
| 3-Tier Architecture | Clear security boundaries | Maintain network segmentation |
| Stateless API Design | Easier to scale securely | Session store becomes critical |
| Component Modularity | Replace insecure components | Validate replacement security |
| Environment-Based Config | No secrets in code | Secure secrets management required |

Data Flow

Understanding how data flows through FormSG helps secure integrations:

Key Security Points

  1. User authentication happens before form access

  2. Form data encryption occurs client-side (storage mode)

  3. Database storage uses encrypted transport and storage

  4. Email notifications contain only metadata, not form content

  5. Audit logging captures all user actions

Core Security Validation

Essential Security Requirements:

Component Replacement Security

Email Service Security

When replacing AWS SES with your email service:

Security Considerations

  • SMTP Authentication: Use app-specific passwords, not user credentials

  • TLS Encryption: Ensure SMTP connection uses TLS (port 587/465)

  • Email Security: Verify your email service supports SPF/DKIM/DMARC

  • Rate Limiting: Configure appropriate rate limits for OTP delivery

Email Security Validation:

Example Configuration Pattern:

# Secure email service configuration
SES_HOST=smtp.yourorg.gov  # Your organization's SMTP server
SES_PORT=587              # Submission port (STARTTLS); use 465 for implicit TLS
SES_USER=formsg-service   # Dedicated service account, not a person's login
SES_PASS=[secure-token]   # App-specific password or token
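Added example, not FormSG's own code: a startup check of the SMTP settings above plus a per-recipient limiter for OTP delivery. The env names match the configuration pattern; the limiter defaults (3 OTP emails per recipient per minute) are an assumption.

```typescript
// Added example, not FormSG's own code. Env names match the configuration
// pattern above; the limiter defaults are an assumption.
export type Env = Record<string, string | undefined>;

// Only the submission port (587, STARTTLS) and the implicit-TLS port (465)
// are accepted; plaintext port 25 and unset credentials are rejected.
export function checkSmtpConfig(env: Env): string[] {
  const problems: string[] = [];
  const port = Number(env.SES_PORT);
  if (port !== 587 && port !== 465) {
    problems.push(`SES_PORT=${env.SES_PORT}: use 587 (STARTTLS) or 465 (TLS)`);
  }
  if (!env.SES_HOST) problems.push("SES_HOST is not set");
  if (!env.SES_USER) problems.push("SES_USER is not set");
  if (!env.SES_PASS || env.SES_PASS === "[secure-token]") {
    problems.push("SES_PASS is unset or still the placeholder");
  }
  return problems;
}

// Sliding-window limiter keyed by recipient address: at most `limit` OTP
// emails in any `windowMs` span. Expired timestamps are pruned on each call.
export class OtpRateLimiter {
  private sent: Record<string, number[]> = Object.create(null);
  private limit: number;
  private windowMs: number;
  constructor(limit = 3, windowMs = 60000) {
    this.limit = limit;
    this.windowMs = windowMs;
  }
  allow(recipient: string, now: number = Date.now()): boolean {
    const key = recipient.trim().toLowerCase(); // case variants share one bucket
    const recent = (this.sent[key] || []).filter((t) => now - t < this.windowMs);
    if (recent.length >= this.limit) {
      this.sent[key] = recent;
      return false; // over quota: the caller must not send another OTP
    }
    recent.push(now);
    this.sent[key] = recent;
    return true;
  }
}
```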

Database Security

When using alternative MongoDB services:

Security Requirements

  • Encryption at Rest: Database must support encryption

  • Network Encryption: Connection must use TLS/SSL

  • Authentication: Strong credentials with least privilege

  • Network Access: Restrict database access to FormSG application only
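Added example, not FormSG's own code: a startup check of the MongoDB connection string against the requirements above. It assumes a single-host mongodb:// or mongodb+srv:// URI (multi-host seed lists are not parsed), and the rejected superuser names are an assumption.

```typescript
// Added example, not FormSG's own code. Single-host URI assumed; the
// rejected account names are an assumption.
function parseUrl(s: string): URL | null {
  try { return new URL(s); } catch { return null; }
}

export function checkMongoUri(uri: string): string[] {
  const problems: string[] = [];
  const u = parseUrl(uri);
  if (!u) return ["connection string is not a parseable URI"];
  if (u.protocol !== "mongodb:" && u.protocol !== "mongodb+srv:") {
    problems.push(`unexpected scheme ${u.protocol}`);
  }
  const q = u.searchParams;
  // Network encryption: +srv implies TLS; otherwise tls=true (or the legacy
  // ssl=true) must be explicit, and it must not be switched off.
  const tlsOn = u.protocol === "mongodb+srv:" || q.get("tls") === "true" || q.get("ssl") === "true";
  if (!tlsOn) problems.push("TLS not enabled (add tls=true)");
  if (q.get("tls") === "false" || q.get("ssl") === "false") {
    problems.push("TLS explicitly disabled");
  }
  // Certificate checks must stay on, or TLS does not protect against MITM.
  if (q.get("tlsAllowInvalidCertificates") === "true" || q.get("tlsInsecure") === "true") {
    problems.push("server certificate validation disabled");
  }
  // Authentication: credentials required, and a shared superuser is not least privilege.
  if (!u.username || !u.password) {
    problems.push("no credentials in connection string");
  } else if (u.username.toLowerCase() === "admin" || u.username.toLowerCase() === "root") {
    problems.push(`account '${u.username}' is a superuser; use a dedicated least-privilege role`);
  }
  return problems;
}
```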

Database Security Validation:

Object Storage Security

When replacing AWS S3:

Security Features Required

  • Server-Side Encryption: Files encrypted at rest

  • Access Controls: Bucket policies restrict access

  • Presigned URLs: Temporary, time-limited file access

  • CORS Configuration: Restrict cross-origin requests

Object Storage Security Validation:

Security Monitoring and Logging

FormSG Audit Capabilities

FormSG provides several logging capabilities for security monitoring:

Security Events Logged

  • Authentication events: Login attempts, failures, session creation

  • Form access: Who accessed which forms when

  • Data modification: Form creation, editing, deletion

  • Submission events: Form submissions with timestamps and user context

  • Administrative actions: User management, settings changes

Security Monitoring Validation:

Log Configuration Pattern:

# Enable comprehensive FormSG audit logging
LOG_LEVEL=info                    # Capture security-relevant events
CUSTOM_CLOUDWATCH_LOG_GROUP=/your/log/group  # Your log destination
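Added example, not FormSG's own code: detection logic run over a few constructed audit events, flagging a burst of login failures for one account or source address and noting when a successful login follows it. The JSON shape (ts, event, user, ip) and the event names are assumptions about the log format, not FormSG's actual schema.

```typescript
// Added example, not FormSG's own code. The JSON shape (ts, event, user, ip)
// and the event names are assumptions, not FormSG's actual log schema.
export interface AuditEvent { ts: number; event: string; user: string; ip: string; }
// Constructed sample: four failures for alice from one address within two
// minutes, then a success; one malformed line on purpose.
export const SAMPLE_LOG: string[] = [
  '{"ts":1700000000,"event":"login_failed","user":"alice@agency.gov","ip":"203.0.113.5"}',
  '{"ts":1700000030,"event":"login_failed","user":"alice@agency.gov","ip":"203.0.113.5"}',
  '{"ts":1700000045,"event":"login_failed","user":"bob@agency.gov","ip":"198.51.100.9"}',
  'this line is not JSON',
  '{"ts":1700000060,"event":"login_failed","user":"alice@agency.gov","ip":"203.0.113.5"}',
  '{"ts":1700000120,"event":"login_failed","user":"alice@agency.gov","ip":"203.0.113.5"}',
  '{"ts":1700000150,"event":"login_success","user":"alice@agency.gov","ip":"203.0.113.5"}',
];

export function parseAuditLog(lines: string[]): AuditEvent[] {
  const out: AuditEvent[] = [];
  for (const line of lines) {
    try {
      const e = JSON.parse(line);
      if (typeof e.ts === "number" && typeof e.event === "string") out.push(e);
    } catch { /* skip malformed lines instead of crashing the detector */ }
  }
  return out;
}

// Flags a user or source IP with >= threshold login failures inside windowSec;
// a success right after the burst is called out because it needs faster triage.
export function detectLoginBursts(events: AuditEvent[], threshold = 4, windowSec = 600): string[] {
  const findings: string[] = [];
  for (const key of ["user", "ip"] as const) {
    const failures: Record<string, number[]> = Object.create(null);
    for (const e of events) {
      if (e.event === "login_failed") (failures[e[key]] = failures[e[key]] || []).push(e.ts);
    }
    for (const id in failures) {
      const ts = failures[id].sort((a, b) => a - b);
      for (let i = 0; i + threshold <= ts.length; i++) {
        const end = ts[i + threshold - 1];
        if (end - ts[i] > windowSec) continue; // this run of failures is too spread out
        const success = events.some((e) => e.event === "login_success" &&
          e[key] === id && e.ts >= end && e.ts - end <= windowSec);
        findings.push(`${key} ${id}: ${threshold}+ login failures within ${windowSec}s${success ? ", then a successful login" : ""}`);
        break; // one finding per identity is enough
      }
    }
  }
  return findings;
}
```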

Security Monitoring Focus Areas:

Vulnerability Scanning Integration

  • Container scanning: Scan FormSG container images in your registry

  • Dependency scanning: Monitor Node.js dependencies for vulnerabilities

  • Configuration scanning: Validate FormSG configuration against security policies

Compliance Support Features

FormSG provides several features that support government compliance requirements:

Data Protection

  • Encryption: Client-side encryption for sensitive form data

  • Access controls: Role-based access with audit trails

  • Data retention: Configurable data retention policies

  • Data export: Ability to export data for compliance reporting

Audit and Accountability

  • Comprehensive logging: All user actions logged with timestamps

  • Non-repudiation: Digital signatures for form submissions

  • Access tracking: Who accessed what data when

  • Change management: All form modifications tracked

Privacy Protection

  • Minimal data collection: Only collect necessary form data

  • Consent management: Form-level privacy notices

  • Data minimization: Configurable field validation and limits

  • Right to deletion: Data deletion capabilities for privacy compliance

Compliance Validation

Compliance Validation:


🔒 Security Principle: FormSG provides security capabilities - your implementation and operational procedures determine the actual security of your deployment.
