# Security

This document focuses on **FormSG-specific security considerations** for government deployments. It assumes your organization already has security expertise and established procedures - we focus on how FormSG integrates with your existing security framework.

### FormSG Security Architecture

FormSG implements several security patterns that enable secure government deployments:

{% @mermaid/diagram content="graph TB
subgraph "🌐 External Security"
WAF\[Web Application Firewall]
LB\[Load Balancer + TLS]
end

```
subgraph "⚙️ FormSG Application"
    Frontend[React Frontend]
    API[Express API + Auth]
end

subgraph "💾 Data Layer"
    Database[(Encrypted Database)]
    Storage[(Encrypted Storage)]
end

subgraph "🔌 External Services"
    Identity[Government Identity]
    Email[Email Service]
end

subgraph "📊 Security Monitoring"
    Logs[Audit Logs]
    SIEM[SIEM Integration]
end

%% Main Flow
Internet[👥 Users] --> WAF
WAF --> LB
LB --> Frontend
Frontend --> API

%% Data Connections
API --> Database
API --> Storage

%% External Connections
API --> Identity
API --> Email

%% Monitoring
API --> Logs
Logs --> SIEM

%% Styling
classDef external fill:#e3f2fd,stroke:#1976d2,stroke-width:2px
classDef application fill:#f3e5f5,stroke:#7b1fa2,stroke-width:2px
classDef data fill:#e8f5e8,stroke:#388e3c,stroke-width:2px
classDef integration fill:#fff3e0,stroke:#f57c00,stroke-width:2px
classDef monitoring fill:#fce4ec,stroke:#c2185b,stroke-width:2px

class WAF,LB external
class Frontend,API application
class Database,Storage data
class Identity,Email integration
class Logs,SIEM monitoring" %}
```

**Data Protection Layers**

* **Encryption in Transit**: TLS for all communications
* **Encryption at Rest**: Database and file storage encryption
* **End-to-End Encryption**: Storage mode forms use client-side encryption
* **Session Security**: Secure session management with configurable timeouts

**Access Control Model**

* **Role-Based Access**: Admin vs form creator permissions
* **Form-Level Security**: Per-form access controls
* **Authentication Integration**: Pluggable identity provider support
* **Session Management**: JWT with configurable expiration

**Security-Relevant Architecture Decisions**

Understanding why FormSG was designed certain ways helps you maintain security:

| Design Decision              | Security Benefit            | Customization Impact               |
| ---------------------------- | --------------------------- | ---------------------------------- |
| **3-Tier Architecture**      | Clear security boundaries   | Maintain network segmentation      |
| **Stateless API Design**     | Easier to scale securely    | Session store becomes critical     |
| **Component Modularity**     | Replace insecure components | Validate replacement security      |
| **Environment-Based Config** | No secrets in code          | Secure secrets management required |

### Data Flow

Understanding how data flows through FormSG helps secure integrations:

{% @mermaid/diagram content="sequenceDiagram
participant User
participant FormSG
participant Identity
participant Database
participant Email

```
User->>FormSG: Access Form
FormSG->>Identity: Authenticate User
Identity-->>FormSG: User Claims + Token
User->>FormSG: Submit Form Data
FormSG->>FormSG: Encrypt Submission (Storage Mode)
FormSG->>Database: Store Encrypted Data
FormSG->>Email: Send Notification

Note over FormSG,Database: All data encrypted in transit and at rest
Note over FormSG,Email: Only metadata sent, not form content" %}
```

**Key Security Points**

1. **User authentication** happens before form access
2. **Form data encryption** occurs client-side (storage mode)
3. **Database storage** uses encrypted transport and storage
4. **Email notifications** contain only metadata, not form content
5. **Audit logging** captures all user actions

#### Core Security Validation

**Essential Security Requirements:**

* [ ] **Encryption keys configured** - `SIGNING_SECRET_KEY` and `VERIFICATION_SECRET_KEY` set
* [ ] **TLS everywhere** - Database, storage, and email connections use encryption
* [ ] **Data encrypted at rest** - Database and storage have encryption enabled
* [ ] **Secrets management** - Environment variables stored securely

#### Component Replacement Security

**Email Service Security**

When replacing AWS SES with your email service:

**Security Considerations**

* **SMTP Authentication**: Use app-specific passwords, not user credentials
* **TLS Encryption**: Ensure SMTP connection uses TLS (port 587/465)
* **Email Security**: Verify your email service supports SPF/DKIM/DMARC
* **Rate Limiting**: Configure appropriate rate limits for OTP delivery

**Email Security Validation:**

* [ ] **TLS encryption** - SMTP connection uses port 587/465
* [ ] **Service account** - Use dedicated credentials, not personal accounts
* [ ] **Email authentication** - SPF/DKIM/DMARC configured for your domain
* [ ] **Rate limiting** - Appropriate sending limits configured

**Example Configuration Pattern:**

```bash
# Secure email service configuration
SES_HOST=smtp.yourorg.gov  # Your organization's SMTP server
SES_PORT=587              # TLS port
SES_USER=formsg-service   # Dedicated service account
SES_PASS=[secure-token]   # App-specific password or token
```

**Database Security**

When using alternative MongoDB services:

**Security Requirements**

* **Encryption at Rest**: Database must support encryption
* **Network Encryption**: Connection must use TLS/SSL
* **Authentication**: Strong credentials with least privilege
* **Network Access**: Restrict database access to FormSG application only

**Database Security Validation:**

* [ ] **Encrypted connections** - TLS/SSL enabled in connection string
* [ ] **Least privilege access** - Dedicated service account with minimal permissions
* [ ] **Network isolation** - Database accessible only from FormSG application
* [ ] **Encryption at rest** - Database encryption enabled
* [ ] **Audit logging** - Database access events logged

**Object Storage Security**

When replacing AWS S3:

**Security Features Required**

* **Server-Side Encryption**: Files encrypted at rest
* **Access Controls**: Bucket policies restrict access
* **Presigned URLs**: Temporary, time-limited file access
* **CORS Configuration**: Restrict cross-origin requests

**Object Storage Security Validation:**

* [ ] **Server-side encryption** - Files encrypted at rest
* [ ] **HTTPS connections** - API calls use encryption in transit
* [ ] **Access restrictions** - Only FormSG application can access buckets
* [ ] **Presigned URLs** - Temporary file access with time limits
* [ ] **CORS configuration** - Cross-origin requests restricted
* [ ] **No public access** - Form data buckets are private

#### Security Monitoring and Logging

**FormSG Audit Capabilities**

FormSG provides several logging capabilities for security monitoring:

**Security Events Logged**

* **Authentication events**: Login attempts, failures, session creation
* **Form access**: Who accessed which forms when
* **Data modification**: Form creation, editing, deletion
* **Submission events**: Form submissions with timestamps and user context
* **Administrative actions**: User management, settings changes

**Security Monitoring Validation:**

* [ ] **Authentication events** - Login attempts and failures logged
* [ ] **Form access tracking** - User access to forms monitored
* [ ] **Data modifications** - Form changes logged with user attribution
* [ ] **Administrative actions** - User management and settings changes tracked
* [ ] **Submission monitoring** - Form submissions logged with context

**Log Configuration Pattern:**

```bash
# Enable comprehensive FormSG audit logging
LOG_LEVEL=info                    # Capture security-relevant events
CUSTOM_CLOUDWATCH_LOG_GROUP=/your/log/group  # Your log destination
```

**Security Monitoring Focus Areas:**

* [ ] **Failed authentication patterns** - Multiple failed logins from same IP
* [ ] **Unusual form access** - Access to forms outside normal patterns
* [ ] **Administrative changes** - Form modifications, user management
* [ ] **Submission patterns** - Unusual volume or timing of submissions

**Vulnerability Scanning Integration**

* **Container scanning**: Scan FormSG container images in your registry
* **Dependency scanning**: Monitor Node.js dependencies for vulnerabilities
* **Configuration scanning**: Validate FormSG configuration against security policies

#### Compliance Support Features

FormSG provides several features that support government compliance requirements:

**Data Protection**

* **Encryption**: Client-side encryption for sensitive form data
* **Access controls**: Role-based access with audit trails
* **Data retention**: Configurable data retention policies
* **Data export**: Ability to export data for compliance reporting

**Audit and Accountability**

* **Comprehensive logging**: All user actions logged with timestamps
* **Non-repudiation**: Digital signatures for form submissions
* **Access tracking**: Who accessed what data when
* **Change management**: All form modifications tracked

**Privacy Protection**

* **Minimal data collection**: Only collect necessary form data
* **Consent management**: Form-level privacy notices
* **Data minimization**: Configurable field validation and limits
* **Right to deletion**: Data deletion capabilities for privacy compliance

**Compliance Validation**

**Compliance Validation:**

* [ ] **Encryption verification** - Storage mode forms encrypted in database
* [ ] **Access control testing** - Users access only authorized forms
* [ ] **Data retention** - Old submissions handled per retention policies
* [ ] **Audit completeness** - All user actions logged with timestamps
* [ ] **User attribution** - Actions traced to specific accounts
* [ ] **Change tracking** - Form modifications tracked

***

{% hint style="info" %}
**🔒 Security Principle**: FormSG provides security capabilities - your implementation and operational procedures determine the actual security of your deployment.
{% endhint %}


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://international.open.gov.sg/self-hosting/formsg/security.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.