Security & Exam Integrity

Overview

The Exam Portal implements enterprise-grade security measures to protect exam integrity, prevent cheating, and ensure data confidentiality.

Authentication Security

Firebase Authentication

Industry-standard JWT tokens
Automatic token refresh (1-hour expiry)
Secure credential storage
Multi-factor authentication support

Session Management

Stateless token-based auth
HTTPS/TLS encryption
Secure cookie handling
Session timeout enforcement

Authorization & Access Control

Role-Based Access Control (RBAC)

Four distinct roles with granular permissions:

Super Admin: Full system access
Client Admin: Organization-level control
Student: Limited to own exams/results
Guest: Anonymous access only

Multi-Tenant Isolation

Every record includes client_id for complete data isolation:

-- Only users from same organization can access
SELECT * FROM tests 
WHERE id = $testId 
AND client_id = $userClientId

BOLA/IDOR Prevention

Broken Object Level Authorization (BOLA)

Prevented through:

Automatic organization boundary checks
User permission validation on every request
Audit logging of access attempts

Example Protection:

// ✅ Correct: Verify organization access
const attempt = await db
  .select('*')
  .from('attempts')
  .where('id', attemptId)
  .innerJoin('tests', 'attempts.test_id', 'tests.id')
  .where('tests.client_id', userOrganizationId);

// ❌ Wrong: Direct access
const attempt = await db.select('*').from('attempts').where('id', attemptId);

Insecure Direct Object References (IDOR)

Protected by:

IDs are UUIDs (not sequential)
Permission checks on each endpoint
Rate limiting per user
Audit logging

Exam Integrity

Proctoring Features

Continuous Monitoring
- Camera-based detection
- Screen recording capability
- Tab switching alerts
Event Tracking
- Unauthorized tab switches
- Copy-paste attempts
- Keyboard blur events
- Mouse movements
Evidence Storage
- Proctoring images in Firebase Storage
- Signed URLs for secure access
- 30-day retention policy

Question Security

Question shuffling to prevent memorization
Answer option randomization
Answer encryption during storage
Prevent question exporting

Answer Verification

Server-side answer validation
Automatic grading for objective questions
Tamper-proof attempt recording
Double-check mechanism for sensitive exams

Data Protection

Encryption

In Transit: HTTPS/TLS 1.3
At Rest: Database encryption at Turso layer
Sensitive Data: Base64 encoding for configuration

Data Access

Minimal data exposure in APIs
PII never logged in plain text
Password hashing with bcrypt (Firebase managed)
Secure token storage

Backup & Recovery

Daily automated backups
Encrypted backup storage
Point-in-time recovery (30 days)
Tested recovery procedures

Audit Logging

Comprehensive Logging

All important actions logged:

{
  "event_type": "exam_submitted",
  "user_id": "student-uuid",
  "attempt_id": "attempt-uuid",
  "resource_id": "test-uuid",
  "score": 85,
  "ip_address": "192.168.1.1",
  "user_agent": "Mozilla/5.0...",
  "timestamp": "2024-01-15T11:30:00Z"
}

Audit Log Access

Super Admins: View all logs
Client Admins: Organization-specific logs
Students: Cannot access logs
Logs encrypted and tamper-proof

API Security

Rate Limiting

Standard: 100 requests/minute per IP
Strict: 10 requests/minute for sensitive operations
Headers: X-RateLimit-* for client awareness

Input Validation

All inputs validated before processing
SQL injection prevention (parameterized queries)
XSS prevention (input sanitization)
CSRF token validation

CORS & HTTPS

Strict CORS policy
Same-origin requests prioritized
HTTPS enforcement (no HTTP)
Security headers configured

Compliance & Standards

Standards Compliance

OWASP Top 10: All items addressed
GDPR: Data privacy enforced
HIPAA: Healthcare data compliant (if applicable)
SOC 2: Audit-ready infrastructure

Security Headers

Strict-Transport-Security: max-age=31536000
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
X-XSS-Protection: 1; mode=block
Content-Security-Policy: default-src 'self'

Incident Response

Security Incident Procedures

Detection: Automated alerts and monitoring
Assessment: Severity evaluation
Containment: Isolate affected systems
Notification: Alert relevant parties
Recovery: Restore from backups
Post-Incident: Analysis and improvements

Reporting Security Issues

Report security vulnerabilities to: security@nssoftwaresolutions.in

Best Practices for Users

For Students

Don't share exam links
Don't take exams from public networks
Close browser after exam
Enable camera for proctored exams

For Administrators

Enable two-factor authentication
Regularly review audit logs
Update passwords regularly
Monitor for suspicious activity
Keep systems updated

Overview​

Authentication Security​

Firebase Authentication​

Session Management​

Authorization & Access Control​

Role-Based Access Control (RBAC)​

Multi-Tenant Isolation​

BOLA/IDOR Prevention​

Broken Object Level Authorization (BOLA)​

Insecure Direct Object References (IDOR)​

Exam Integrity​

Proctoring Features​

Question Security​

Answer Verification​

Data Protection​

Encryption​

Data Access​

Backup & Recovery​

Audit Logging​

Comprehensive Logging​

Audit Log Access​

API Security​

Rate Limiting​

Input Validation​

CORS & HTTPS​

Compliance & Standards​

Standards Compliance​

Security Headers​

Incident Response​

Security Incident Procedures​

Reporting Security Issues​

Best Practices for Users​

For Students​

For Administrators​

Next Steps​