Shared Security Responsibility

Mindful Auth secures the authentication layer (login, registration, password reset, 2FA, etc.) but does not store any member data. Your backend is responsible for securing member data.

What Mindful Auth Protects

✅ Authentication endpoints - Login, registration, password reset, magic links
✅ Password security - Hashing, validation, reset token generation
✅ Magic link security - Token generation, verification, expiration
✅ 2FA implementation - TOTP setup, validation, recovery codes
✅ Session tokens - Authentication state, token expiration, refresh logic
✅ Rate limiting - Velocity tracking, IP-based limits, harassment prevention
✅ Account lockout - Progressive lockout, geo-anomaly detection
✅ Turnstile bot protection - Integration with Cloudflare’s CAPTCHA service
✅ Audit logging - Authentication event tracking (Business plan)

What YOUR Backend Protects

Your backend system is responsible for protecting member data and business logic:

🔒 Member profile data - Names, emails, custom profile fields
🔒 Member activity - History, logs, behavioral data
🔒 Business data - Proprietary information, transactions, analytics
🔒 API authorization - Role-based access control, permission validation
🔒 Data encryption - Encryption at rest for sensitive fields
🔒 Database security - Access controls, backups, disaster recovery
🔒 API security - Rate limiting on your endpoints, input validation, CSRF protection
🔒 Compliance - Data retention policies, deletion requests, audit trails

Your Responsibilities

You are responsible for:

Choosing a secure backend
- Cloudflare D1, Tape, or self-managed database
- Evaluate security practices of your chosen provider
- Review encryption, access controls, backup procedures
Implementing proper access controls
- Verify user’s memberid matches requested resource
- Implement role-based access control (RBAC) if needed
- Never trust frontend data for authorization decisions
Encrypting sensitive data
- Encrypt personally identifiable information (PII)
- Use encryption keys separate from your database
- Consider field-level encryption for highly sensitive data
Securing your APIs
- Authenticate API requests (validate Mindful Auth session tokens)
- Implement rate limiting on your endpoints
- Validate and sanitize all inputs
- Use HTTPS for all API communication
Monitoring and logging
- Log access to sensitive data
- Monitor for unusual activity patterns
- Create alerts for suspicious behavior
- Retain logs for compliance periods
Regular security audits
- Review access control implementation
- Test for common vulnerabilities (SQL injection, XSS, etc.)
- Conduct penetration testing
- Keep dependencies and frameworks updated
Compliance and regulations
- Implement data retention policies
- Support user deletion requests (right to be forgotten)
- Document data handling practices
- Comply with GDPR, CCPA, and other regulations
Incident response
- Prepare for potential data breaches
- Have a plan to notify affected users
- Document and analyze security incidents
- Implement fixes to prevent recurrence

Security Architecture Diagram

┌──────────────────────────────────────────────────────────┐
│  Your Application                                        │
└────────────────────┬─────────────────────────────────────┘
                     │
      ┌──────────────┼──────────────┐
      │              │              │
      ▼              ▼              ▼
┌──────────┐  ┌──────────┐  ┌──────────────┐
│ Frontend │  │ Backend  │  │ Database     │
│          │  │ Server   │  │ (Your Choice)│
│ (Your)   │  │ (Your)   │  │ D1/Tape/Own  │
└────┬─────┘  └────┬─────┘  └──────┬───────┘
     │             │               │
     └─────────────┼───────────────┘
                   │
        ┌──────────▼──────────┐
        │ Mindful Auth API    │
        │                     │
        │ • /auth/login       │
        │ • /auth/register    │
        │ • /auth/2fa/*       │
        │ • /auth/password/*  │
        │                     │
        │ MINDFUL AUTH        │
        │ RESPONSIBILITY      │
        └─────────────────────┘

Flow:

Frontend sends credentials to your backend
Your backend calls Mindful Auth API for validation
Mindful Auth validates authentication (Turnstile, rate limits, 2FA)
Backend receives success/failure response
Backend stores member data in your database
Mindful Auth never sees or stores member data

What Happens If…

If Your Backend is Compromised

❌ Mindful Auth cannot prevent this - We’re separate systems
❌ Member data exposed - Your database is the source of truth
✅ Authentication still secure - Even if attacker has passwords, they need 2FA, Turnstile, rate limits
✅ Audit trail visible - Business plan shows suspicious login attempts

Mitigation: Implement strong database access controls, encryption at rest, and regular backups.

If Mindful Auth is Compromised

✅ Member data safe - We don’t store any
❌ Authentication tokens might be invalidated - You may need to re-authenticate users
✅ Passwords safe - We use hashing, attackers get encrypted hashes
✅ 2FA still works - If stored separately (which we recommend)

Mitigation: Store encryption keys separately from data, use per-tenant key derivation.

If Network Traffic is Intercepted

✅ Protected - All Mindful Auth communication uses HTTPS
✅ Session tokens safe - HTTPOnly cookies, short expiration
❌ Vulnerable if - Your backend uses HTTP instead of HTTPS

Mitigation: Always use HTTPS for your APIs, enable HSTS headers.

Shared Responsibility Model

Component	Mindful Auth	Your Backend	Shared
Authentication logic	🟢 Ours
Password hashing	🟢 Ours
2FA implementation	🟢 Ours
Member data storage		🟢 Yours
Member data encryption		🟢 Yours
API authorization		🟢 Yours
Session validation	🟢 Ours	🟢 Yours	🟡 Both
Rate limiting	🟢 Ours (auth)	🟢 Yours (APIs)	🟡 Both
Audit logging	🟢 Ours (auth events)	🟢 Yours (data access)	🟡 Both
Incident response	🟢 Ours (auth system)	🟢 Yours (data system)	🟡 Both
HTTPS/TLS	🟢 Ours	🟢 Yours	🟡 Both