Security Overview

ClinicReception AI is built as a lightweight web SaaS with account login, role-based access, session cookies, security headers, request body limits, public endpoint rate limits, and separate clinic workspaces.

Current Controls

• Password hashing with scrypt.
• HttpOnly session cookies.
• Operator-only admin API.
• Clinic data scoped by workspace.
• Security headers and static asset compression.
• Public POST rate limits.
• Public form honeypot fields for simple bot filtering.
• Backend input length limits for lead and audit intake.
• Escaped dashboard/admin rendering for user-submitted text.
• Mock SMS mode until Twilio credentials are configured.

Production Checklist

• Use HTTPS and secure cookies.
• Use Postgres instead of local JSON.
• Use a real email provider for password reset delivery.
• Verify Twilio webhook signatures.
• Sign required vendor contracts before handling regulated data.
• Limit staff roles and remove demo accounts.