JWT auth. bcrypt passwords. Magic byte validation. Rate limiting. Soft deletes.
Security is not a feature — it's a design principle. IUSign implements defense-in-depth across every layer.
User passwords are hashed with bcrypt (cost factor 12) — the per-password salt makes precomputed rainbow tables useless.
JWT tokens use HS256 with 24-hour expiry — a stolen token stops working once its 24-hour lifetime ends.
File uploads are validated via python-magic (libmagic) — checking actual file content, not extensions.
Uploaded files are saved with UUID filenames — no enumeration, no original name exposure.
Rate limiting: 50 req/day (free), 500 req/hr (solo), 2000 req/hr (growth).
CSRF protection on all state-changing endpoints.
Soft deletes: records are marked is_deleted = true rather than physically removed.
JWT: HS256, 24h expiry, issued on login/registration. Stored in localStorage.
bcrypt: bcrypt.hashpw(password.encode(), bcrypt.gensalt(rounds=12)). 12 rounds → ~250ms per hash.
File validation: magic.from_buffer(file_bytes[:2048], mime=True) — only PDF and DOCX allowed.
UUID filenames: uuid4().hex + '.pdf' — 32 hex characters (122 random bits), not guessable or enumerable.
Rate limiting: Redis INCR with EXPIRE. Key format: rate_limit:{tenant_id}:{endpoint}:{minute}.
Layer 1: Email + password (bcrypt, 12 rounds). Layer 2: JWT token (HS256, 24h expiry). Layer 3: API key (SHA256 hashed, Redis cached, tenant-scoped). Layer 4: Public link token (UUID, single-use, expires on signing).
Every uploaded file goes through: (1) MIME type validation via libmagic, (2) File size limit (50 MB), (3) UUID filename assignment, (4) Storage in a non-public directory, (5) SHA-256 hash computation.
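The upload pipeline above, as an added example that is not IUSign's own code. It assumes a `sniff_mime` stand-in for `magic.from_buffer(..., mime=True)` (libmagic is not bundled here), constructed sample byte strings, and leaves step (4), writing to a non-public directory, to the caller.

```python
import hashlib
import uuid
from dataclasses import dataclass

MAX_UPLOAD_BYTES = 50 * 1024 * 1024  # step (2): 50 MB limit
DOCX_MIME = "application/vnd.openxmlformats-officedocument.wordprocessingml.document"
ALLOWED_MIME = {"application/pdf": ".pdf", DOCX_MIME: ".docx"}  # only PDF and DOCX

def sniff_mime(head: bytes) -> str:
    """Stand-in (assumption) for magic.from_buffer(head, mime=True): type from content."""
    if head.startswith(b"%PDF-"):
        return "application/pdf"
    if head.startswith(b"PK\x03\x04"):          # ZIP container
        # DOCX is a ZIP whose entries live under word/; anything else is plain ZIP
        return DOCX_MIME if b"word/" in head else "application/zip"
    return "application/octet-stream"

class UploadRejected(ValueError):
    pass

@dataclass
class StoredUpload:
    stored_name: str   # UUID-based name the file is written under (step 4, by caller)
    mime: str
    sha256: str

def process_upload(file_bytes: bytes, claimed_name: str) -> StoredUpload:
    # (1) MIME from the first 2048 bytes of content; claimed_name is never trusted
    mime = sniff_mime(file_bytes[:2048])
    if mime not in ALLOWED_MIME:
        raise UploadRejected(f"content is {mime}, claimed {claimed_name!r}")
    # (2) size limit
    if len(file_bytes) > MAX_UPLOAD_BYTES:
        raise UploadRejected("file exceeds 50 MB")
    # (3) UUID filename; the extension follows the detected type, not the upload name
    stored_name = uuid.uuid4().hex + ALLOWED_MIME[mime]
    # (5) SHA-256 of the full content for integrity checks and de-duplication
    return StoredUpload(stored_name, mime, hashlib.sha256(file_bytes).hexdigest())

# Constructed samples: a tiny PDF, a minimal ZIP local header naming a word/ entry,
# and non-document bytes uploaded under a .pdf name (must be rejected on content).
PDF_SAMPLE = b"%PDF-1.7\n1 0 obj << /Type /Catalog >> endobj\n%%EOF\n"
DOCX_SAMPLE = b"PK\x03\x04" + b"\x00" * 26 + b"word/document.xml" + b"\x00" * 40
DISGUISED_SAMPLE = b"MZ\x90\x00" + b"\x00" * 60

if __name__ == "__main__":
    print(process_upload(PDF_SAMPLE, "contract.pdf"))
    print(process_upload(DOCX_SAMPLE, "upload.bin"))
    try:
        process_upload(DISGUISED_SAMPLE, "contract.pdf")
    except UploadRejected as e:
        print("rejected:", e)
```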