v4.12.0 13 February 2026 Improvement
Security Hardening & Infrastructure
Security Test Harness
SpeyBooks now runs an automated security test harness against live production infrastructure. The harness checks 21 controls across six areas and publishes the results as a transparency report on the Insights page.
- 21 automated controls — covering firewalls, secure configuration, patch management, access control, malware protection, and operations. Every test runs against the real system, not a staging copy.
- Monthly transparency reports — results are published to Insights within 24 hours of each assessment. Grade, findings, and remediation plans are all public.
- Grade C to A (100%) — the first published assessment started at Grade C with real findings. Every issue was investigated and resolved, finishing at Grade A with zero failures and zero skipped tests.
Rate Limiting Fix
A bug in the error handler turned rate-limit rejections into generic 500 errors instead of HTTP 429. The rate limiter was firing internally, but clients only ever saw a server error: they got no signal to back off and no retry interval, and the rejections were indistinguishable from genuine faults in the logs.
- Correct 429 responses — all rate-limited auth endpoints now return HTTP 429 with a clear message and a retry interval.
- Three protected endpoints — login, registration, and password reset are all verified by the test harness.
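The shape of this fix, as an added illustration rather than SpeyBooks' own code: an Express-style error handler in its buggy form (every error collapses to a 500) next to the corrected form, which honours the limiter's status and adds a Retry-After header. The RateLimitError class, its fields and the fake response object are assumptions made for this example.

```javascript
// Added example, not SpeyBooks code: an Express-style error handler shown in
// its buggy form (every error becomes a 500) and its fixed form (a rate-limit
// rejection becomes a 429 with Retry-After). The RateLimitError shape and the
// fake response object are assumptions made for this demo.

// What a rate limiter typically rejects with: its own status plus how long the
// client should wait. Shape assumed for this example.
class RateLimitError extends Error {
  constructor(retryAfterMs) {
    super('Too many requests');
    this.status = 429;
    this.retryAfterMs = retryAfterMs;
  }
}

// BEFORE: the catch-all handler ignores err.status, so the limiter's 429 is
// reported to the client as an internal server error.
function buggyErrorHandler(err, req, res, next) { // 4 params = Express error middleware
  res.status(500).json({ error: 'Internal server error' });
}

// AFTER: honour a sane err.status; for 429 add Retry-After (whole seconds,
// rounded up) and a message, so clients know to back off and for how long.
function fixedErrorHandler(err, req, res, next) {
  if (res.headersSent) return next(err); // response already started: let Express close it
  const status = Number.isInteger(err.status) && err.status >= 400 && err.status < 600
    ? err.status : 500;
  if (status === 429) {
    const retryAfterSec = Math.max(1, Math.ceil((err.retryAfterMs || 0) / 1000));
    res.set('Retry-After', String(retryAfterSec));
    return res.status(429).json({
      error: 'Too many attempts. Please try again later.',
      retryAfterSeconds: retryAfterSec,
    });
  }
  // Unexpected errors stay generic on the wire (details belong in server logs).
  return res.status(status).json({
    error: status === 500 ? 'Internal server error' : err.message,
  });
}

// Minimal stand-in for Express's res: enough to observe status, headers, body.
function makeRes() {
  const res = { statusCode: 200, headers: {}, body: undefined, headersSent: false };
  res.status = (code) => { res.statusCode = code; return res; };
  res.set = (name, value) => { res.headers[name.toLowerCase()] = value; return res; };
  res.json = (payload) => { res.body = payload; res.headersSent = true; return res; };
  return res;
}

// Feed one error through a handler and report what the client would see.
function simulate(handler, err) {
  const res = makeRes();
  handler(err, {}, res, () => {});
  return { status: res.statusCode, retryAfter: res.headers['retry-after'], body: res.body };
}

if (typeof require !== 'undefined' && require.main === module) {
  const limited = new RateLimitError(90_000); // limiter says: wait 90 s
  console.log('before:', simulate(buggyErrorHandler, limited)); // status 500
  console.log('after: ', simulate(fixedErrorHandler, limited));  // status 429, Retry-After 90
}
```

The check a harness makes is the one `simulate` exposes: hit a protected endpoint past its limit and assert on the status code and the Retry-After header, not on whether the limiter logged something internally.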
Auth Audit Logging
Authentication events are now logged to a dedicated audit table for security monitoring.
- Pre-authentication logging — failed login attempts, unknown user probes, and password reset requests are captured with IP address, user agent, and timestamp.
- Anomaly detection — the test harness queries the audit table for brute-force patterns (many failures against one account from one source), credential spraying (a few attempts each against many accounts from one source), and suspicious post-failure logins (a success on an account shortly after a run of failures against it).
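As an added illustration (not SpeyBooks code, and not its audit schema): audit records carrying the fields listed above, and the three detections the harness runs, applied to a constructed sample log. Event type names, field names, thresholds and time windows are all assumptions made for this example.

```javascript
// Added example, not SpeyBooks code: pre-authentication audit events and the
// three detections named above, run over a constructed sample log.
// Event type names, field names, thresholds and windows are assumptions.

const EVENT_TYPES = new Set([
  'login_failed', 'login_unknown_user', 'login_success', 'password_reset_requested',
]);

// One audit row per pre-auth event. `username` is whatever the client submitted,
// so unknown-user probes are recorded with the same fields as real failures.
function auditEvent(type, { username, ip, userAgent, at }) {
  if (!EVENT_TYPES.has(type)) throw new Error(`unknown audit event type: ${type}`);
  return { type, username, ip, userAgent, at: new Date(at).toISOString() };
}

const isFailure = (e) => e.type === 'login_failed' || e.type === 'login_unknown_user';
const t = (e) => Date.parse(e.at);
const groupBy = (list, keyFn) => list.reduce((m, e) => {
  const k = keyFn(e); (m.get(k) || m.set(k, []).get(k)).push(e); return m;
}, new Map());

// Brute force: one source IP hammering ONE account, `threshold` or more
// failures inside some `windowMs`-long span (sliding window over sorted times).
function detectBruteForce(events, { threshold = 5, windowMs = 10 * 60_000 } = {}) {
  const hits = [];
  for (const [key, group] of groupBy(events.filter(isFailure), (e) => `${e.ip}|${e.username}`)) {
    const times = group.map(t).sort((a, b) => a - b);
    let best = 0;
    for (let lo = 0, hi = 0; hi < times.length; hi++) {
      while (times[hi] - times[lo] > windowMs) lo++;
      best = Math.max(best, hi - lo + 1);
    }
    if (best >= threshold) {
      const [ip, username] = key.split('|');
      hits.push({ ip, username, failures: best });
    }
  }
  return hits;
}

// Credential spraying: one source IP, failures spread over MANY distinct
// accounts within the `windowMs` ending at that IP's most recent failure.
function detectSpraying(events, { minAccounts = 5, windowMs = 60 * 60_000 } = {}) {
  const hits = [];
  for (const [ip, group] of groupBy(events.filter(isFailure), (e) => e.ip)) {
    const latest = Math.max(...group.map(t));
    const accounts = new Set(group.filter((e) => latest - t(e) <= windowMs).map((e) => e.username));
    if (accounts.size >= minAccounts) hits.push({ ip, accounts: accounts.size });
  }
  return hits;
}

// Suspicious post-failure login: a success on an account that just absorbed
// `minFailures`+ failures, from an IP that produced none of them. A real user
// who mistypes and then succeeds from the SAME IP is not flagged.
function detectPostFailureLogin(events, { minFailures = 3, windowMs = 15 * 60_000 } = {}) {
  const hits = [];
  for (const s of events.filter((e) => e.type === 'login_success')) {
    const prior = events.filter((e) => isFailure(e) && e.username === s.username
      && t(e) < t(s) && t(s) - t(e) <= windowMs);
    if (prior.length >= minFailures && !prior.some((e) => e.ip === s.ip)) {
      hits.push({ username: s.username, ip: s.ip, priorFailures: prior.length });
    }
  }
  return hits;
}

// Constructed sample log (not real traffic). Times are minutes after a base time.
function sampleEvents() {
  const base = Date.parse('2026-02-13T09:00:00Z');
  const at = (min) => base + min * 60_000;
  const ua = 'Mozilla/5.0';
  const ev = [];
  // brute force: 203.0.113.7 vs alice, six failures in six minutes
  for (let i = 0; i < 6; i++) ev.push(auditEvent('login_failed', { username: 'alice', ip: '203.0.113.7', userAgent: ua, at: at(i) }));
  // spraying: 198.51.100.9 tries six different accounts, some of which do not exist
  ['bob', 'carol', 'dave', 'erin', 'frank', 'grace'].forEach((u, i) =>
    ev.push(auditEvent(i % 2 ? 'login_unknown_user' : 'login_failed', { username: u, ip: '198.51.100.9', userAgent: ua, at: at(10 + i) })));
  // alice then "succeeds" from a third IP seven minutes after the failures began
  ev.push(auditEvent('login_success', { username: 'alice', ip: '192.0.2.50', userAgent: ua, at: at(7) }));
  // benign: harry mistypes once and succeeds from the same IP
  ev.push(auditEvent('login_failed', { username: 'harry', ip: '192.0.2.20', userAgent: ua, at: at(20) }));
  ev.push(auditEvent('login_success', { username: 'harry', ip: '192.0.2.20', userAgent: ua, at: at(21) }));
  // recorded in the audit table, but not an input to any of the three detections
  ev.push(auditEvent('password_reset_requested', { username: 'alice', ip: '203.0.113.7', userAgent: ua, at: at(8) }));
  return ev;
}

function runDetections(events = sampleEvents()) {
  return {
    bruteForce: detectBruteForce(events),
    spraying: detectSpraying(events),
    postFailureLogin: detectPostFailureLogin(events),
  };
}
```

Note what the unknown-user events buy: without them the spraying detection only sees attempts against accounts that exist, which is exactly the half of the campaign an attacker expects to fail. Logging before the user lookup is what makes the pattern visible.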
Infrastructure Hardening
- Probe path blocking — common scanner paths now return 404. Previously any path not backed by a file fell through to the SPA fallback and was served the app shell with a 200, so every path a scanner probed appeared to exist.
- Node.js 22 LTS — upgraded from Node 20, which is in maintenance and reaches end of life in April 2026, to the Node 22 LTS line. All three applications rebuilt and verified.
- Fail2ban whitelist — the server’s own IP is now in fail2ban’s ignoreip list, so the harness’s own probing can no longer trigger the server’s defences against itself.
- Security headers — all four domains now pass all six security header checks.
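Two of the checks above, as an added illustration and not SpeyBooks' own harness code: routing that answers scanner probe paths with 404 ahead of the SPA fallback (shown beside the old fallback-only behaviour), and a six-header response check written as pure functions so they run offline. The probe list, the six header names and the HSTS threshold are assumptions made for this example; the page does not publish SpeyBooks' own lists.

```javascript
// Added example, not SpeyBooks code: (1) routing that answers scanner probe
// paths with 404 before the SPA fallback, and (2) a six-header response check.
// The probe list, the six header names and the thresholds are assumptions.

// Paths that automated scanners request on every host they find (assumed list).
const PROBE_PREFIXES = [
  '/.env', '/.git', '/.svn', '/.htaccess', '/.aws', '/wp-login.php', '/wp-admin',
  '/xmlrpc.php', '/phpmyadmin', '/cgi-bin', '/vendor/phpunit', '/actuator',
];

// Decode, collapse slashes, drop the trailing slash and lower-case, so that
// "/%2Eenv", "//.env/" and "/.ENV" are all judged as "/.env".
function normalisePath(rawPath) {
  let p = rawPath.split('?')[0];
  try { p = decodeURIComponent(p); } catch { /* malformed escape: judge the raw path */ }
  p = p.replace(/\/+/g, '/');
  if (p.length > 1 && p.endsWith('/')) p = p.slice(0, -1);
  return p.toLowerCase();
}

// A probe matches exactly, as a directory prefix, or as a dotted variant ("/.env.backup").
function isProbePath(rawPath) {
  const p = normalisePath(rawPath);
  return PROBE_PREFIXES.some((pre) => p === pre || p.startsWith(pre + '/') || p.startsWith(pre + '.'));
}

// BEFORE: any path not backed by a file is answered with the SPA shell and 200,
// so a scanner sees "/.env" and "/wp-login.php" as present.
function spaFallbackOnly(rawPath, staticFiles = new Set()) {
  const p = normalisePath(rawPath);
  return staticFiles.has(p) ? { status: 200, served: p } : { status: 200, served: '/index.html' };
}

// AFTER: the probe check runs before the fallback; real client-side routes still get the shell.
function routeRequest(rawPath, staticFiles = new Set(['/favicon.ico', '/assets/app.js'])) {
  const p = normalisePath(rawPath);
  if (isProbePath(p)) return { status: 404, served: null };
  if (staticFiles.has(p)) return { status: 200, served: p };
  return { status: 200, served: '/index.html' }; // SPA fallback for genuine app routes
}

// The six headers this check expects (assumed set) and what counts as a pass.
const HSTS_MIN_AGE = 15_552_000; // six months in seconds, an assumed threshold
const REQUIRED_HEADERS = {
  'strict-transport-security': (v) => {
    const m = /max-age=(\d+)/i.exec(v);
    return m !== null && Number(m[1]) >= HSTS_MIN_AGE;
  },
  'content-security-policy': (v) => v.trim().length > 0,
  'x-content-type-options': (v) => v.trim().toLowerCase() === 'nosniff',
  'x-frame-options': (v) => ['deny', 'sameorigin'].includes(v.trim().toLowerCase()),
  'referrer-policy': (v) => v.trim().length > 0,
  'permissions-policy': (v) => v.trim().length > 0,
};

// Returns which of the six checks fail; header names are matched case-insensitively.
function checkSecurityHeaders(headers) {
  const lower = Object.fromEntries(
    Object.entries(headers).map(([k, v]) => [k.toLowerCase(), String(v)]));
  const failed = Object.entries(REQUIRED_HEADERS)
    .filter(([name, ok]) => !(name in lower) || !ok(lower[name]))
    .map(([name]) => name);
  return { passed: failed.length === 0, failed };
}

// Constructed response headers for a passing domain (not captured from SpeyBooks).
const GOOD_HEADERS = {
  'Strict-Transport-Security': 'max-age=31536000; includeSubDomains',
  'Content-Security-Policy': "default-src 'self'",
  'X-Content-Type-Options': 'nosniff',
  'X-Frame-Options': 'DENY',
  'Referrer-Policy': 'strict-origin-when-cross-origin',
  'Permissions-Policy': 'camera=(), microphone=(), geolocation=()',
};
```

The normalisation step is the part worth checking in a harness: a probe filter that compares raw strings still hands `/%2Eenv` or `//.env/` to the fallback, and the 200 comes straight back.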
Bug Fixes
- Fixed rate limit error handler returning 500 instead of 429 on all auth endpoints.
- Fixed probe paths returning 200 via SPA fallback instead of 404.