Security: ForliLabs/cura-vicina

SECURITY.md

Security Policy

Reporting a Vulnerability

If you discover a security vulnerability in CuraVicina, please report it responsibly:

  1. Do NOT open a public GitHub issue
  2. Email security concerns to: security@curavicina.it
  3. Include a detailed description of the vulnerability
  4. Provide steps to reproduce if possible
  5. Allow up to 48 hours for an initial response

Supported Versions

Version | Supported
------- | ---------
0.1.x   | ✅ Active

Security Measures

CuraVicina implements the following security measures:

Authentication

  • PBKDF2-SHA256 password hashing (310,000 iterations)
  • Session-based authentication with HTTP-only cookies
  • SPID/CIE digital identity integration

API Security

  • Rate limiting on all endpoints (tiered: auth 5/min, mutations 30/min, reads 120/min)
  • Input validation with schema validation on all POST/PUT handlers
  • CSRF protection for state-changing requests
  • Security headers (CSP, X-Frame-Options, HSTS, etc.)
  • API key authentication for B2G endpoints
  • IP allowlisting for integration endpoints
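The tiered limits in the first bullet are specific enough to implement, so the following is an added example (not CuraVicina's own code) of a per-client sliding-window limiter with exactly those budgets (auth 5/min, mutations 30/min, reads 120/min) and the 429/Retry-After response it produces when a budget is exhausted. How a request is routed to a tier (the `/api/auth/` prefix, GET/HEAD as reads, everything else as a mutation), the in-memory store, and the `req` shape are assumptions about the API layout.

```javascript
// Added example (not CuraVicina's own code): tiered, per-client sliding-window
// rate limiting with the limits the policy states. Tier routing by method and
// path, the "/api/auth/" prefix and the in-memory store are assumptions.
const TIERS = {
  auth:      { limit: 5,   windowMs: 60_000 },
  mutations: { limit: 30,  windowMs: 60_000 },
  reads:     { limit: 120, windowMs: 60_000 },
};

// Auth endpoints get the tightest budget; everything else splits by whether
// the method can change state.
function tierFor(method, path) {
  if (path.startsWith('/api/auth/')) return 'auth';            // assumed prefix
  if (method === 'GET' || method === 'HEAD') return 'reads';
  return 'mutations';
}

class SlidingWindowLimiter {
  constructor(tiers = TIERS) {
    this.tiers = tiers;
    this.hits = new Map(); // "<tier>:<client>" -> ascending request timestamps
  }

  // Returns { allowed, remaining, retryAfterMs }; `now` is injectable so the
  // behaviour is deterministic in tests.
  check(tier, clientKey, now = Date.now()) {
    const { limit, windowMs } = this.tiers[tier];
    const key = `${tier}:${clientKey}`;
    const stamps = this.hits.get(key) || [];
    const cutoff = now - windowMs;
    while (stamps.length > 0 && stamps[0] <= cutoff) stamps.shift(); // expire old hits
    if (stamps.length >= limit) {
      this.hits.set(key, stamps);
      // Oldest hit still in the window determines when capacity frees up.
      return { allowed: false, remaining: 0, retryAfterMs: stamps[0] + windowMs - now };
    }
    stamps.push(now);
    this.hits.set(key, stamps);
    return { allowed: true, remaining: limit - stamps.length, retryAfterMs: 0 };
  }
}

// Turns a limiter decision into the response pieces a handler needs: a 429
// with Retry-After when over budget, otherwise a null status plus the usual
// X-RateLimit-* headers. `req` is { method, path, ip } (assumed shape).
function enforce(limiter, req, now = Date.now()) {
  const tier = tierFor(req.method, req.path);
  const decision = limiter.check(tier, req.ip, now);
  const headers = {
    'X-RateLimit-Limit': String(limiter.tiers[tier].limit),
    'X-RateLimit-Remaining': String(decision.remaining),
  };
  if (!decision.allowed) {
    headers['Retry-After'] = String(Math.ceil(decision.retryAfterMs / 1000));
    return { tier, status: 429, headers };
  }
  return { tier, status: null, headers };
}
```

Keying the auth tier by client address is the simplest choice; a production deployment behind a reverse proxy would derive the client key from the proxy-supplied address (and, for login, often the target account as well) and keep the counters in a shared store so that every instance enforces the same budget.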

Data Protection

  • GDPR consent management (Articles 6, 7, 15 and 17)
  • Data encryption in transit (TLS)
  • Audit logging for sensitive operations
  • Data retention policies with automatic cleanup

Infrastructure

  • Automated vulnerability scanning in CI (npm audit)
  • Dependency updates monitoring
  • Preview deployments with isolated databases
  • Structured logging with no PII in logs

GDPR Compliance

CuraVicina processes health data (special category under GDPR Article 9). Key compliance measures:

  • Explicit consent collection and management
  • Right to access (Article 15) — full data export
  • Right to erasure (Article 17) — cascade deletion
  • Data portability (Article 20) — JSON export
  • Data Protection Impact Assessment (DPIA) documented
  • Data Processing Agreement (DPA) template available

Dependency Security

Dependencies are audited in CI via npm audit. Critical vulnerabilities block deployment.
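As an added example (not CuraVicina's own CI configuration), this is a small gate that reads the JSON produced by `npm audit --json` and decides whether the build should fail under the rule stated above, critical findings block deployment, while still reporting lower severities. The sample report is constructed in the shape of npm audit's `metadata.vulnerabilities` summary; the threshold parameter and return shape are assumptions.

```javascript
// Added example (not CuraVicina's own code): CI gate over `npm audit --json`
// output. Fails when any vulnerability at or above the blocking severity is
// present. The sample report is constructed; the threshold mirrors the
// policy ("critical vulnerabilities block deployment").
const SEVERITIES = ['info', 'low', 'moderate', 'high', 'critical']; // npm audit's scale, ascending

// Returns { blocked, offending, counts }. `blockAt` is the lowest severity
// that fails the gate; anything below it is reported but does not block.
function auditGate(report, blockAt = 'critical') {
  const counts = (report && report.metadata && report.metadata.vulnerabilities) || {};
  const threshold = SEVERITIES.indexOf(blockAt);
  if (threshold < 0) throw new Error(`unknown severity: ${blockAt}`);
  const offending = SEVERITIES
    .filter((sev, i) => i >= threshold && (counts[sev] || 0) > 0)
    .map((sev) => `${sev}=${counts[sev]}`);
  return { blocked: offending.length > 0, offending, counts };
}

// Process exit code for a CI step: non-zero stops the pipeline.
function exitCodeFor(result) {
  return result.blocked ? 1 : 0;
}

// Constructed sample in the shape of npm audit's summary block (not a real scan).
const SAMPLE_REPORT = {
  auditReportVersion: 2,
  metadata: {
    vulnerabilities: { info: 0, low: 2, moderate: 1, high: 0, critical: 1, total: 4 },
  },
};

// Usage in a CI step: pipe `npm audit --json` into JSON.parse, then
// process.exitCode = exitCodeFor(auditGate(report)).
```

Reading the summary counts rather than the per-package tree keeps the gate independent of which packages are affected; the full `vulnerabilities` map in the same report is what a developer then consults to find the offending dependency.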

Contact

For security inquiries: security@curavicina.it
