HighFile-scope Plug & play

Require step-up MFA for privileged operations

Actions like role changes, key rotations, and exports of PII require MFA re-authentication within the last 5 minutes; record mfa_verified_at in the audit log.

Add to Mesrai Open workspace

Why this matters

Step-up auth reduces risk of session hijack and meets SOC 2 access control expectations.

Bad vs. good

Side-by-side examples engineers can pattern-match during review.

Avoid

if (user.role=="admin") perform_export();

Prefer

if (mfa.isFresh(user, 300)) perform_export(); else prompt_mfa();

More snippets

Good

requireFreshMFA(300)

Bad

if (isAdmin) allow()

Related rules

From the same buckets as this rule.

Critical
Encrypt sensitive data at rest with KMS and rotate keys
Use envelope encryption (AES-256-GCM) with cloud KMS-managed CMKs for databases, object storage, and backups. Rotate CMKs at least annually and rotate DEKs per object/file.
compliance-soc2-essentialssecrets-credentials+1
Critical
Enforce TLS 1.2+ and HSTS on all external endpoints
Public services must require TLSv1.2 or higher and set HSTS (max-age ≥ 15552000, includeSubDomains). Reject plaintext HTTP and weak ciphers; cookies must be Secure and HttpOnly with SameSite set.
compliance-soc2-essentialssecurity-hardening+1
Critical
Use a secrets manager and 90-day rotation policy
All credentials (API keys, DB passwords, tokens) must be stored in a secrets manager with automatic rotation ≤ 90 days; forbid hardcoded or .env-committed secrets via CI checks.
compliance-soc2-essentialssecrets-credentials+1

Why this matters

Bad vs. good

More snippets

Related rules

Encrypt sensitive data at rest with KMS and rotate keys

Enforce TLS 1.2+ and HSTS on all external endpoints

Use a secrets manager and 90-day rotation policy

Why this matters

Bad vs. good

More snippets

Related rules

Encrypt sensitive data at rest with KMS and rotate keys

Enforce TLS 1.2+ and HSTS on all external endpoints

Use a secrets manager and 90-day rotation policy