CriticalFile-scope Plug & play

Encrypt sensitive data at rest with KMS and rotate keys

Use envelope encryption (AES-256-GCM) with cloud KMS-managed CMKs for databases, object storage, and backups. Rotate CMKs at least annually and rotate DEKs per object/file.

Add to Mesrai Open workspace

Why this matters

SOC 2 expects strong encryption at rest and periodic key rotation to reduce blast radius.

Bad vs. good

Side-by-side examples engineers can pattern-match during review.

Avoid

# store raw PII
customer.ssn = "123-45-6789"

Prefer

# store ciphertext with envelope encryption
customer.ssn_ct = kms.encrypt(aes_gcm(generate_dek()), ssn)

More snippets

Good

kms.decrypt(ciphertext)

Bad

db.insert({ ssn: plain_text })

Related rules

From the same buckets as this rule.

Critical
Enforce TLS 1.2+ and HSTS on all external endpoints
Public services must require TLSv1.2 or higher and set HSTS (max-age ≥ 15552000, includeSubDomains). Reject plaintext HTTP and weak ciphers; cookies must be Secure and HttpOnly with SameSite set.
compliance-soc2-essentialssecurity-hardening+1
Critical
Use a secrets manager and 90-day rotation policy
All credentials (API keys, DB passwords, tokens) must be stored in a secrets manager with automatic rotation ≤ 90 days; forbid hardcoded or .env-committed secrets via CI checks.
compliance-soc2-essentialssecrets-credentials+1
High
Add TLS and JSON audit middleware
Serve via rustls with TLS1.2+ and add middleware to log JSON audit events with user_id and request_id; never log raw tokens.
compliance-soc2-essentialssecurity-hardening+1

Why this matters

Bad vs. good

More snippets

Related rules

Enforce TLS 1.2+ and HSTS on all external endpoints

Use a secrets manager and 90-day rotation policy

Add TLS and JSON audit middleware

Why this matters

Bad vs. good

More snippets

Related rules

Enforce TLS 1.2+ and HSTS on all external endpoints

Use a secrets manager and 90-day rotation policy

Add TLS and JSON audit middleware