CriticalFile-scope

Use a secrets manager and 90-day rotation policy

All credentials (API keys, DB passwords, tokens) must be stored in a secrets manager with automatic rotation ≤ 90 days; forbid hardcoded or .env-committed secrets via CI checks.

Add to Mesrai Open workspace

Why this matters

SOC 2 requires secure secret handling and timely rotation to reduce exposure.

Bad vs. good

Side-by-side examples engineers can pattern-match during review.

Avoid

DATABASE_URL=postgres://user:plainpass@db/prod

Prefer

DATABASE_URL=secrets.get("prod/db/url") # rotated by policy

More snippets

Good

secrets.get("kafka/password")

Bad

const PWD = "SuperSecret123!"

Related rules

From the same buckets as this rule.

Critical
Encrypt sensitive data at rest with KMS and rotate keys
Use envelope encryption (AES-256-GCM) with cloud KMS-managed CMKs for databases, object storage, and backups. Rotate CMKs at least annually and rotate DEKs per object/file.
compliance-soc2-essentialssecrets-credentials+1
Critical
Enforce TLS 1.2+ and HSTS on all external endpoints
Public services must require TLSv1.2 or higher and set HSTS (max-age ≥ 15552000, includeSubDomains). Reject plaintext HTTP and weak ciphers; cookies must be Secure and HttpOnly with SameSite set.
compliance-soc2-essentialssecurity-hardening+1
High
Add TLS and JSON audit middleware
Serve via rustls with TLS1.2+ and add middleware to log JSON audit events with user_id and request_id; never log raw tokens.
compliance-soc2-essentialssecurity-hardening+1

Why this matters

Bad vs. good

More snippets

Related rules

Encrypt sensitive data at rest with KMS and rotate keys

Enforce TLS 1.2+ and HSTS on all external endpoints

Add TLS and JSON audit middleware

Why this matters

Bad vs. good

More snippets

Related rules

Encrypt sensitive data at rest with KMS and rotate keys

Enforce TLS 1.2+ and HSTS on all external endpoints

Add TLS and JSON audit middleware