SOC 2 Essentials rules

Use envelope encryption (AES-256-GCM) with cloud KMS-managed CMKs for databases, object storage, and backups. Rotate CMKs at least annually and rotate DEKs per object/file.

Public services must require TLSv1.2 or higher and set HSTS (max-age ≥ 15552000, includeSubDomains). Reject plaintext HTTP and weak ciphers; cookies must be Secure and HttpOnly with SameSite set.

All credentials (API keys, DB passwords, tokens) must be stored in a secrets manager with automatic rotation ≤ 90 days; forbid hardcoded or .env-committed secrets via CI checks.

Serve via rustls with TLS1.2+ and add middleware to log JSON audit events with user_id and request_id; never log raw tokens.

Protect /exports/ with role checks, fresh MFA, and rate limits; add requester and approved_by to the audit event.

Create daily encrypted backups (KMS keys) with retention and geo-redundancy; run quarterly restore tests and record results in the audit log.

Add a CI step that fails builds if secret patterns (JWT, AWS keys) or high-entropy strings are detected in diffs.

Tag records by data_class (PII, telemetry, auth) and enforce retention (e.g., PII ≤ 365 days unless legal hold). Provide scheduled deletion jobs and audit log entries.

All bulk exports of PII require approval, step-up MFA, rate limits, and watermarking of files with requestor and timestamp; record export_id in the audit log.

Require TOTP or WebAuthn MFA for admin areas; verify mfa_verified_at timestamp before sensitive routes.

Every security-relevant action must append to an immutable, append-only audit log with fields: timestamp (UTC ISO8601), actor.user_id, actor.role, action, resource.id, result, trace_id, ip, user_agent. Logs must be signed or stored in WORM/immutable storage and forwarded to a SIEM.

Use AES-GCM with keys from KMS to encrypt sensitive columns (e.g., SSN) before saving; store nonce and auth tag; never rely solely on disk encryption.

Use a KMS client to derive DEKs and encrypt sensitive blobs; rotate CMKs annually and re-encrypt on rotation.

Use helmet to set HSTS and configure cookies with Secure, HttpOnly, and SameSite. Reject HTTP by redirecting to HTTPS.

Install HSTS in Ktor, require HTTPS redirects, and emit structured audit events for role changes with callId/traceId.

Force HTTPS via middleware, set HSTS, and configure session cookies with secure=true, http_only=true, same_site=lax or strict in config/session.php.

Use Spring Security to require HTTPS, enable HSTS, set session fixation protection, and configure SameSite, Secure, HttpOnly cookies.

Grant production access just-in-time via approved requests with scoped durations; break-glass access must trigger alerts and expanded audit logging.

Enable config.force_ssl = true; add filter_parameters to redact PII and secrets; use secure_same_site for cookies.

Produce an SBOM (e.g., SPDX/CycloneDX) during CI and block releases if SCA finds CVEs ≥ High severity or disallowed licenses.

Set session idle timeout ≤ 15 minutes and absolute timeout ≤ 12 hours; cookies must be Secure, HttpOnly, and SameSite=Lax or Strict; revoke sessions on password change.

Authorize every request by role and resource scope. Policies must default-deny and require explicit allow; privileged roles (admin, auditor) must be rare and reviewed quarterly.

Before emitting logs, detect and redact PII and secret patterns (emails, tokens, keys). Replace values with consistent hashes or tokens; never log full credentials.

Configure Spring Boot to require client certificates for internal APIs (clientAuth=REQUIRE) and restrict CAs; log peer certificate subject in audit events.