Here is everything you need to know about security features and how they are used in Check.
Two-factor authentication
Two-factor authentication is an extra layer of security for your Check account, designed to ensure that you're the only person who can access it, even if someone knows your password. To enable it in Check you'll need a two-factor app, like Google Authenticator, on your smartphone.
To enable two-factor authentication in Check:
Navigate to the user menu, located at bottom left of your screen.
Select user settings.
Choose the 'Security' tab.
Click 'Require two-factor authentication' and follow the instructions.
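The authenticator app named above generates time-based one-time passwords (TOTP, RFC 6238) from a shared secret, and the server recomputes the same code to check it. The example below is added here to show that exchange end to end; it is not Check's own code. The secret `RFC_TEST_KEY` is the published RFC 4226/6238 test vector (the ASCII string "12345678901234567890"), used only so the results are checkable; a real deployment issues a fresh random secret per user with `new_secret()`. The `last_used_counter` parameter is this example's own mechanism for rejecting a code that has already been accepted once within the tolerance window.

```python
import base64
import hashlib
import hmac
import secrets
import struct
from typing import Optional

# Published RFC 4226/6238 test secret, used here only so results are verifiable.
RFC_TEST_KEY = b"12345678901234567890"


def new_secret(num_bytes: int = 20) -> str:
    """Generate a random shared secret, base32-encoded as authenticator apps expect."""
    return base64.b32encode(secrets.token_bytes(num_bytes)).decode("ascii").rstrip("=")


def decode_base32_secret(encoded: str) -> bytes:
    """Decode a base32 secret as typed by a user (spaces, lowercase and missing padding tolerated)."""
    cleaned = encoded.replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(key: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP whose counter is the number of `step`-second periods since the epoch."""
    return hotp(key, int(unix_time) // step, digits)


def verify_totp(key: bytes, code: str, unix_time: int, last_used_counter: int = -1,
                step: int = 30, window: int = 1, digits: int = 6) -> Optional[int]:
    """Return the counter the code matched, or None.

    Codes from `window` steps either side of now are accepted to absorb clock drift,
    but any counter at or below `last_used_counter` is refused, so a code that was
    already accepted cannot be presented a second time inside the window. The caller
    stores the returned counter as the new `last_used_counter` for this user.
    """
    current = int(unix_time) // step
    for candidate in range(current - window, current + window + 1):
        if candidate <= last_used_counter:
            continue
        expected = hotp(key, candidate, digits).encode("ascii")
        if hmac.compare_digest(expected, code.encode("ascii", "replace")):
            return candidate
    return None
```

Verification compares codes with `hmac.compare_digest` rather than `==`, and the server never needs the app's clock to be exact, only within one step.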
Sending login security emails when the IP or device changes
We want to help keep your account secure, so we email you whenever there is a new sign-in to your Check account from a new device.
If you don't recognize this sign-in, we recommend that you change your password immediately.
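To show what "a new sign-in from a new device" means in practice, here is an added example of the detection logic behind such an alert; it is not Check's code and the events in `SAMPLE_SIGNINS` are constructed. It keeps, per user, the set of device identifiers and source networks seen so far (IPv4 addresses are grouped by /24 and IPv6 by /64, an assumption chosen to cut noise from addresses that change within one network) and flags a sign-in that brings either a device or a network not seen before.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Set


@dataclass(frozen=True)
class SignIn:
    user: str
    device_id: str  # a stable, non-secret device identifier (e.g. a hashed device fingerprint)
    ip: str


@dataclass
class Decision:
    alert: bool
    reasons: List[str]


@dataclass
class SignInMonitor:
    """Per-user memory of devices and networks, consulted on every successful sign-in."""
    known_devices: Dict[str, Set[str]] = field(default_factory=dict)
    known_networks: Dict[str, Set[str]] = field(default_factory=dict)

    @staticmethod
    def network_of(ip: str) -> str:
        """Collapse an address to its network so small address changes do not trigger alerts."""
        addr = ipaddress.ip_address(ip)
        prefix = 24 if addr.version == 4 else 64
        return str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False))

    def record(self, event: SignIn) -> Decision:
        devices = self.known_devices.setdefault(event.user, set())
        networks = self.known_networks.setdefault(event.user, set())
        network = self.network_of(event.ip)
        reasons: List[str] = []
        if event.device_id not in devices:
            reasons.append(f"new device {event.device_id}")
        if network not in networks:
            reasons.append(f"new network {network}")
        # Remember what we saw only after deciding, so the first sighting is reported.
        devices.add(event.device_id)
        networks.add(network)
        return Decision(alert=bool(reasons), reasons=reasons)


# Constructed sample events (documentation address ranges, not real users).
SAMPLE_SIGNINS = [
    SignIn("alice", "dev-1", "203.0.113.10"),
    SignIn("alice", "dev-1", "203.0.113.77"),   # same device, same /24: routine
    SignIn("alice", "dev-1", "198.51.100.5"),   # same device, new network
    SignIn("alice", "dev-2", "198.51.100.5"),   # new device, known network
    SignIn("bob", "dev-1", "203.0.113.10"),     # different user: separate history
]


def run_sample() -> List[Decision]:
    """Replay the constructed events through a fresh monitor and return each decision."""
    monitor = SignInMonitor()
    return [monitor.record(event) for event in SAMPLE_SIGNINS]
```

Each `Decision` with `alert` set is what would be turned into the email described above; the `reasons` list tells the recipient what changed.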
All data sent between your browser and the website that you are connected to is encrypted. We do not, however, currently encrypt traffic internally between services.
API tokens: Users can let an application act on their behalf without sharing their login credentials. Instead, the application holds a token, and the API treats the bearer of a valid token as authorized to use it and perform actions.
CloudFlare for DDoS prevention (through Project Galileo)
A DDoS attack is an attempt to make an online service unavailable by overwhelming it with traffic from multiple sources. Just as DDoS attacks are by their very nature distributed, Cloudflare's DDoS mitigation system is distributed across its global network.
SSH non standard port (key required)
SSH is a protocol to login to our servers. SSH provides strong authentication and secure encrypted data communications for administrators and operating services.
We run SSH on a standard port with public-key authentication. We use Amazon GuardDuty to alert us to attacks. Note: We will be changing this in the near future and will no longer allow direct SSH to machines.
Iptables firewall (through Ferm)
Firewalls provided by AWS Security Groups and ACLs protect the server from unwanted traffic based on given rules (a policy) that allow or block connections and control traffic.
Sessions are encrypted before being stored in a cookie
Cookies are short pieces of text that are stored by a visitor's browser and used as an identifier for a session. Data stored in our product cookies is encrypted, so it cannot be read by unauthorized parties.
Expiring sessions on sign in and sign out to avoid “Session Fixation”: To avoid attacks using an existing session ID, a new session ID is assigned every time a user logs in.
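The two session points above (a cookie that cannot be read or altered by the client, and a session ID that changes at every login and logout) are illustrated by the added example below, which is not Check's code. It differs from the page in one named respect: rather than encrypting the cookie contents, it keeps all session data server-side and puts only a random session ID in the cookie, signed with HMAC-SHA256 so a tampered cookie is rejected. The rotation on `login()` and `logout()` is the session-fixation defence described above: an ID handed out before authentication is discarded, so a pre-set ID never becomes an authenticated one. `signing_key` is an assumed server secret.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional


class SessionStore:
    """Server-side sessions addressed by an unguessable ID carried in a signed cookie."""

    def __init__(self, signing_key: bytes):
        self._key = signing_key
        self._sessions: Dict[str, dict] = {}

    def _sign(self, session_id: str) -> str:
        return hmac.new(self._key, session_id.encode("ascii"), hashlib.sha256).hexdigest()

    def _new_id(self, data: Optional[dict] = None) -> str:
        session_id = secrets.token_urlsafe(32)  # 256 bits of randomness
        self._sessions[session_id] = dict(data or {})
        return session_id

    def issue_cookie(self, session_id: str) -> str:
        """Cookie value: the ID plus its MAC; the client learns nothing it can usefully change."""
        return f"{session_id}.{self._sign(session_id)}"

    def resolve_cookie(self, cookie: Optional[str]) -> Optional[str]:
        """Return the session ID if the cookie is well-formed, correctly signed and still live."""
        if not cookie or "." not in cookie:
            return None
        session_id, signature = cookie.rsplit(".", 1)
        if not hmac.compare_digest(signature, self._sign(session_id)):
            return None
        return session_id if session_id in self._sessions else None

    def start(self) -> str:
        """Anonymous session for a visitor who has not signed in."""
        return self._new_id()

    def login(self, session_id: str, user: str) -> str:
        """Rotate the ID on authentication: the pre-login ID stops working immediately."""
        previous = self._sessions.pop(session_id, {})
        return self._new_id({**previous, "user": user})

    def logout(self, session_id: str) -> str:
        """Drop the authenticated session and hand back a fresh anonymous one."""
        self._sessions.pop(session_id, None)
        return self._new_id()

    def user_of(self, session_id: str) -> Optional[str]:
        return self._sessions.get(session_id, {}).get("user")
```

Because the store rotates the ID rather than reusing it, anyone who knew the anonymous ID before login (however they came by it) holds nothing of value afterwards, and the signature check means a forged or edited cookie is dropped before any lookup happens.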
A permissions system to control access to database information
Different types of users are granted different levels of information access. Anonymous users (not logged in) do not have all the functions available to logged-in users. For logged-in users, the functionality differs depending upon their role in the system. For example, only authorized users who have been granted the delete permission can successfully remove content.
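The API token paragraph earlier on this page and the permissions section just above describe two halves of one request path: first establish who the bearer of a token is, then decide whether that user's role allows the action. The added example below joins them; it is not Check's code, and the role names and permission sets in `ROLE_PERMISSIONS` are assumptions for illustration. Tokens are shown to the client once and only their SHA-256 fingerprint is stored, so a leaked token database does not yield usable tokens; expiry and revocation are checked on every use; and a request with no valid token is treated as the anonymous role rather than rejected outright, matching the page's description of anonymous access.

```python
import hashlib
import secrets
import time
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional

# Assumed role table for illustration; Check's actual roles and permissions may differ.
ROLE_PERMISSIONS: Dict[str, FrozenSet[str]] = {
    "anonymous": frozenset({"read"}),
    "contributor": frozenset({"read", "create", "update_own"}),
    "editor": frozenset({"read", "create", "update_any", "delete"}),
}


@dataclass(frozen=True)
class User:
    name: str
    role: str


ANONYMOUS = User("anonymous", "anonymous")


@dataclass
class TokenRecord:
    user: User
    expires_at: float
    revoked: bool = False


class TokenService:
    """Issues bearer tokens and maps a presented token back to its user."""

    def __init__(self) -> None:
        self._by_fingerprint: Dict[str, TokenRecord] = {}

    @staticmethod
    def _fingerprint(token: str) -> str:
        # Only this digest is stored; the raw token exists solely on the client.
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def issue(self, user: User, ttl_seconds: int = 3600, now: Optional[float] = None) -> str:
        token = secrets.token_urlsafe(32)
        issued_at = time.time() if now is None else now
        self._by_fingerprint[self._fingerprint(token)] = TokenRecord(user, issued_at + ttl_seconds)
        return token

    def revoke(self, token: str) -> None:
        record = self._by_fingerprint.get(self._fingerprint(token))
        if record:
            record.revoked = True

    def authenticate(self, authorization_header: Optional[str], now: Optional[float] = None) -> Optional[User]:
        """Resolve an 'Authorization: Bearer <token>' header to a User, or None if unusable."""
        if not authorization_header or not authorization_header.startswith("Bearer "):
            return None
        presented = authorization_header[len("Bearer "):].strip()
        record = self._by_fingerprint.get(self._fingerprint(presented))
        current = time.time() if now is None else now
        if record is None or record.revoked or record.expires_at <= current:
            return None
        return record.user


def authorize(user: Optional[User], action: str, owner: Optional[str] = None) -> bool:
    """Role check; 'update' additionally allows editing one's own content for roles with update_own."""
    user = user or ANONYMOUS
    permissions = ROLE_PERMISSIONS.get(user.role, frozenset())
    if action == "update":
        return "update_any" in permissions or ("update_own" in permissions and owner == user.name)
    return action in permissions
```

A request handler would call `authenticate()` once, then `authorize()` for each operation; the ownership rule shows why the permission check needs the resource, not just the role.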
Continuous security checks over source code (using Code Climate)
Code Climate performs an automated code review on every change to help ensure code health.