Security

Trajectory implements multiple security measures to protect your family's health data. This section is split into focused topics to make it easier to find the right guidance.

What Trajectory Does NOT Do

For transparency, Trajectory does not currently provide:

❌ Encryption at rest (depends on your infrastructure)
❌ Two-factor authentication (planned)
❌ Audit logging (planned)
❌ Automated security scanning
❌ Built-in WAF (Web Application Firewall)
❌ Rate limiting on all endpoints (only auth endpoints)

Consider implementing these at the infrastructure level if needed for your security requirements.

Reporting Vulnerabilities

If you discover a security vulnerability:

Do NOT open a public issue
Contact maintainers privately (see SECURITY.md)
Provide details:
- Description of the vulnerability
- Steps to reproduce
- Potential impact
- Suggested fix (if any)

Security Checklist

Use this checklist for production deployments:

Strong, unique JWT_SECRET and JWT_REFRESH_SECRET
Strong DB_PASSWORD
NODE_ENV=production set
HTTPS enabled via reverse proxy
HSTS header configured
Security headers configured (X-Frame-Options, etc.)
Firewall configured to only expose necessary ports
Database not exposed externally
Regular automated backups configured
Backup restoration tested
Monitoring and logging in place
Server and Docker kept up to date
Access restricted to authorized users only

Edit this page

What Trajectory Does NOT Do
Reporting Vulnerabilities
Security Checklist

Docs

Getting Started
Operations

More

Blog
GitHub

What Trajectory Does NOT Do​

Reporting Vulnerabilities​

Security Checklist​

What Trajectory Does NOT Do

Reporting Vulnerabilities

Security Checklist