Security — LM Presenze

Last updated: April 2026

Authentication

  • Passwords hashed with Bcrypt (12 rounds)
  • API tokens via Laravel Sanctum (revocable)
  • Configurable session expiry

Data protection

  • Row-level multi-tenancy: each company sees only its own data
  • HTTPS required in production
  • CSRF protection on all forms
  • Rate limiting on API and login

Webhooks

  • Authentication via webhook_secret
  • HMAC validation (X-Webhook-Signature) for integrity
  • Rate limiting: 60 req/min per integration
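How an integration can validate the X-Webhook-Signature header before trusting a delivery, as an added example that is not LM Presenze's own code. The page does not state the digest or encoding, so this assumes HMAC-SHA256 over the raw request body, hex-encoded, keyed with the shared webhook_secret; the secret and body below are constructed sample values.

```python
import hmac
import hashlib
from typing import Optional


def sign_payload(secret: bytes, body: bytes) -> str:
    """Hex HMAC-SHA256 of the raw body (assumed scheme; adjust if the sender differs)."""
    return hmac.new(secret, body, hashlib.sha256).hexdigest()


def verify_webhook(secret: bytes, body: bytes, signature_header: Optional[str]) -> bool:
    """Return True only when X-Webhook-Signature matches the body under the shared secret.

    Verify the exact bytes received, before any JSON decoding, so re-serialisation cannot
    change what is signed. hmac.compare_digest keeps the comparison constant-time, so a
    wrong header cannot be refined byte by byte from response timing.
    """
    if not signature_header:
        return False
    expected = sign_payload(secret, body)
    return hmac.compare_digest(expected, signature_header.strip())


# Constructed sample: a webhook_secret and a delivery body as an integration would receive it.
SECRET = b"example-webhook-secret"
BODY = b'{"event":"clock_in","employee_id":42,"at":"2026-04-01T08:59:03+02:00"}'

if __name__ == "__main__":
    sig = sign_payload(SECRET, BODY)
    print("genuine delivery accepted:", verify_webhook(SECRET, BODY, sig))
    # Any change to the body (here a tampered employee_id) invalidates the signature.
    print("tampered body rejected:", not verify_webhook(SECRET, BODY.replace(b"42", b"43"), sig))
```

Reject a delivery whose signature fails before doing any work with its contents, and log the failure alongside the integration's rate-limit counters so a burst of bad signatures is visible.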

Audit trail

  • Immutable log of all operations (who, what, when, IP)
  • Accessible only to admins and supervisors
  • Retention per Italian labour regulations

Backup

  • Database: automatic daily backup
  • Retention: 30 days of backup history

Vulnerability reporting

To report a security vulnerability: info@lorenzomalferrari.com