Protected Security Module
Admin Security Audit
Review the security status of admin access, JWT verification, backup posture, password rotation, and environment hardening. Browser actions remain safe and non-destructive.
Checking admin permission...
Admin Token
—
Browser session
Admin API
—
Permission guard
API Health
—
Backend health
Write Actions
Locked
Server-only security changes
Production Security Checklist
Safe Server Audit Commands
Run these from the server terminal. They mask secrets and avoid printing sensitive values.
cd /var/www/vivas-api
echo "=== .env permissions ==="
ls -lh .env
echo ""
echo "=== masked env check ==="
grep -nE 'NODE_ENV|PORT|DB_|DATABASE_URL|JWT|SECRET|CORS|RATE|UPLOAD|PUBLIC|API' .env \
| sed -E 's/(=).+/\1***MASKED***/'
echo ""
echo "=== API health ==="
curl -s https://vivas.vote/api/health | jq
echo ""
echo "=== Admin route without token should be locked ==="
curl -s https://vivas.vote/api/admin-review/me | jq
Frontend Security Check
Use this to confirm cleaned admin pages are not loading old scripts.
grep -nE "script src=.*(legacy-admin|old-control-room)" \
/var/www/vivas.vote/html/admin-dashboard.html \
/var/www/vivas.vote/html/admin-review.html \
/var/www/vivas.vote/html/admin-users.html \
/var/www/vivas.vote/html/admin-security.html \
/var/www/vivas.vote/html/fraud-monitoring.html