🔐
VIVAS
Admin Security Audit
Admin Dashboard
Protected Security Module

Admin Security Audit

Review the security status of admin access, JWT verification, backup posture, password rotation, and environment hardening. Browser actions remain safe and non-destructive.

User Management Back to Dashboard
Checking admin permission...
Admin Token
Browser session
Admin API
Permission guard
API Health
Backend health
Write Actions
Locked
Server-only security changes
Security Checklist

Production Security Checklist

Admin token verification Checking /api/admin-review/me...
API health Checking /api/health...
Password rotation Rotate admin passwords from server terminal only. Do not expose new passwords in browser.
.env/JWT audit Confirm JWT_SECRET exists, .env is chmod 600, and secrets are not printed publicly.
Backup verification Confirm DB, API, frontend, NGINX, PM2, and config backups exist before destructive changes.
Legacy scripts Admin pages should not load old dashboard scripts.
Server Commands

Safe Server Audit Commands

Run these from the server terminal. They mask secrets and avoid printing sensitive values.

cd /var/www/vivas-api echo "=== .env permissions ===" ls -lh .env echo "" echo "=== masked env check ===" grep -nE 'NODE_ENV|PORT|DB_|DATABASE_URL|JWT|SECRET|CORS|RATE|UPLOAD|PUBLIC|API' .env \ | sed -E 's/(=).+/\1***MASKED***/' echo "" echo "=== API health ===" curl -s https://vivas.vote/api/health | jq echo "" echo "=== Admin route without token should be locked ===" curl -s https://vivas.vote/api/admin-review/me | jq
Legacy Script Audit

Frontend Security Check

Use this to confirm cleaned admin pages are not loading old scripts.

grep -nE "script src=.*(legacy-admin|old-control-room)" \ /var/www/vivas.vote/html/admin-dashboard.html \ /var/www/vivas.vote/html/admin-review.html \ /var/www/vivas.vote/html/admin-users.html \ /var/www/vivas.vote/html/admin-security.html \ /var/www/vivas.vote/html/fraud-monitoring.html