BenchmarksStack Ranking
H33-128H33-CKKSH33-256H33-BFV32H33-FHE-IQFHE OverviewZK LookupsBiometricsH33-3-KeyH33-MPCPQC ArchitecturePQ VideoStorage EncryptionAI DetectionEncrypted Search
APIsPricingTokenDocsWhite PaperBlogAboutSecurity Demo
Log InGet API Key
Home/Compliance/Secure Coding Standards
ISO 27001

Secure Coding Standards

ISO 27001 Control A.8.28 — Effective: March 8, 2026

Document ID: H33-SCS-001

Classification: Internal / All Developers

Owner: Eric Beans, CEO / CISO

Approved: March 8, 2026

Next Review: September 2026 (semi-annual)

1. Purpose

This document establishes secure coding standards for all H33 software development, in accordance with ISO 27001:2022 control A.8.28 (Secure coding). These standards are designed to prevent the introduction of security vulnerabilities during development, with specific requirements tailored to H33's cryptographic Rust codebase, Node.js microservices, and frontend JavaScript.

All developers, contractors, and contributors writing code for H33 systems must adhere to these standards.

2. Scope

These standards apply to all H33 source code:

  • Rust FHE/PQ Engine: BFV/CKKS FHE, ZKP STARK lookups, Dilithium/Kyber/SPHINCS+ implementations, NTT operations, biometric authentication
  • Node.js Auth1 Microservice: Multi-tenant authentication, session management, billing, OTP delivery
  • Frontend JavaScript: h33.ai web properties, developer portal, dashboard interfaces

3. Language-Specific Standards

Rust FHE / PQ Cryptographic Engine

Memory Safety

  • No unsafe blocks without documented justification, security review, and approval by the Security Officer
  • All approved unsafe blocks must be annotated with // SAFETY: comments explaining the invariants that make the code safe
  • Key material must be zeroed on drop using the zeroize crate (implement Zeroize and ZeroizeOnDrop traits)
  • No use of std::mem::transmute for type conversions in cryptographic code; use safe alternatives

Constant-Time Operations

  • All cryptographic operations must be constant-time: no data-dependent branches, no data-dependent memory access patterns, no data-dependent loop counts
  • Use constant-time comparison functions for secret data (e.g., subtle::ConstantTimeEq)
  • Avoid early returns in functions processing secret data
  • NTT butterfly operations must use arithmetic (not conditional) reduction

FHE Parameter Validation

  • Reject parameter downgrade attacks: minimum polynomial degree N=4096, minimum ciphertext modulus Q of 56 bits
  • Validate plaintext modulus t satisfies CRT condition: t must be congruent to 1 (mod 2N)
  • Enforce domain conventions: secret keys in NTT form, ciphertexts in coefficient form (except multiply_plain_ntt() output which is NTT form)
  • Montgomery form arithmetic required for all hot-path NTT operations

Logging and Error Handling

  • No plaintext PHI, biometric templates, cryptographic key material, or secret parameters in logs, error messages, or debug output
  • Use structured error types; avoid .unwrap() in production code paths (use ? operator or explicit error handling)
  • Panic handlers must not leak sensitive state

Dependencies

  • Dependencies audited weekly via cargo audit
  • No new cryptographic dependencies without Security Officer review (H33 uses proprietary implementations)
  • All dependencies pinned to exact versions in Cargo.lock

Node.js Auth1 Microservice

Input Validation

  • All API endpoints must validate input using express-validator or equivalent middleware
  • Reject unexpected fields (allowlist approach, not denylist)
  • Validate and sanitize email addresses, phone numbers, and all user-provided strings
  • Enforce maximum request body sizes

Database Security

  • Parameterized SQL queries only — no string concatenation or template literals for query construction
  • Use query builder or ORM with parameterized queries
  • Database connection strings stored in environment variables, never in source code
  • Connection pooling with defined limits to prevent resource exhaustion

Authentication and Sessions

  • Rate limiting on all public endpoints (especially /api/auth/request, /api/auth/verify)
  • Auth cookies must use httpOnly, Secure, and SameSite=Strict flags
  • Session tokens must be cryptographically random (minimum 128 bits of entropy)
  • No sensitive data in localStorage — use httpOnly cookies exclusively for authentication state

Secret Management

  • No secrets (API keys, tokens, passwords, connection strings) committed to source code or logged
  • Environment variables for runtime configuration; AWS Secrets Manager for production credentials
  • Dependencies audited via npm audit before each release

JavaScript Frontend

XSS Prevention

  • Use textContent for DOM manipulation with user data — never innerHTML with untrusted content
  • No eval(), Function() constructors, or setTimeout/setInterval with string arguments
  • Content Security Policy (CSP) headers enforced: script-src restricted to same-origin and trusted CDNs

Data Handling

  • No sensitive data in localStorage or sessionStorage — authentication tokens stored in httpOnly cookies only
  • No PII or PHI cached on the client side beyond the current session
  • Form data cleared from memory after submission

Third-Party Scripts

  • Third-party scripts loaded with integrity attributes (Subresource Integrity / SRI) where available
  • Third-party scripts reviewed for security before inclusion
  • No inline scripts in HTML; all JavaScript in external files

4. Code Review Requirements

  • All changes require a pull/merge request with at least 1 reviewer before merging to the main branch
  • Cryptographic changes (any modification to src/fhe/, src/pqc/, src/zkp/, or src/biometric_auth/) require review and approval by the Security Officer
  • No force-push to main/master branches; branch protection rules enforced on GitLab
  • CI pipeline must pass before merge: compilation, tests, linting, and security checks
  • Commit signing recommended for all contributors; required for production releases

5. Dependency Management

Activity Frequency Tool Responsible
Rust vulnerability scanning Weekly (CI + manual) cargo audit Lead Developer
Node.js vulnerability scanning Weekly (CI + manual) npm audit Lead Developer
Dependency version review Monthly Manual review Security Officer
Critical CVE patching Within 48 hours of disclosure Manual patch + deploy Lead Developer + Security Officer
License compliance check Quarterly cargo license, manual Security Officer

Additional dependency rules:

  • All dependencies pinned to specific versions (Cargo.lock and package-lock.json committed to repository)
  • No dependencies with known CVEs permitted in production builds
  • New dependencies require justification and security review before adoption
  • Transitive dependency trees reviewed for supply chain risks

6. Secret Management

  • Production credentials: Stored in AWS Secrets Manager with IAM-based access control
  • Runtime configuration: Passed via environment variables (Elastic Beanstalk environment properties)
  • Version control: .env, .env.*, credentials.json, *.pem, and *.key files are in .gitignore; pre-commit hooks scan for accidental secret commits
  • Key rotation schedule:
    • API keys: Quarterly (90-day maximum lifetime)
    • Dilithium signing keys: Annually
    • AWS access keys: 90-day rotation
    • Database passwords: 90-day rotation via Secrets Manager
  • Emergency revocation: All keys and credentials can be revoked within 15 minutes via documented runbook

7. Testing Requirements

Test Category Scope Requirement
Unit tests All cryptographic operations (BFV, CKKS, NTT, Dilithium, Kyber) Required; must pass before merge
Integration tests Authentication flows, API endpoints, database operations Required; must pass before merge
Criterion benchmarks FHE operations, NTT transforms, batch authentication Run on PRs with performance-sensitive changes; regression > 5% blocks merge
NIST test vectors Dilithium, Kyber, SPHINCS+ implementations Required; validated against official NIST KAT vectors
Fuzzing Input parsing, parameter validation, deserialization Recommended for new parsers; cargo-fuzz available
Security scanning Full codebase cargo audit + npm audit in CI pipeline

8. OWASP Top 10 Compliance

The following table maps the OWASP Top 10 (2021) application security risks to H33's specific controls:

OWASP Risk H33 Controls
A01: Broken Access Control IAM least privilege, API key scoping, rate limiting, httpOnly auth cookies, server-side authorization checks on all endpoints
A02: Cryptographic Failures Proprietary post-quantum cryptography (FHE, Dilithium, Kyber), TLS 1.2+ enforced, encryption at rest (AES-256), key material zeroed on drop, no weak cipher suites
A03: Injection Parameterized SQL queries only, input validation on all endpoints, Rust type system prevents buffer overflows, no eval() in JavaScript
A04: Insecure Design Security review for all cryptographic changes, threat modeling for new features, FHE processing eliminates plaintext exposure by design
A05: Security Misconfiguration Drata continuous monitoring, AWS Config rules, Security Groups with least privilege, no default credentials, hardened EB configuration
A06: Vulnerable Components Weekly cargo audit and npm audit, pinned dependency versions, 48-hour critical CVE patching SLA, minimal dependency footprint
A07: Auth Failures MFA required for AWS console, rate limiting on auth endpoints, session timeout, httpOnly/Secure/SameSite cookies, OTP with anti-replay
A08: Software/Data Integrity File integrity monitoring (SHA-256), Dilithium-signed attestations, Git branch protection, CI pipeline required before deploy, signed releases
A09: Logging Failures Structured JSON logging, CloudTrail for all API calls, CloudWatch metrics and alarms, Drata evidence collection, 7-year audit trail retention
A10: SSRF No user-controlled URL fetching in production services, VPC private subnets with restricted outbound, allowlisted external endpoints only

9. Review

These Secure Coding Standards are reviewed semi-annually (every 6 months) by the CEO/CISO and Lead Developer, or more frequently following a security incident, significant codebase change, or new vulnerability disclosure.

Version Date Author Change Description
1.0 March 8, 2026 Eric Beans Initial secure coding standards

Next scheduled review: September 2026

Questions about these standards?

Contact our Security team at security@h33.ai