Security - GovReady/GovReady-CMS-API GitHub Wiki

Overview

This is a working document that contains an overview of the data collected by the GovReady WordPress plugin and Drupal module, and the security protocols in place to keep this data secure.

What information is being collected

After initializing your site, The GovReady WordPress plugin or Drupal module will contact the GovReady API a begin sending it information. This information includes:

  • Plugins and plugin versions installed on the website
  • Information about the server software and versions
  • List of usernames and associated emails (no passwords)

After the plugin is installed, the GovReady API will occasionally ping your website to request updated information. After it is pinged, the GovReady WordPress plugin or Drupal module will send the information directly to the GovReady API. Information is not available from your website via an API, it can only be posted directly to the GovReady API server. (See attached server architecture diagram below).

Personally identifiable information collected includes:

  • Account usernames
  • Account email addresses Account passwords are never sent to the GovReady API server.

Other sensitive information collected includes:

  • Plugins and plugin versions installed on the website
  • Information about the server software and versions

How is this information kept secure

GovReady WordPress plugin and Drupal module ("agent") have data architecture whereby data is only posted from the agent to the GovReady API. The API can never request data directly, although it polls the agents regularly to request that the POST the latest plugin and account information to the API. See the system architecture diagram below. All requests must be signed with a token that expires after 60 minutes.

Overview of security safeguards:

  • All data is sent to the GovReady API via HTTPS
  • All data stored on the GovReady server is encrypted (salted and hashed)
  • All requests must be signed with a token that expires after 60 minutes. The Auth0 API is used for all user accounts and keys.

Overview of system architecture: GovReady API system architecture