> ## Documentation Index
> Fetch the complete documentation index at: https://docs.pyqdeck.in/llms.txt
> Use this file to discover all available pages before exploring further.

# Security

> Security measures and best practices in the PyqDeck ecosystem

## Infrastructure Security

### HTTP Headers (Helmet)

The backend uses the **Helmet** middleware to set security-related HTTP response headers (for example `Content-Security-Policy`, `X-Frame-Options`, `X-Content-Type-Options: nosniff` and `Strict-Transport-Security`) that reduce the impact of Cross-Site Scripting (XSS), Clickjacking, and MIME-type sniffing. These headers are defence in depth, not a substitute for output encoding and input validation, and the Content-Security-Policy in particular should be reviewed so that it is neither loosened with `unsafe-inline` nor blocking resources the frontend legitimately needs.

### Cross-Origin Resource Sharing (CORS)

CORS is strictly configured to allow browser requests only from authorized frontend origins (`pyqdeck.in` and its subdomains). When subdomains are allowed, the check must compare the parsed hostname of the `Origin` header rather than test for a substring, otherwise a look-alike domain such as `evilpyqdeck.in` would pass. Note that CORS only controls what a browser is permitted to read cross-origin; it is not an authentication control, and non-browser clients are governed by authentication and rate limiting instead.
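The origin check described above, as an added example that is not PyqDeck's own code. It parses the `Origin` header as a URL and compares the hostname, and keeps a naive substring version beside it for contrast. The apex domain comes from this page; the function names, the `https`-only rule and the `(err, allow)` callback shape (the one the common `cors` package expects for its `origin` option) are assumptions.

```javascript
// Added example, not PyqDeck's code. Allowed apex domain taken from the page;
// helper names and the https-only rule are assumptions.
const ALLOWED_APEX = "pyqdeck.in";

// Returns true only for https origins whose host is exactly the apex or a
// subdomain of it. Parsing the Origin as a URL avoids the classic substring
// bug where `origin.endsWith("pyqdeck.in")` also accepts `evilpyqdeck.in`.
function isAllowedOrigin(origin, apex = ALLOWED_APEX) {
  if (typeof origin !== "string" || origin === "") return false;
  let url;
  try {
    url = new URL(origin);
  } catch {
    return false;                               // e.g. the literal "null" origin
  }
  if (url.protocol !== "https:") return false;  // no plaintext origins
  const host = url.hostname;                    // already lower-cased by URL
  return host === apex || host.endsWith("." + apex);
}

// Naive version kept only for contrast: a substring test accepts
// attacker-registered look-alikes such as https://evilpyqdeck.in.
function isAllowedOriginNaive(origin) {
  return typeof origin === "string" && origin.endsWith("pyqdeck.in");
}

// Shape of the callback the `cors` package accepts for its `origin` option
// (assumed to be the middleware in use): called with the request's Origin
// header, reports (err, allow).
function corsOriginCallback(origin, cb) {
  cb(null, isAllowedOrigin(origin));
}
```

Requests with no `Origin` header (same-origin navigations, curl) are reported as not allowed, which simply means no CORS headers are emitted for them; they are still served, just without cross-origin read permission.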

### Rate Limiting

To limit brute-force attempts and blunt Denial of Service (DoS) attacks, rate limiting is applied at two levels:

1. **Global Rate Limit**: Applied to all standard API endpoints.
2. **Specific Rate Limit**: Stricter limits on sensitive endpoints such as login (Clerk) and webhooks, where each request is comparatively expensive or an attacker gains from volume.

Rate limiting is a mitigation rather than a guarantee: a distributed attack spreads across many client keys, and a limiter keyed on client IP is only as good as the handling of proxy-forwarded addresses in front of it.
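The two-level scheme above, as an added example that is not PyqDeck's own code: a fixed-window counter is instantiated twice, once with a generous global budget keyed on client address and once with a strict budget keyed on address plus route for sensitive paths. The limits, window length, route prefixes and the injectable clock are assumptions made for illustration.

```javascript
// Added example, not PyqDeck's code. Limits, window and route prefixes are
// illustrative assumptions.
class FixedWindowLimiter {
  constructor({ limit, windowMs, now = () => Date.now() }) {
    this.limit = limit;
    this.windowMs = windowMs;
    this.now = now;                 // injectable clock for deterministic tests
    this.buckets = new Map();       // key -> { windowStart, count }
  }

  // Consume one unit for `key`. Returns whether the request may proceed,
  // how much budget is left, and how long a rejected client should wait.
  hit(key) {
    const t = this.now();
    let b = this.buckets.get(key);
    if (!b || t - b.windowStart >= this.windowMs) {
      b = { windowStart: t, count: 0 };         // start a fresh window
      this.buckets.set(key, b);
    }
    if (b.count >= this.limit) {
      return { allowed: false, remaining: 0, retryAfterMs: b.windowStart + this.windowMs - t };
    }
    b.count += 1;
    return { allowed: true, remaining: this.limit - b.count, retryAfterMs: 0 };
  }
}

// Assumed sensitive route prefixes (login handled via Clerk, inbound webhooks).
const SENSITIVE_PREFIXES = ["/api/auth/", "/api/webhooks/"];

// Builds a decision function: global budget first (every route), then the
// stricter per-route budget for sensitive paths. Mirrors the order in which
// the two middlewares would be mounted.
function makeTwoTierLimiter(now) {
  const global = new FixedWindowLimiter({ limit: 100, windowMs: 60_000, now });
  const sensitive = new FixedWindowLimiter({ limit: 5, windowMs: 60_000, now });

  return function check(clientIp, path) {
    const g = global.hit(clientIp);
    if (!g.allowed) return { status: 429, tier: "global", retryAfterMs: g.retryAfterMs };

    if (SENSITIVE_PREFIXES.some((p) => path.startsWith(p))) {
      const s = sensitive.hit(`${clientIp}:${path}`);
      if (!s.allowed) return { status: 429, tier: "sensitive", retryAfterMs: s.retryAfterMs };
    }
    return { status: 200, tier: null, retryAfterMs: 0 };
  };
}
```

The in-memory `Map` is per process; with several backend instances the counters must live in a shared store or each instance independently grants the full budget. The `clientIp` key should be the address the reverse proxy reports for the real client, not the proxy's own address, or every user shares one bucket.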

## Data Security

### Authentication

Authentication is handled by **Clerk**, which provides session management, password hashing, and Multi-Factor Authentication (MFA), so the backend does not store or verify passwords itself.

### Authorization (RBAC)

Strict Role-Based Access Control ensures that only users holding the `admin` or `editor` role can reach sensitive management endpoints; every other role, and every unauthenticated request, is denied.

### Input Sanitization

* **NoSQL Injection**: User-supplied strings used in MongoDB `$regex` queries are passed through the `escapeRegExp` utility first. Without escaping, a caller can supply regex metacharacters that widen the match (`.*` matches every document) or trigger catastrophic backtracking (ReDoS) with a pattern such as `(a+)+$`; escaping makes the input match literally.
* **Validation**: Zod schemas enforce strict data types and lengths for all incoming data. Because a `z.string()` field rejects objects, operator-injection payloads such as `{ "$gt": "" }` never reach a query, and length limits bound the cost of any pattern built from the input.
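The escaping and type-checking described above, as an added example that is not PyqDeck's own code. `escapeRegExp` is the standard metacharacter-escaping helper (the same technique the page names, though this body is not taken from the project); `buildPrefixFilter` and the unsafe variant beside it are assumed helper names, and the type and length guard stands in for what a Zod schema would do upstream.

```javascript
// Added example, not PyqDeck's code. Helper names are assumptions; the
// escaping technique is the standard one for JS-style patterns.

// Escape every character with meaning in a JS/PCRE-style pattern so the
// input is matched literally.
function escapeRegExp(s) {
  return s.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
}

// Builds a case-insensitive "starts with" filter for `field`.
// Throws unless `input` is a plain string of bounded length: the type check
// blocks operator injection ({ "$gt": "" }), the length check bounds how
// long a pattern the database has to evaluate.
function buildPrefixFilter(field, input, maxLen = 100) {
  if (typeof input !== "string") throw new TypeError(`${field} must be a string`);
  if (input.length === 0 || input.length > maxLen) throw new RangeError(`${field} length out of range`);
  return { [field]: { $regex: "^" + escapeRegExp(input), $options: "i" } };
}

// Unsafe variant kept for contrast: interpolates the raw input, so ".*"
// matches every document and "(a+)+$" can stall the matcher.
function buildPrefixFilterUnsafe(field, input) {
  return { [field]: { $regex: "^" + input, $options: "i" } };
}

// Local reproduction of what the database would do with the safe pattern,
// so the escaping can be checked without a MongoDB instance.
function matchesPrefix(value, input) {
  return new RegExp("^" + escapeRegExp(input), "i").test(value);
}

// Constructed sample documents (not real data) used to compare the two filters.
const SAMPLE_SUBJECTS = ["Computer (Hons) Networks", "Computer Hons", "Everything Else"];

// Counts how many sample documents each filter would match for `input`.
function compareFilters(input) {
  const safe = new RegExp(buildPrefixFilter("name", input).name.$regex, "i");
  const unsafe = new RegExp(buildPrefixFilterUnsafe("name", input).name.$regex, "i");
  return {
    safe: SAMPLE_SUBJECTS.filter((s) => safe.test(s)).length,
    unsafe: SAMPLE_SUBJECTS.filter((s) => unsafe.test(s)).length,
  };
}
```

Escaping is also a correctness fix, not only a security one: a search for `Computer (Hons)` matches that literal title once escaped, whereas the unescaped pattern treats the parentheses as a group and matches `Computer Hons` instead.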

## Code & Dependency Security

* **CodeQL**: Automated static analysis on every PR to find potential security vulnerabilities in our custom logic.
* **pnpm audit**: Regular scanning of the dependency tree for known vulnerabilities.
* **Dependabot**: Keeps our packages up-to-date automatically.

## Content Freeze Mechanism

PyqDeck includes a "Content Freeze" mechanism managed via the `PlatformConfig` model and `checkContentFreeze` middleware.

* **Purpose**: When enabled (e.g., during major migrations or maintenance), all "write" operations (POST, PATCH, DELETE) are blocked for non-admin users.
* **Scope**: Applied to resources like Universities, Subjects, and Papers.
* **Override**: Admins can still make changes even during a freeze.
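The role gate from the Authorization section and the content-freeze gate described here, as an added example that is not PyqDeck's own code. Both are written as Express-style `(req, res, next)` middlewares and run offline against constructed request objects. The `req.auth.role` field, the `PlatformConfig` stand-in, the `503` status chosen for a frozen write, and the route chain are all assumptions about how the app wires these pieces together.

```javascript
// Added example, not PyqDeck's code. req.auth.role, the config stand-in and
// the 503 status are assumptions.
const WRITE_METHODS = new Set(["POST", "PATCH", "DELETE"]);

// Assumed stand-in for the PlatformConfig document.
const platformConfig = { contentFreeze: false };

// requireRole: explicit allow-list on the caller's role. Unauthenticated
// requests get 401, authenticated callers outside the list get 403, so a
// newly introduced role is denied until it is added here.
function requireRole(...roles) {
  const allowed = new Set(roles);
  return function (req, res, next) {
    const role = req.auth && req.auth.role;
    if (!role) return res.status(401).json({ error: "unauthenticated" });
    if (!allowed.has(role)) return res.status(403).json({ error: "forbidden" });
    next();
  };
}

// checkContentFreeze: while the freeze flag is set, block write methods for
// everyone except admin. Reads and non-write methods are never affected.
function checkContentFreeze(getConfig = () => platformConfig) {
  return function (req, res, next) {
    if (!WRITE_METHODS.has(req.method)) return next();
    if (!getConfig().contentFreeze) return next();
    const role = req.auth && req.auth.role;
    if (role === "admin") return next();                    // admin override
    return res.status(503).json({ error: "content freeze in effect" });
  };
}

// Minimal stand-ins for Express req/res so the chain runs without Express.
function runChain(middlewares, req) {
  const res = {
    statusCode: 200,
    body: undefined,
    status(code) { this.statusCode = code; return this; },
    json(body) { this.body = body; return this; },
  };
  let reachedHandler = false;
  let i = 0;
  const next = () => {
    if (i < middlewares.length) middlewares[i++](req, res, next);
    else reachedHandler = true;                               // route handler would run here
  };
  next();
  return { status: res.statusCode, reachedHandler, body: res.body };
}

// The chain a management route such as PATCH /subjects/:id would mount:
// role check first, then the freeze check.
function subjectWriteChain(getConfig) {
  return [requireRole("admin", "editor"), checkContentFreeze(getConfig)];
}
```

Keeping the freeze check after the role check means an anonymous caller learns nothing about maintenance state; keeping the admin override inside `checkContentFreeze` rather than in the route keeps the exception in one place, which is what makes it auditable.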
