HighFile-scopeJavaScript / TypeScript Plug & play

Structured audit log middleware with trace IDs

Attach a trace_id (e.g., from request header or generated UUID) and emit structured JSON logs for login, role change, and data export routes.

Why this matters

Traceable actions enable SOC 2 audits and forensic investigations.

Side-by-side examples engineers can pattern-match during review.

Avoid

console.log('user logged in')

Prefer

logger.info({ ts:new Date().toISOString(), action:'auth.login', user_id:req.user.id, trace_id:req.id })

Good

logger.info({ action:'role.change', trace_id })

Bad

console.log('role changed')

From the same buckets as this rule.

Critical
Encrypt sensitive data at rest with KMS and rotate keys
Use envelope encryption (AES-256-GCM) with cloud KMS-managed CMKs for databases, object storage, and backups. Rotate CMKs at least annually and rotate DEKs per object/file.
compliance-soc2-essentialssecrets-credentials+1
Critical
Enforce TLS 1.2+ and HSTS on all external endpoints
Public services must require TLSv1.2 or higher and set HSTS (max-age ≥ 15552000, includeSubDomains). Reject plaintext HTTP and weak ciphers; cookies must be Secure and HttpOnly with SameSite set.
compliance-soc2-essentialssecurity-hardening+1
Critical
Use a secrets manager and 90-day rotation policy
All credentials (API keys, DB passwords, tokens) must be stored in a secrets manager with automatic rotation ≤ 90 days; forbid hardcoded or .env-committed secrets via CI checks.
compliance-soc2-essentialssecrets-credentials+1