Phase 13 — Security & Compliance
RBAC, audit trails, security HTTP headers, GDPR data export, and an audit log viewer — giving business owners visibility and control over their account security.
What It Does
Phase 13 adds enterprise-grade security controls. Role-based access ensures only the account owner can access billing and security settings. Every sensitive action (login, data export, settings change) is recorded in an audit log. GDPR compliance is supported via CSV data exports. Security headers protect against common web vulnerabilities.
Key Routes
| URL | Auth Required | Description |
|---|---|---|
| GET /settings/security | Owner only | Security tab — audit log, status panel, purge controls |
| GET /settings/security/export/customers | Owner only | GDPR: export all customers as CSV |
| GET /settings/security/export/appointments | Owner only | GDPR: export all appointments as CSV |
| GET /settings/security/export/calls | Owner only | GDPR: export all call logs as CSV |
| POST /settings/security/purge-logs | Owner only | Purge audit logs older than the selected number of days (90/180/365) |
Key Files
| Type | Path |
|---|---|
| Service | app/Services/AuditService.php — AuditService::log() |
| Middleware | app/Http/Middleware/OwnerOnly.php |
| Middleware | app/Http/Middleware/SecurityHeaders.php — applied globally |
| Model | app/Models/AuditLog.php |
| Table | audit_logs — tenant_id, user_id, event_type, description, ip_address, user_agent, created_at |
| View | resources/views/settings/security.blade.php |
Role-Based Access Control
| Role | Access Level | Restrictions |
|---|---|---|
| owner | Full access to all tenant features | None — can access billing, security, branding, all settings |
| admin | Most features — no billing/security | Cannot access billing, GDPR export, audit logs, or purge functions |
| staff | Operational only | Can only see appointments, customers, call logs — no settings access |
The OwnerOnly middleware checks auth()->user()->role === 'owner'. It is applied to:
- /billing/* — all billing routes
- /settings/security/* — security and GDPR
- /settings/branding — branding customisation
Audit Events Logged
| Event Type | When Triggered |
|---|---|
| login | Successful login |
| logout | User logs out |
| settings_changed | Any settings form saved |
| password_changed | Password update |
| data_exported | Any GDPR CSV export triggered |
| logs_purged | Audit log purge executed |
| api_key_created | New API key generated |
| api_key_revoked | API key revoked or deleted |
Security HTTP Headers
The SecurityHeaders middleware is applied globally and adds these headers to every response:
| Header | Value | Purpose |
|---|---|---|
| X-Content-Type-Options | nosniff | Prevents MIME-type sniffing |
| X-Frame-Options | SAMEORIGIN | Prevents clickjacking |
| X-XSS-Protection | 1; mode=block | Browser XSS filter |
| Referrer-Policy | strict-origin-when-cross-origin | Controls referrer header |
| Permissions-Policy | Restricts camera, microphone, geolocation | Limits browser API access |
| Strict-Transport-Security | max-age=31536000 (HTTPS only) | Forces HTTPS connections |
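As an added example (not the project's own SecurityHeaders.php), this is how a Laravel middleware would set the headers in the table above while sending Strict-Transport-Security only on responses to HTTPS requests. The class name and namespace follow the Key Files path; the exact Permissions-Policy directive string is an assumption, since the page only names the features it restricts.

```php
<?php

namespace App\Http\Middleware;

use Closure;
use Illuminate\Http\Request;
use Symfony\Component\HttpFoundation\Response;

// Added example of a globally registered security-headers middleware.
class SecurityHeaders
{
    /** Headers that are safe to send on every response, HTTP or HTTPS. */
    private const STATIC_HEADERS = [
        'X-Content-Type-Options' => 'nosniff',
        'X-Frame-Options'        => 'SAMEORIGIN',
        // Legacy filter toggle: current Chromium and Firefox ignore this header,
        // so it adds nothing beyond what a Content-Security-Policy would provide.
        'X-XSS-Protection'       => '1; mode=block',
        'Referrer-Policy'        => 'strict-origin-when-cross-origin',
        // Assumed directive string: the page says only that camera, microphone
        // and geolocation are restricted; an empty allowlist "()" denies each
        // feature to every origin, including the page itself.
        'Permissions-Policy'     => 'camera=(), microphone=(), geolocation=()',
    ];

    public function handle(Request $request, Closure $next): Response
    {
        $response = $next($request);

        foreach (self::STATIC_HEADERS as $name => $value) {
            $response->headers->set($name, $value);
        }

        // HSTS is only honoured by browsers when received over HTTPS, and
        // enabling it before TLS works on every hostname would lock users out
        // for max-age seconds, so gate it on the request actually being secure.
        if ($request->secure()) {
            $response->headers->set('Strict-Transport-Security', 'max-age=31536000');
        }

        return $response;
    }
}
```

Behind a TLS-terminating proxy, $request->secure() is only true when the app trusts that proxy's X-Forwarded-Proto header (Laravel's TrustProxies middleware), otherwise HSTS is silently never sent.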
Security Status Panel
The Settings → Security tab shows a status panel with:
- Password age indicator (days since last password change)
- Last login time and IP address
- Security headers status (✅ active)
- Audit logging status (✅ active)
- Data export checklist
What's Complete
- OwnerOnly middleware protecting billing and security routes
- isOwner() / isAdmin() helpers on User model
- Audit log table with AuditService::log() called on all key events
- Security HTTP headers middleware applied globally
- GDPR CSV exports for Customers, Appointments, Call Logs
- Audit log viewer (last 50 events, colour-coded by type, with IP + timestamps)
- Audit log purge (owner-only, 90/180/365 day options)
- Security status panel
What's Deferred
- Two-factor authentication (2FA)
- Call recording consent banners (needs Twilio/Vobiz IVR changes)
- Granular per-user permissions (beyond owner/staff split)
- Data encryption at rest (server/DB config — infrastructure level)
- Backup systems + disaster recovery
- Fraud/spam call detection
- Anomaly/abuse alerts