Security Monitoring
MealPal includes a security monitoring system that detects suspicious activity, tracks threats, and provides forensic logging.
Architecture
Every request passes through SecurityLoggerMiddleware which:
- Extracts client IP (X-Forwarded-For aware)
- Captures request details (method, path, query, headers)
- Analyzes for suspicious patterns
- Logs to `/app/logs/security.log`
Threat Detection
| Flag | Severity | Description |
|---|---|---|
| [OK] | None | Normal request |
| [SUS_PATH] | Medium | Known attack path (wp-admin, phpmyadmin, .env) |
| [SUS_KEYWORD] | High | SQL injection or XSS attempt |
| [PATH_TRAVERSAL] | High | Directory traversal attempt |
| [SCANNER] | Medium | Known security scanner User-Agent |
| [CISCO_PROBE] | Medium | Cisco VPN exploit attempt |
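A request classifier and log-line writer in the spirit of the middleware steps and flag table above, as an added example (not MealPal's own code): the signature lists, the trusted-proxy address, lowercase header keys and the JSON log format are assumptions. CISCO_PROBE is left out because the page gives no signature for it.

```python
"""Illustrative request classifier modelled on the flag table (added example,
not MealPal's security_logger.py; all signatures below are assumptions)."""
import json
from datetime import datetime, timezone
from urllib.parse import unquote

# Assumed signature lists; the project's real lists are not given on the page.
SUS_PATHS = ("/wp-admin", "/phpmyadmin", "/.env")
SUS_KEYWORDS = ("union select", "<script", "' or 1=1", "onerror=")
SCANNER_UAS = ("sqlmap", "nikto", "nmap", "masscan")
SEVERITY = {"OK": "None", "SUS_PATH": "Medium", "SCANNER": "Medium",
            "SUS_KEYWORD": "High", "PATH_TRAVERSAL": "High"}
TRUSTED_PROXIES = {"10.0.0.1"}  # assumption: the reverse proxy in front of the app


def client_ip(peer_ip: str, headers: dict) -> str:
    """X-Forwarded-For is client-supplied unless a proxy we trust set it, so only
    honour it when the TCP peer is that proxy; the first hop is the real client."""
    xff = headers.get("x-forwarded-for", "")  # header keys assumed lowercased
    if peer_ip in TRUSTED_PROXIES and xff:
        return xff.split(",")[0].strip()
    return peer_ip


def classify(method: str, path: str, query: str, headers: dict) -> str:
    """Return the single highest-severity flag: High beats Medium beats OK."""
    # Decode twice so double-encoded sequences do not slip past the checks.
    decoded = unquote(unquote(f"{path}?{query}")).lower()
    flags = []
    if "../" in decoded or "..\\" in decoded:
        flags.append("PATH_TRAVERSAL")
    if any(k in decoded for k in SUS_KEYWORDS):
        flags.append("SUS_KEYWORD")
    if decoded.split("?")[0].startswith(SUS_PATHS):  # startswith accepts a tuple
        flags.append("SUS_PATH")
    ua = headers.get("user-agent", "").lower()
    if any(s in ua for s in SCANNER_UAS):
        flags.append("SCANNER")
    if not flags:
        return "OK"
    rank = {"High": 0, "Medium": 1}  # stable sort keeps same-severity order deterministic
    return sorted(flags, key=lambda f: rank[SEVERITY[f]])[0]


def log_line(peer_ip: str, method: str, path: str, query: str, headers: dict) -> str:
    """One JSON line as it might be appended to security.log (format assumed)."""
    flag = classify(method, path, query, headers)
    return json.dumps({"ts": datetime.now(timezone.utc).isoformat(),
                       "ip": client_ip(peer_ip, headers), "method": method,
                       "path": path, "query": query, "flag": flag,
                       "severity": SEVERITY[flag]})
```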
Security Dashboard
Admin-only UI at `/admin/security` with:
- Threat level indicator (Clear/Low/Medium/High)
- Suspicious IP list
- Top IPs by volume
- Searchable request log viewer
- Auto-refresh every 30 seconds
Log Persistence
- Docker volume — survives container restarts
- S3 backup — automatic hourly backups with manual trigger via API/Dashboard
- Path: `s3://bucket/security-logs/YYYY/MM/DD/security-HHMMSS.log`
Key Files
| File | Purpose |
|---|---|
| backend/app/middleware/security_logger.py | Core logging middleware |
| backend/app/services/security_log_backup.py | S3 backup service |
| backend/app/api/v1/monitoring.py | Security API endpoints |
| frontend/src/pages/admin/SecurityDashboard.tsx | Admin UI |