Controls at every application boundary — authentication, sessions, validation, authorization, output rendering, webhooks, and traceability.
The customer portal supports email-and-password authentication with JSON Web Tokens stored in secure HTTP-only cookies. This limits direct JavaScript access to session tokens and reduces exposure to common token theft through cross-site scripting.
Enterprise SSO can connect to approved identity providers through SAML or OAuth-based flows.
Rumbe separates customer, agent, tenant-admin, and platform-admin capabilities. Protected routes and server operations verify both the role and the active organization.
Least privilege should be applied to knowledge management, exports, provider keys, billing, user administration, and audit logs.
Zod or equivalent schemas can validate API inputs before business logic runs. This reduces malformed data, type confusion, and unexpected payload structures.
Validation should be combined with authorization, parameterized database access, size limits, file validation, rate limiting, and safe error handling.
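An added example, not Rumbe's code, of the ordering the last four paragraphs describe: the request body is checked for shape first, then the caller's role and active organization are checked against the resource, and only then does business logic run. Zod is not bundled here, so `parseTicketUpdate` is a hand-written stand-in for a `z.object(...).safeParse(body)` call; the roles, capabilities, ticket store and response codes are constructed assumptions.

```javascript
// Added example (not Rumbe's code): validate structure, then authorize, then act.

// Stand-in for a Zod schema. Unknown fields, wrong types and out-of-range
// values are rejected before any business logic sees the body.
function parseTicketUpdate(body) {
  if (typeof body !== "object" || body === null || Array.isArray(body)) {
    return { ok: false, errors: ["body must be an object"] };
  }
  const errors = [];
  const allowedKeys = new Set(["ticketId", "status"]);
  for (const k of Object.keys(body)) {
    if (!allowedKeys.has(k)) errors.push(`unexpected field: ${k}`);
  }
  if (typeof body.ticketId !== "string" || !/^[a-z0-9-]{1,64}$/.test(body.ticketId)) {
    errors.push("ticketId must be a short id string");
  }
  if (!["open", "pending", "closed"].includes(body.status)) {
    errors.push("status must be one of open, pending, closed");
  }
  if (errors.length) return { ok: false, errors };
  // Rebuild the value explicitly rather than spreading the raw body.
  return { ok: true, value: { ticketId: body.ticketId, status: body.status } };
}

// Assumed capability model for the four roles the page names.
const CAPABILITIES = {
  customer: new Set(["ticket:read"]),
  agent: new Set(["ticket:read", "ticket:update"]),
  tenant_admin: new Set(["ticket:read", "ticket:update", "user:admin", "export"]),
  platform_admin: new Set(["ticket:read", "ticket:update", "user:admin", "export", "billing"]),
};

// Authorization is a separate decision from validation: does this role hold
// the capability, and does the resource belong to the caller's active org?
function authorize(session, action, resourceOrgId) {
  const caps = CAPABILITIES[session.role] || new Set();
  if (!caps.has(action)) return { ok: false, reason: "forbidden" };
  if (resourceOrgId !== session.activeOrgId) return { ok: false, reason: "cross_tenant" };
  return { ok: true };
}

// Constructed in-memory store: ticket id -> owning organization and status.
const TICKETS = new Map([
  ["t-100", { orgId: "org-a", status: "open" }],
  ["t-200", { orgId: "org-b", status: "open" }],
]);

function handleTicketUpdate(session, rawBody) {
  const parsed = parseTicketUpdate(rawBody);
  if (!parsed.ok) return { status: 400, errors: parsed.errors };
  const ticket = TICKETS.get(parsed.value.ticketId);
  if (!ticket) return { status: 404 };
  const authz = authorize(session, "ticket:update", ticket.orgId);
  // A ticket in another tenant is reported exactly like a missing one, so
  // well-formed ids cannot be used to enumerate other organizations' data.
  if (!authz.ok) return { status: authz.reason === "cross_tenant" ? 404 : 403 };
  ticket.status = parsed.value.status;
  return { status: 200, ticket: { id: parsed.value.ticketId, status: ticket.status } };
}

module.exports = { parseTicketUpdate, authorize, handleTicketUpdate, TICKETS };
```

The second and third calls in a typical run carry bodies that pass validation and are still refused, which is the practical meaning of "validation is not authorization": a schema says the request is well-formed, not that this caller may perform it on that tenant's record.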
Rumbe renders Markdown and code blocks through a controlled parser rather than inserting raw model output directly into the page. The rendering layer should sanitize links and HTML to reduce injection risk.
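The following is an added example, not Rumbe's renderer, of what "controlled parser" means in practice for model output: every character that is not explicitly understood Markdown is HTML-escaped, fenced and inline code are emitted verbatim inside escaped `<code>` elements, and link targets are accepted only when their scheme is on an allow-list. It supports paragraphs, inline code, fenced code blocks and `[text](url)` links; the allowed schemes and link attributes are assumptions.

```javascript
// Added example (not Rumbe's code): a minimal Markdown renderer that never
// passes raw model output or raw HTML through to the page.

// Assumed allow-list: anything else (javascript:, data:, vbscript:, relative
// or unparseable targets) is rendered as plain text without a link.
const ALLOWED_SCHEMES = new Set(["http:", "https:", "mailto:"]);

function escapeHtml(s) {
  return s.replace(/[&<>"']/g, (c) => ({ "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" }[c]));
}

// WHATWG URL parsing normalises case and strips embedded tabs/newlines, so
// "JavaScript:" and "java\nscript:" both end up with protocol "javascript:".
function safeHref(raw) {
  let url;
  try { url = new URL(raw.trim()); } catch { return null; }
  return ALLOWED_SCHEMES.has(url.protocol) ? url.href : null;
}

// Inline pass: code spans and links are the only constructs recognised.
function renderInline(text) {
  const pattern = /`([^`]+)`|\[([^\]]+)\]\(([^)\s]+)\)/g;
  let out = "", last = 0, m;
  while ((m = pattern.exec(text)) !== null) {
    out += escapeHtml(text.slice(last, m.index));
    if (m[1] !== undefined) {
      out += `<code>${escapeHtml(m[1])}</code>`;
    } else {
      const href = safeHref(m[3]);
      const label = escapeHtml(m[2]);
      out += href
        ? `<a href="${escapeHtml(href)}" rel="noopener noreferrer" target="_blank">${label}</a>`
        : label;
    }
    last = m.index + m[0].length;
  }
  return out + escapeHtml(text.slice(last));
}

// Block pass: fenced code is escaped as a whole; other lines form paragraphs.
function renderMarkdown(md) {
  const html = [];
  let para = [], code = null;
  const emitCode = () => html.push(`<pre><code>${escapeHtml(code.join("\n"))}</code></pre>`);
  const flushPara = () => {
    if (para.length) { html.push(`<p>${renderInline(para.join(" "))}</p>`); para = []; }
  };
  for (const line of String(md).split("\n")) {
    if (line.startsWith("```")) {
      if (code === null) { flushPara(); code = []; } else { emitCode(); code = null; }
      continue;
    }
    if (code !== null) { code.push(line); continue; }
    if (line.trim() === "") flushPara(); else para.push(line);
  }
  if (code !== null) emitCode(); // unterminated fence: still escaped, never leaked raw
  flushPara();
  return html.join("\n");
}

module.exports = { escapeHtml, safeHref, renderInline, renderMarkdown };
```

The design choice worth noting is that the renderer has no "raw HTML" path at all: a model that is tricked by a prompt injection into emitting `<script>` or an `onerror` attribute produces visible escaped text, not executing markup, and a crafted `javascript:` link degrades to its label.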
Stripe and other inbound webhooks should be cryptographically verified before processing. Replay handling, idempotency, event logging, and least-privilege endpoint access are important for billing and provisioning integrity.
Chat transfers, ticket status changes, agent state, exports, and administrative changes can be recorded so investigators can reconstruct high-impact actions.
Application testing should cover authentication bypass, authorization boundaries, tenant manipulation, injection, file upload, session fixation, cross-site scripting, cross-site request forgery, rate abuse, webhook replay, and insecure direct object references.
The product guide describes secure HTTP-only cookies rather than browser-readable local storage.
No. Validation checks payload structure; authorization determines whether the user may perform the action.
Rumbe uses a controlled Markdown renderer intended to avoid unsafe raw HTML injection.
The documented design verifies Stripe webhook signatures before processing subscription changes.
Vovance Inc. can discuss Rumbe AI’s architecture, available controls, deployment assumptions, and contractual options for your use case.