Core HR Platform Hardening Checklist

Purpose: Pre-release gating to ensure security, resilience, performance, privacy, and operational readiness are at MVP standard. Mark each item with [ ] -> [x] and link evidence (PR, doc, test ID, dashboard URL).

0. Meta

  • Owner assigned for hardening (name/contact)
  • Target release version & date confirmed
  • All open questions enumerated in docs/INDEX.md resolved or deferred with rationale

1. Identity & Access Control

  • Password policy (min length, complexity, rotation) implemented & documented
  • Rate limiting / lockout for auth endpoints (config & test evidence)
  • MFA flows tested (success, failure, recovery)
  • Session invalidation works on password change & explicit logout
  • Admin privilege escalation paths reviewed; least privilege role matrix stored
  • No hard-coded secrets; secret rotation procedure documented

2. Tenant Isolation & Data Segregation

  • Repository layer enforces the tenant predicate on all multi-tenant reads/writes (see tenant-isolation-test-strategy.md)
  • Cache keys namespaced by tenant ID; negative tests show cross-tenant denial
  • Background jobs scoped to tenant; audit of scheduled tasks completed
  • IDOR (insecure direct object reference) tests pass for representative endpoints
  • Data export/import processes scrub PII of other tenants
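As an added example (not the project's own code) covering the repository-predicate, cache-namespacing and negative-test items above: a tenant-scoped repository in Python whose in-memory dicts, `Employee` type and `CrossTenantAccess` error are assumptions standing in for the real database, cache and error type.

```python
# Added example (not the platform's own code); dicts stand in for the DB table and cache.
from dataclasses import dataclass, field

class CrossTenantAccess(Exception): pass

@dataclass
class Employee:
    id: int
    tenant_id: str
    name: str

@dataclass
class EmployeeRepository:
    rows: dict = field(default_factory=dict)   # stands in for the DB table
    cache: dict = field(default_factory=dict)  # stands in for the shared cache

    def _cache_key(self, tenant_id: str, employee_id: int) -> str:
        # Tenant ID is part of the key, so two tenants never share an entry.
        return f"{tenant_id}:employee:{employee_id}"

    def save(self, tenant_id: str, emp: Employee) -> None:
        # Write path: the caller's tenant must match the record's tenant.
        if emp.tenant_id != tenant_id:
            raise CrossTenantAccess(f"tenant {tenant_id} cannot write employee {emp.id}")
        self.rows[emp.id] = emp
        self.cache[self._cache_key(tenant_id, emp.id)] = emp

    def get(self, tenant_id: str, employee_id: int) -> Employee:
        # Read path: the cache lookup is tenant-scoped by key construction.
        cached = self.cache.get(self._cache_key(tenant_id, employee_id))
        if cached is not None:
            return cached
        # The tenant predicate is applied here, not left to each caller.
        emp = self.rows.get(employee_id)
        if emp is None or emp.tenant_id != tenant_id:
            # Same error for "missing" and "other tenant": no hint that the ID exists.
            raise CrossTenantAccess(f"employee {employee_id} not visible to {tenant_id}")
        self.cache[self._cache_key(tenant_id, employee_id)] = emp
        return emp

def cross_tenant_read_denied() -> bool:
    # Negative test: tenant-b may not read tenant-a's record by guessing its ID,
    # while tenant-a still reads its own record (now served from cache).
    repo = EmployeeRepository()
    repo.save("tenant-a", Employee(id=1, tenant_id="tenant-a", name="Ada"))
    try:
        repo.get("tenant-b", 1)
    except CrossTenantAccess:
        return repo.get("tenant-a", 1).name == "Ada"
    return False
```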

3. Data Protection & Privacy

  • PII classification list approved (fields + sensitivity tier)
  • Encryption at rest configured (storage layer / cloud config evidence)
  • TLS enforced end-to-end (no plain HTTP internally without justification)
  • Logging excludes raw PII (see logging-tracing-guidelines.md); sampled spans do not leak secrets
  • Retention windows defined for candidate data (Recruitment) & performance reviews (Performance)
  • Anonymization / soft-delete strategy documented & tested

4. Application Security

  • Input validation (server-side) for all external request schemas
  • Output encoding (avoid XSS) verified in UI surfaces (if applicable)
  • CSRF protection enabled for state-changing browser endpoints
  • Dependency vulnerability scan clean (SBOM or tool output attached)
  • No use of deprecated cryptographic algorithms (MD5, SHA-1) in any security-sensitive context
  • Open redirect checks pass; URL validations enforced

5. Infrastructure & Configuration

  • IaC reviewed (naming, tags, least privilege security groups)
  • Environment parity: Dev/Staging/Prod differences documented
  • Autoscaling rules defined (thresholds & cooldowns) or manual capacity plan
  • Health check endpoints return structured status (include build/version)
  • Backups scheduled & recovery test performed (RTO/RPO documented)

6. Observability & Monitoring

  • Structured logging fields present: timestamp, level, trace/span IDs, tenant_id, request_id
  • Trace coverage > 70% for critical flows (activation, employee profile create)
  • Metrics dashboard created (activation funnel, error rates, latency p95/p99)
  • Alert thresholds defined & tested (see activation-runbook.md)
  • Dead letter queues / retry counts monitored
  • Synthetic check configured for public entry point
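Added example (not the project's code) covering the structured-field item above together with the "logging excludes raw PII" item in section 3: a JSON formatter that emits the listed fields and hashes PII fields before the line is written. The PII field names, the salt constant and the `ctx` record attribute are assumptions.

```python
# Added example, not the platform's own code: a JSON log formatter that carries the
# checklist's required fields and hashes PII values before the record is emitted.
import hashlib
import json
import logging

REQUIRED = ("timestamp", "level", "trace_id", "span_id", "tenant_id", "request_id")
PII_FIELDS = {"email", "name", "phone"}  # constructed; use the approved PII classification
SALT = "replace-with-secret-from-config"  # assumption: loaded from a secret store, not code

def scrub(doc: dict) -> dict:
    # Hash rather than drop, so records for one person remain correlatable
    # without the raw value ever reaching the log store.
    out = {}
    for key, value in doc.items():
        if key in PII_FIELDS:
            digest = hashlib.sha256(f"{SALT}:{value}".encode()).hexdigest()
            out[key] = "h:" + digest[:16]
        else:
            out[key] = value
    return out

class StructuredFormatter(logging.Formatter):
    def format(self, record: logging.LogRecord) -> str:
        # Request context (trace/span/tenant/request IDs) is attached by the caller
        # via the `ctx` attribute; this example does not wire a context variable.
        ctx = getattr(record, "ctx", {})
        doc = {
            "timestamp": self.formatTime(record, "%Y-%m-%dT%H:%M:%S"),
            "level": record.levelname,
            "message": record.getMessage(),
            **ctx,
        }
        return json.dumps(scrub(doc), sort_keys=True)

def render(message: str, ctx: dict) -> str:
    # Build one record directly so the formatter can be exercised without handlers.
    rec = logging.LogRecord("hr", logging.INFO, "app.py", 0, message, None, None)
    rec.ctx = ctx
    return StructuredFormatter().format(rec)

def missing_fields(line: str) -> list:
    # Gate check for the checklist item: which required fields does this line lack?
    doc = json.loads(line)
    return [f for f in REQUIRED if f not in doc]
```

Free-text `message` values are not scanned; keeping PII out of them remains the caller's job.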

7. Performance & Scalability

  • Load test executed at projected peak (document concurrency & throughput)
  • p95 latency within target for core endpoints (targets in forthcoming performance budget doc)
  • CPU / memory headroom > 30% under peak simulation
  • Cache hit ratio acceptable (>= 60% for identity / profile lookups) or tuning plan
  • N+1 queries eliminated (profiling evidence)
  • Bulk operations have pagination / batching safeguards

8. Reliability & Resilience

  • Circuit breaker / timeout policies set for external integrations
  • Retry policies implemented with exponential backoff and jitter (avoids thundering herd)
  • Chaos test / failure injection run for one non-critical component
  • No single point of failure remains, or each identified one has a documented mitigation
  • Disaster recovery drill executed (partial) or scheduled
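Added example (not the project's code) for the retry-policy item above: exponential backoff with full jitter and a retry wrapper built on it, plus a small count of how many distinct instants a group of clients retries at, which is how the "no thundering herd" claim can be checked. The flaky dependency, the parameter values and the injected `sleep` are assumptions.

```python
# Added example, not the platform's own code: exponential backoff with "full jitter"
# and a retry wrapper built on it; sleep and RNG are injected so it runs offline.
import random
from typing import Callable

def backoff_delay(attempt: int, base: float, cap: float,
                  rng: random.Random, jitter: bool = True) -> float:
    # Exponential growth bounded by cap; with jitter the wait is drawn uniformly
    # from [0, bound], so clients that failed together do not retry together.
    bound = min(cap, base * (2 ** attempt))
    return rng.uniform(0, bound) if jitter else bound

def call_with_retry(op: Callable[[], object], max_attempts: int, base: float,
                    cap: float, sleep: Callable[[float], None],
                    rng: random.Random, retry_on: tuple = (TimeoutError,)):
    # Retries only the listed transient errors; the final failure propagates.
    for attempt in range(max_attempts - 1):
        try:
            return op()
        except retry_on:
            sleep(backoff_delay(attempt, base, cap, rng))
    return op()

def distinct_retry_instants(clients: int, attempt: int, jitter: bool, seed: int = 7) -> int:
    # Number of different instants at which `clients` retry on the same attempt:
    # 1 is a thundering herd, close to `clients` means the load is spread out.
    rng = random.Random(seed)
    return len({backoff_delay(attempt, 0.1, 5.0, rng, jitter) for _ in range(clients)})

def demo() -> tuple:
    # Constructed flaky dependency: times out twice, then succeeds.
    calls = {"n": 0}
    def flaky():
        calls["n"] += 1
        if calls["n"] < 3:
            raise TimeoutError("upstream slow")
        return "ok"
    sleeps = []
    result = call_with_retry(flaky, 5, 0.1, 5.0, sleeps.append, random.Random(1))
    return result, calls["n"], sleeps
```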

9. Release & Deployment

  • CI pipeline includes: tests, lint, security scan, build artefact notarization
  • Rollback procedure documented and exercised (blue/green or versioned deploy)
  • Feature flags registered & default states documented
  • Migration scripts idempotent & reviewed (dry run evidence)
  • Release notes draft prepared (scope, risks, mitigation)

10. Quality Assurance

  • Test coverage report (unit/integration) meets agreed baseline
  • Isolation test suite green (see tenant-isolation-test-strategy.md)
  • High-risk BDD scenarios automated (list of test IDs)
  • Manual exploratory test session report attached
  • Regression suite passed on staging with build tag

11. Analytics & Events

  • Event JSON Schemas created & validated in CI for all listed events (events-schema.md)
  • Personally identifiable data masked / hashed per policy
  • Data quality dashboard (ingestion errors, schema violations) established
  • Activation funnel metrics match synthetic scenario (baseline accuracy)

12. Compliance & Policy

  • Security policy & acceptable use doc accessible internally
  • Audit log retention & access controls defined
  • GDPR/CCPA right-to-delete flow documented & tested (if applicable)
  • Licensing of dependencies compatible with distribution model
  • Privacy policy references implemented features correctly

13. Documentation Completeness

  • docs/INDEX.md updated with latest artefacts & statuses
  • All stories in Sprint 1 show final acceptance criteria (no TBD)
  • Runbook contains escalation matrix contacts
  • Architecture diagram (high-level) added or scheduled

14. Final Approval Gates

  • Product Owner sign-off recorded
  • Architecture review completed & notes stored
  • Security review / penetration test results triaged (critical issues fixed)
  • Go/No-Go meeting executed & decision logged

Scoring (Optional): Assign Critical / High / Medium / Low to each item; require all Critical & High be [x] before release.

Maintenance: Re-run checklist each release; archive version with release tag (#hardening-release-vX.Y).