Security posture

Security is presented as operating posture, not decorative language.

The ALBAKEYS site and portal frame least privilege, secure session handling, observable delivery, and controlled integrations as visible parts of the brand promise.

Least privilege | Server-managed sessions | Controlled sessions | Observable delivery

TLS

Transport baseline

Encrypted transport and strong headers protect the public surface.

RBAC

Portal baseline

Role claims shape what partner users see in the protected shell.

Auditability

Operational baseline

Structured logging and deterministic local runtime control reduce ambiguity.

What is built into this release

The first delivery slice focuses on the controls that should never be retrofitted.

Secure headers

CSP, HSTS, referrer policy, and permission controls ship with the app.

Server-managed sessions

The portal avoids client token storage and derives access from OIDC sessions.

Control domains

The public security posture should explain what is governed, not just claim that security matters.

Identity and access

Protected routes are shaped by role-aware sessions and least privilege.

Portal and admin experiences are presented as distinct access surfaces with claims normalization, stronger admin roles, and explicit review boundaries.

Data and transport

Encryption, session handling, and controlled exchange remain visible themes.

The site language frames secure headers, encrypted transport, server-managed sessions, and controlled integrations as baseline posture.

Audit and delivery

Operational traceability sits next to release and content governance.

Publication events, access reviews, and runtime visibility are treated as enterprise controls instead of backstage implementation details.

Security questions

A serious buyer expects concrete answers on controls and governance.

What does ALBAKEYS emphasize first in security discussions?

Identity, session handling, auditability, controlled integration boundaries, and observability are the first visible control domains across the public and protected surfaces.

How is the partner portal positioned from a security perspective?

As a controlled access layer backed by configured identity, normalized roles, and a separate admin review posture rather than as a generic login box.

Why include operational delivery controls on a public security page?

Because regulated buyers usually evaluate security together with release discipline, logging, traceability, and governance rather than as isolated technical features.