Secure Code Review & Hardening — Self-Hosted Clinical Web App (Node/TS, PostgreSQL, React)
HOURLY / PART_TIME
United Kingdom
web-application, typescript, express-js, application-security, node.js, postgresql, vulnerability-assessment
We're building a self-hosted clinical LIMS (laboratory information management system) for UK labs. It's a real product going live with paying customers — each install runs on its own Linux box, and patient data stays resident on that box and never leaves it. Getting the security right is non-negotiable before it's trusted with real clinical data.
We're looking for an expert secure-code reviewer to go through the codebase and tell us, precisely and honestly, where it can be tightened.
What we want reviewed:
Injection across the board (SQL and otherwise) — the backend uses parameterised queries and an ORM, but we want the edges checked
Authentication and session handling
Authorisation / role-based access control
Cryptography usage — at-rest and in-transit, key handling, IV/nonce discipline
A hand-written expression evaluator behind a clinical calculation engine (small grammar, deliberately not a third-party library — we want it torn into)
The signed auto-update channel (GPG-signed artefacts pulled from a separate host)
Dependency and supply-chain risk
Secrets handling, error handling and logging (we must never leak patient data into logs or outbound errors)
TCP listeners that talk to lab analysers over a legacy protocol
Stack: Node.js 24, TypeScript 5, Express 5, PostgreSQL 18 (Drizzle ORM), React 19 / Vite; Ubuntu 24.04, Caddy, systemd; Tailscale for remote access.
Already in place (stress-test it, don't take it on trust): RBAC + mandatory MFA/TOTP, an append-only audit hash-chain, a GPG-signed update client, AES-256-GCM encryption, pgcrypto.
Deliverables:
Findings ranked by severity — each with description, impact, and concrete remediation, not raw scanner output
A short call to walk us through the high/critical items
A retest pass after we apply fixes, to confirm they hold
How it works:
Read-only access to the private GitHub repo, provided after a signed NDA
The codebase contains no real patient data — test fixtures and de-identified data only
Fully remote, hourly, part-time — no fixed weekly commitment
You are: an experienced application-security specialist who reads source for a living, comfortable across Node/TypeScript and PostgreSQL, ideally with exposure to healthcare or other regulated/data-sensitive systems. Certifications (OSCP or similar) welcome, but demonstrated code-review work matters more.
In your proposal: a brief note on comparable secure-code reviews you've done, and a redacted sample report if you have one.