
Secure Code Review & Hardening — Self-Hosted Clinical Web App (Node/TS, PostgreSQL, React)

Budget: hourly / part-time. Client rating: 0.00 (0). Location: United Kingdom.

web-application, typescript, express-js, application-security, node.js, postgresql, vulnerability-assessment

We're building a self-hosted clinical LIMS (laboratory information management system) for UK labs. It's a real product going live with paying customers: each install runs on its own Linux box, and patient data stays resident on that box and never leaves it. Getting the security right is non-negotiable before it's trusted with real clinical data. We're looking for an expert secure-code reviewer to go through the codebase and tell us, precisely and honestly, where it can be tightened.

What we want reviewed:

- Injection across the board (SQL and otherwise). The backend uses parameterised queries and an ORM, but we want the edges checked.
- Authentication and session handling.
- Authorisation / role-based access control.
- Cryptography usage: at rest and in transit, key handling, IV/nonce discipline.
- A hand-written expression evaluator behind a clinical calculation engine (small grammar, deliberately not a third-party library). We want it torn into.
- The signed auto-update channel (GPG-signed artefacts pulled from a separate host).
- Dependency and supply-chain risk.
- Secrets handling, error handling and logging. We must never leak patient data into logs or outbound errors.
- TCP listeners that talk to lab analysers over a legacy protocol.

Stack: Node.js 24, TypeScript 5, Express 5, PostgreSQL 18 (Drizzle ORM), React 19 / Vite; Ubuntu 24.04, Caddy, systemd; Tailscale for remote access.

Already in place (stress-test it, don't take it on trust): RBAC + mandatory MFA/TOTP, an append-only audit hash chain, a GPG-signed update client, AES-256-GCM encryption, pgcrypto.
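As an added illustration of the "IV/nonce discipline" review item above (example code written for this page, not code from the project's repository), the following Node/TypeScript module shows the hardened AES-256-GCM pattern a reviewer would expect next to the failure it guards against: a fresh random 96-bit nonce per message, record context bound into the tag via AAD, and a reviewer's check that scans stored records for (key id, nonce) reuse. The `keyId` field, the AAD strings and the sample HbA1c plaintexts are constructed for the demonstration and are not the product's schema.

```typescript
import { createCipheriv, createDecipheriv, randomBytes } from "node:crypto";

const ALG = "aes-256-gcm";
const NONCE_BYTES = 12; // 96-bit nonce: GCM's standard size, used directly as the counter block base
const TAG_BYTES = 16;   // full 128-bit tag; never truncate

export interface SealedRecord {
  keyId: string;     // hypothetical: identifies the key for rotation; part of the reuse check
  aad: string;       // context authenticated but not encrypted, e.g. "patient:42:result:7"
  nonce: Buffer;
  ciphertext: Buffer;
  tag: Buffer;
}

// Hardened form: one random nonce per call, context in AAD, full-length tag.
export function seal(keyId: string, key: Buffer, plaintext: Buffer, aad: string): SealedRecord {
  if (key.length !== 32) throw new Error("AES-256-GCM needs a 32-byte key");
  return sealWithNonce(keyId, key, plaintext, aad, randomBytes(NONCE_BYTES));
}

// Exposes the nonce only so the reuse failure can be demonstrated below.
// A production module should not offer a caller-supplied nonce at all.
export function sealWithNonce(keyId: string, key: Buffer, plaintext: Buffer, aad: string, nonce: Buffer): SealedRecord {
  if (nonce.length !== NONCE_BYTES) throw new Error("nonce must be 12 bytes");
  const cipher = createCipheriv(ALG, key, nonce, { authTagLength: TAG_BYTES });
  cipher.setAAD(Buffer.from(aad, "utf8"));
  const ciphertext = Buffer.concat([cipher.update(plaintext), cipher.final()]);
  return { keyId, aad, nonce, ciphertext, tag: cipher.getAuthTag() };
}

// Returns the plaintext, or throws if ciphertext, tag, nonce or AAD was altered.
export function unseal(key: Buffer, rec: SealedRecord): Buffer {
  const d = createDecipheriv(ALG, key, rec.nonce, { authTagLength: TAG_BYTES });
  d.setAAD(Buffer.from(rec.aad, "utf8"));
  d.setAuthTag(rec.tag);
  return Buffer.concat([d.update(rec.ciphertext), d.final()]); // final() verifies the tag
}

// Reviewer's check over an exported table: any (keyId, nonce) pair seen twice
// means the same keystream was used for two messages. Returns index pairs.
export function findNonceReuse(records: SealedRecord[]): Array<[number, number]> {
  const seen = new Map<string, number>();
  const hits: Array<[number, number]> = [];
  records.forEach((r, i) => {
    const k = `${r.keyId}:${r.nonce.toString("hex")}`;
    const first = seen.get(k);
    if (first === undefined) seen.set(k, i);
    else hits.push([first, i]);
  });
  return hits;
}

export function xorBuffers(a: Buffer, b: Buffer): Buffer {
  const n = Math.min(a.length, b.length);
  const out = Buffer.alloc(n);
  for (let i = 0; i < n; i++) out[i] = a[i] ^ b[i];
  return out;
}

// Walk-through: with a constant IV, c1 XOR c2 equals p1 XOR p2 (GCM is CTR underneath),
// so an attacker holding two ciphertexts learns the difference of two results without the key.
export function demo() {
  const key = randomBytes(32);
  const p1 = Buffer.from("HbA1c 41 mmol/mol"); // constructed sample plaintexts
  const p2 = Buffer.from("HbA1c 58 mmol/mol");
  const fixed = Buffer.alloc(NONCE_BYTES, 7);   // the anti-pattern: a hard-coded IV
  const bad1 = sealWithNonce("k1", key, p1, "r1", fixed);
  const bad2 = sealWithNonce("k1", key, p2, "r2", fixed);
  const leak = xorBuffers(bad1.ciphertext, bad2.ciphertext).equals(xorBuffers(p1, p2));

  const good1 = seal("k1", key, p1, "r1");
  const good2 = seal("k1", key, p2, "r2");
  const reuse = findNonceReuse([bad1, bad2, good1, good2]); // flags [0, 1] only

  // Ciphertext sealed for record r1 presented as r2 must fail: AAD stops record swapping.
  let swapped = false;
  try { unseal(key, { ...good1, aad: "r2" }); } catch { swapped = true; }

  return { leak, reuse, swapped, roundTrip: unseal(key, good2).equals(p2) };
}
```

The reuse scan is worth running against a real export of the encrypted columns, not just the code: a static IV, a nonce derived from a counter that resets on restart, or a nonce column that was "nulled out" in a migration all show up as duplicates, and the XOR demonstration is the one-line proof of impact to put in the finding.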
Deliverables:

- Findings ranked by severity, each with description, impact and concrete remediation (not raw scanner output).
- A short call to walk us through the high/critical items.
- A retest pass after we apply fixes, to confirm they hold.

How it works:

- Read-only access to the private GitHub repo, provided after a signed NDA.
- The codebase contains no real patient data: test fixtures and de-identified data only.
- Fully remote, hourly, part-time; no fixed weekly commitment.

You are: an experienced application-security specialist who reads source for a living, comfortable across Node/TypeScript and PostgreSQL, ideally with exposure to healthcare or other regulated/data-sensitive systems. Certifications (OSCP or similar) are welcome, but demonstrated code-review work matters more.

In your proposal: a brief note on comparable secure-code reviews you've done, and a redacted sample report if you have one.