Security
:::info Source
Sourced from services/media-service/SECURITY_MODEL.md in the documentation repo.
:::
1. Authentication
- Internally issued JWTs for caller authentication.
- Service-to-service (S2S) mTLS for content-service and authoring.
2. Authorization
| Scope | Granted to |
|---|---|
| media:upload | author, reviewer |
| media:delete | owner, admin |
| media:ai:generate | author with AI entitlement |
| media:admin | platform_admin (quarantine review) |
3. Multi-Tenant Isolation
- Per-tenant S3 prefix tenants/{tid}/media/...
- Signed URLs include the tenant in the path plus a caller-scoped signature.
- Row-level security (RLS) on all tables.
4. Upload Security
- Signed POST policy with size + content-type constraints.
- 15-min TTL.
- SHA-256 verified on finalize.
- AV scan (ClamAV) before ready.
- Content-safety classifier (violence, adult, CSAM) before ready.
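The upload controls above (key pinned to the tenant prefix, size and content-type constraints, 15-minute policy TTL, SHA-256 check on finalize), as an added example that is not the media-service's own code. It builds an S3 POST policy in the SigV4 format; the credentials, bucket, region, size cap and the local policy_allows simulation of the checks S3 performs are assumptions made for the demo. The storage key is derived from the asset ID rather than the client filename, which is the path-traversal mitigation listed in the threat model.

```python
# Added example (not the media-service's own code): builds an S3 POST policy
# signed with AWS SigV4 that pins the object key to the tenant prefix, caps the
# size, restricts the content type and expires after 15 minutes, then checks the
# SHA-256 digest on finalize. Credentials, bucket, region and limits are
# constructed placeholders.
import base64
import hashlib
import hmac
import json
from datetime import datetime, timedelta, timezone

ACCESS_KEY = "AKIAEXAMPLEEXAMPLE"                         # placeholder, not a real key
SECRET_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"  # placeholder, not a real key
REGION = "us-east-1"
BUCKET = "media-assets-example"
POLICY_TTL = timedelta(minutes=15)
MAX_BYTES = 50 * 1024 * 1024                              # assumed per-upload cap
EXAMPLE_NOW = datetime(2024, 1, 2, 3, 4, 5, tzinfo=timezone.utc)  # fixed clock for the demo


def storage_key(tenant_id: str, asset_id: str) -> str:
    """Object key derived from the asset ID only; the client filename never
    reaches the key, which closes the path-traversal route."""
    return f"tenants/{tenant_id}/media/{asset_id}"


def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()


def _sigv4_signing_key(secret: str, date: str) -> bytes:
    k = _hmac(("AWS4" + secret).encode(), date)
    k = _hmac(k, REGION)
    k = _hmac(k, "s3")
    return _hmac(k, "aws4_request")


def build_upload_policy(tenant_id, asset_id, content_type_prefix, now=None):
    """Return the POST URL, the form fields the client must send, and the
    decoded policy document (kept for inspection and for policy_allows)."""
    now = now or datetime.now(timezone.utc)
    amz_date = now.strftime("%Y%m%dT%H%M%SZ")
    date = amz_date[:8]
    credential = f"{ACCESS_KEY}/{date}/{REGION}/s3/aws4_request"
    key = storage_key(tenant_id, asset_id)
    policy = {
        "expiration": (now + POLICY_TTL).strftime("%Y-%m-%dT%H:%M:%SZ"),
        "conditions": [
            {"bucket": BUCKET},
            {"key": key},                                      # exact key, no client choice
            ["content-length-range", 1, MAX_BYTES],             # size constraint
            ["starts-with", "$Content-Type", content_type_prefix],
            {"x-amz-algorithm": "AWS4-HMAC-SHA256"},
            {"x-amz-credential": credential},
            {"x-amz-date": amz_date},
        ],
    }
    policy_b64 = base64.b64encode(json.dumps(policy).encode()).decode()
    # For POST policies the SigV4 string-to-sign is the base64 policy itself.
    signature = hmac.new(_sigv4_signing_key(SECRET_KEY, date),
                         policy_b64.encode(), hashlib.sha256).hexdigest()
    fields = {
        "key": key,
        "policy": policy_b64,
        "x-amz-algorithm": "AWS4-HMAC-SHA256",
        "x-amz-credential": credential,
        "x-amz-date": amz_date,
        "x-amz-signature": signature,
        # Content-Type is supplied by the client and must satisfy the starts-with condition.
    }
    return {"url": f"https://{BUCKET}.s3.{REGION}.amazonaws.com/",
            "fields": fields, "policy_doc": policy}


def policy_allows(policy_doc, form, size):
    """Local simulation of the checks S3 applies to a POST against the policy
    (illustrative, not S3's code): every condition must hold or the POST is
    rejected. The 'bucket' entry is taken from the form dict here for simplicity."""
    for cond in policy_doc["conditions"]:
        if isinstance(cond, dict):
            (name, value), = cond.items()
            if form.get(name) != value:
                return False
        elif cond[0] == "content-length-range":
            if not cond[1] <= size <= cond[2]:
                return False
        elif cond[0] == "starts-with":
            if not str(form.get(cond[1].lstrip("$"), "")).startswith(cond[2]):
                return False
    return True


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def finalize_upload(declared_sha256: str, stored_object: bytes) -> bool:
    """Finalize step: recompute SHA-256 over what actually landed in storage and
    compare in constant time with the digest declared when the policy was issued."""
    return hmac.compare_digest(sha256_hex(stored_object), declared_sha256)


if __name__ == "__main__":
    grant = build_upload_policy("tenant-a", "asset-0001", "image/", now=EXAMPLE_NOW)
    print(json.dumps(grant["fields"], indent=2))
```

The client posts the returned fields plus its Content-Type and file; because the key is an exact condition rather than a starts-with, a client cannot move the object outside its tenant prefix even with a valid signature, and the finalize check catches a body that differs from what the client declared.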
5. AV & Content Safety
- ClamAV on every upload.
- ML content classifier (NSFW, violence).
- CSAM hit → quarantine + NCMEC report.
- Quarantined assets cannot be read; admin review only.
6. Streaming Security
- HLS/DASH signed URLs per user per asset.
- Segment encryption optional for premium content.
- DRM (Widevine/FairPlay) for restricted tenants (M5+).
7. Threat Model
| Threat | Mitigation |
|---|---|
| Upload of malware | AV scan + classifier; sandboxed processing |
| Path traversal via filename | Filename sanitized; storage key derived from ID |
| Cross-tenant asset access | Prefix ACL + RLS |
| Signed URL leak | Short TTL; single-use nonce |
| CSAM | NCMEC reporting; legal; quarantine |
| Content piracy via download | Signed URLs; DRM; watermarking (M5+) |
| AI prompt injection in upload metadata | Metadata sanitized before AI processing |
| Deepfake generation abuse | Generated images tagged with provenance + watermark |
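The signed-URL scheme described in Section 3 (tenant in the path, caller-scoped signature), Section 6 (per user, per asset) and the "Signed URL leak" row above (short TTL, single-use nonce), as an added example that is not the media-service's own code. The signing key, the five-minute TTL, the URL layout and the in-memory nonce store are assumptions; the point it shows is that the verifier takes the caller's tenant and user from the authenticated session, never from the URL, so a leaked link fails for anyone but its intended viewer and cannot be replayed.

```python
# Added example (not the media-service's own code): HLS manifest URLs signed per
# user and per asset, with the tenant in the path, a short TTL and a single-use
# nonce. The signing key, the nonce store and the URL layout are assumptions.
import hashlib
import hmac
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

SIGNING_KEY = b"constructed-demo-key-do-not-use"   # placeholder secret
DEFAULT_TTL = 300                                   # five-minute TTL (assumed)


class NonceStore:
    """In-memory single-use registry. Across several stream nodes a shared store
    (e.g. Redis with a key TTL matching the URL lifetime) would be needed."""
    def __init__(self):
        self._used = set()

    def consume(self, nonce: str) -> bool:
        if nonce in self._used:
            return False
        self._used.add(nonce)
        return True


def _message(tenant, asset, user, expires, nonce) -> bytes:
    # Every field the verifier enforces is bound into the signature.
    return "\n".join([tenant, asset, user, str(expires), nonce]).encode()


def sign_stream_url(tenant, asset, user, ttl=DEFAULT_TTL, now=None, nonce=None):
    """Issue a URL for one user to fetch one asset's manifest."""
    now = int(time.time() if now is None else now)
    expires = now + ttl
    nonce = nonce or secrets.token_urlsafe(16)
    sig = hmac.new(SIGNING_KEY, _message(tenant, asset, user, expires, nonce),
                   hashlib.sha256).hexdigest()
    path = f"/tenants/{tenant}/media/{asset}/index.m3u8"
    return path + "?" + urlencode({"u": user, "e": expires, "n": nonce, "s": sig})


def verify_stream_url(url, caller_tenant, caller_user, store, now=None):
    """Return (ok, reason). caller_tenant and caller_user come from the
    authenticated session, never from the URL."""
    now = int(time.time() if now is None else now)
    parsed = urlparse(url)
    parts = parsed.path.split("/")
    if len(parts) < 6 or parts[1] != "tenants" or parts[3] != "media":
        return False, "malformed path"
    tenant, asset = parts[2], parts[4]
    q = {k: v[0] for k, v in parse_qs(parsed.query).items()}
    try:
        user, expires, nonce, sig = q["u"], int(q["e"]), q["n"], q["s"]
    except (KeyError, ValueError):
        return False, "missing parameters"
    expected = hmac.new(SIGNING_KEY, _message(tenant, asset, user, expires, nonce),
                        hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sig):
        return False, "bad signature"        # any tampering with path or query
    if tenant != caller_tenant:
        return False, "tenant mismatch"      # prefix isolation
    if user != caller_user:
        return False, "wrong caller"         # caller-scoped signature
    if now >= expires:
        return False, "expired"              # short TTL
    if not store.consume(nonce):
        return False, "replayed"             # single-use nonce
    return True, "ok"


if __name__ == "__main__":
    store = NonceStore()
    url = sign_stream_url("t1", "asset-9", "alice")
    print(url)
    print(verify_stream_url(url, "t1", "alice", store))
    print(verify_stream_url(url, "t1", "alice", store))   # second use is rejected
```

Signature verification runs before the nonce is consumed so an attacker cannot burn a victim's nonce with a forged request; the nonce itself only has to be unique for the lifetime of the URL, which is why a store with a TTL equal to the URL TTL suffices.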
8. Audit
- Every AI generation logged with provenance.
- Quarantine events immutable; NCMEC reports tracked.
- Daily Merkle anchor of the audit log.
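What a daily Merkle anchor over the audit log looks like, as an added example that is not the media-service's own code. The event shape, the RFC 6962-style leaf and node prefixes and the promotion of an unpaired node are assumptions; the root in the returned record is what would be published to an external anchor each day, and the inclusion proof is how a reviewer later shows that a quarantine, NCMEC report or AI generation event was in the anchored set.

```python
# Added example (not the media-service's own code): a daily Merkle anchor over
# the audit log. Leaves are canonical-JSON audit events; the root is anchored
# externally each day, and an inclusion proof ties any single event to that root.
# Event shape and hashing conventions are constructed for the demo.
import hashlib
import json

LEAF_PREFIX, NODE_PREFIX = b"\x00", b"\x01"   # domain separation, as in RFC 6962


def leaf_hash(event: dict) -> bytes:
    """Canonical JSON so re-serialising the stored event reproduces the leaf."""
    canonical = json.dumps(event, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(LEAF_PREFIX + canonical).digest()


def _node(left: bytes, right: bytes) -> bytes:
    return hashlib.sha256(NODE_PREFIX + left + right).digest()


def _next_level(level):
    nxt = [_node(level[i], level[i + 1]) for i in range(0, len(level) - 1, 2)]
    if len(level) % 2:
        nxt.append(level[-1])    # unpaired node is promoted, never duplicated
    return nxt


def merkle_root(leaves) -> bytes:
    if not leaves:
        raise ValueError("cannot anchor an empty day")
    level = list(leaves)
    while len(level) > 1:
        level = _next_level(level)
    return level[0]


def inclusion_proof(leaves, index):
    """Sibling hashes from leaf to root as (hash, sibling_is_left) pairs."""
    proof, level, i = [], list(leaves), index
    while len(level) > 1:
        sib = i ^ 1
        if sib < len(level):
            proof.append((level[sib], sib < i))
        level, i = _next_level(level), i // 2
    return proof


def verify_inclusion(leaf: bytes, proof, root: bytes) -> bool:
    h = leaf
    for sibling, sibling_is_left in proof:
        h = _node(sibling, h) if sibling_is_left else _node(h, sibling)
    return h == root


def daily_anchor(day: str, events) -> dict:
    """The record that would be published to an external anchor for the day."""
    leaves = [leaf_hash(e) for e in events]
    return {"day": day, "count": len(leaves), "root": merkle_root(leaves).hex()}


# Constructed audit events for one day (odd count exercises the promotion path).
EVENTS = [
    {"seq": 1, "type": "ai.generate", "actor": "u-alice", "asset": "a-1", "prompt_hash": "c0ffee"},
    {"seq": 2, "type": "upload.ready", "actor": "u-bob", "asset": "a-2"},
    {"seq": 3, "type": "quarantine", "actor": "classifier", "asset": "a-3", "reason": "csam"},
    {"seq": 4, "type": "ncmec.report", "actor": "platform_admin", "asset": "a-3"},
    {"seq": 5, "type": "upload.ready", "actor": "u-alice", "asset": "a-4"},
]

if __name__ == "__main__":
    print(daily_anchor("2024-01-02", EVENTS))
```

Changing any field of any event after the anchor is published changes the root, and the proof for the original event no longer verifies against the tampered leaf, which is what makes the quarantine and report history effectively immutable once the root is held by a party outside the service.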
9. GDPR
- User uploads deleted on erasure.
- Bundle-referenced assets: anonymize ownership but retain for bundles.
- AI-generated assets with user PII prompts: delete.
10. Compliance
- COPPA for child tenants (enhanced consent).
- HIPAA for healthcare tenants.
- CSAM reporting via NCMEC (US) + equivalents.