A multi-domain web security portal that implements Zero Trust Architecture — "Never Trust, Always Verify" — using Attribute-Based Access Control (ABAC), real-time risk scoring, and step-up MFA authentication.
Built as a full-stack Node.js/Express/MongoDB application, the system enforces per-request authentication and authorization across four independent enterprise domains: University, Hospital, Corporate, and Banking.
Screenshots available in the
/screenshotsfolder (or link them here once added).
- Zero Trust enforcement — every resource request is individually authenticated and authorized; no session is implicitly trusted
- ABAC policy engine — evaluates subject attributes (role, department), resource classification (public/internal/confidential/critical), action type, and environmental context on every request
- Real-time risk scoring (0–100) — combines resource sensitivity, role-resource alignment, device trust, time-of-access, and login history to classify each request as ALLOW, STEP-UP, or DENY
- JWT-based stateless authentication — 15-minute access tokens with refresh token rotation
- MFA step-up verification — 6-digit OTP challenge triggered automatically for medium-risk requests
- Brute-force protection — account lockout after 5 failed login attempts, plus global rate limiting
- Domain-locked login — users can only authenticate through the portal matching their email domain
- Full audit logging — every access decision (allow/deny/step-up) is logged with user, resource, risk score, IP, and timestamp; exportable as CSV
- Admin panel — user block/unblock, ABAC policy management, and system-wide log monitoring
- Attack simulation module — educational demo of brute-force, privilege escalation, and token replay attacks
| Layer | Technology |
|---|---|
| Backend | Node.js, Express.js |
| Database | MongoDB, Mongoose (ODM) |
| Auth | JSON Web Tokens (JWT), bcrypt |
| Security | Helmet.js, express-rate-limit, CORS |
| Frontend | HTML5, CSS3, Vanilla JavaScript (SPA) |
- Policy Enforcement Point (PEP) —
authMiddleware.jswraps every protected route - Policy Decision Point (PDP) — policy evaluation logic inside the
authorize()middleware - Risk Scorer — computes a fresh 0–100 score per request based on resource classification (+40 critical / +25 confidential / +10 internal), off-hours access (+15), untrusted device (+20), and failed login history (+25)
- 100% access control accuracy across all tested role-resource scenarios
- ~45ms average response time for ABAC evaluation + risk scoring per request
- Full test suite covering registration, domain-lock validation, resource access (allow/deny), MFA step-up, audit logging, and admin operations
- Node.js 18+
- MongoDB (local or Atlas)
git clone https://github.com/priya25800/zero-trust-final.git
cd zero-trust-final
npm installCreate a .env file in the project root:
MONGO_URI=mongodb://localhost:27017/zerotrust
JWT_ACCESS_SECRET=your_access_secret_here
JWT_REFRESH_SECRET=your_refresh_secret_here
PORT=3000
npm startThen open http://localhost:3000 in your browser.
The portal supports four separate enterprise environments, each with its own role hierarchy:
| Domain | Example Roles |
|---|---|
| University | Student, Faculty, HOD, Examiner, Admin |
| Hospital | Patient, Nurse, Doctor/Surgeon, Lab Technician, Admin |
| Corporate | Employee, Team Manager, HR Manager, Finance Officer, IT Admin |
| Banking | Customer, Bank Teller, Branch Manager, Loan Officer, Admin |
- Real SMS/Email OTP delivery (Twilio/SendGrid)
- FIDO2/WebAuthn biometric step-up authentication
- ML-based adaptive risk scoring
- Blockchain-backed tamper-evident audit logs
- SSO integration (SAML/OAuth 2.0)