Weekly Update

Week in Review: Security Hardening, Public API & Compliance Index

December 29, 2024 CityCycle Team

This week was all about hardening the platform. We completed a comprehensive security audit, launched our public API, and shipped the SB 1383 Compliance Index—a free tool for California jurisdictions to check their enforcement status.

Security Hardening (SOC 2 Prep)

We conducted a thorough security audit and implemented dozens of fixes:

  • Rate Limiting - Rack::Attack now protects all public endpoints from abuse
  • Content Security Policy - CSP headers enforced with clickjacking protection
  • Encrypted Credentials - API keys and sensitive credentials now use Active Record Encryption at rest
  • Session Security - Admin sessions hardened with secure cookie settings
  • Password Requirements - Minimum 12 characters for SOC 2 compliance
  • Signature Verification - SMS webhook requests are now cryptographically verified
  • Security.txt - Published vulnerability disclosure policy per RFC 9116
  • External Scanning - Added quarterly vulnerability scanning via pentest-tools.com

We also added 800+ lines of test coverage for security-critical code paths, including authorization checks, idempotency handling, and webhook verification.
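Webhook signature verification of the kind the bullet list above mentions, shown as an added Ruby example that is not CityCycle's code: it assumes a hypothetical SMS provider that signs each callback with HMAC-SHA256 over a timestamp and the raw body and sends the result in X-Webhook-Timestamp and X-Webhook-Signature headers (the real provider's scheme and header names are not given on this page). The check rejects missing, stale and tampered requests and compares signatures in constant time.

```ruby
require 'openssl'

# Assumed signing scheme for illustration only (not the page's SMS provider):
#   X-Webhook-Timestamp: Unix seconds at which the provider signed the request
#   X-Webhook-Signature: hex(HMAC-SHA256(secret, "#{timestamp}.#{raw_body}"))
# The timestamp is covered by the MAC, so a captured request cannot be re-sent
# later with a fresh timestamp, and the tolerance window bounds replay attempts.
TOLERANCE_SECONDS = 300

def compute_signature(secret, timestamp, raw_body)
  OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new('SHA256'), secret, "#{timestamp}.#{raw_body}")
end

# Constant-time comparison: the runtime does not depend on how many leading
# bytes agree, so a caller cannot learn the expected signature byte by byte.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Returns :ok, :missing, :stale or :mismatch. Verify the *raw* request body,
# before any JSON parsing: re-serialised JSON may not match what was signed.
def verify_webhook(secret, headers, raw_body, now: Time.now.to_i)
  timestamp = headers['X-Webhook-Timestamp']
  signature = headers['X-Webhook-Signature']
  return :missing if timestamp.nil? || signature.nil?
  return :stale unless timestamp.match?(/\A\d+\z/) && (now - timestamp.to_i).abs <= TOLERANCE_SECONDS
  expected = compute_signature(secret, timestamp, raw_body)
  secure_equal?(expected, signature.downcase) ? :ok : :mismatch
end

# Constructed sample delivery-status callback (not real provider data).
SAMPLE_SECRET = 'constructed-webhook-secret'
SAMPLE_BODY   = '{"message_id":"msg-constructed-001","status":"delivered"}'

if __FILE__ == $PROGRAM_NAME
  now  = Time.now.to_i
  ts   = now.to_s
  good = { 'X-Webhook-Timestamp' => ts,
           'X-Webhook-Signature' => compute_signature(SAMPLE_SECRET, ts, SAMPLE_BODY) }
  puts "valid request:  #{verify_webhook(SAMPLE_SECRET, good, SAMPLE_BODY, now: now)}"
  puts "tampered body:  #{verify_webhook(SAMPLE_SECRET, good, SAMPLE_BODY + ' ', now: now)}"
  puts "replayed later: #{verify_webhook(SAMPLE_SECRET, good, SAMPLE_BODY, now: now + 3600)}"
end
```

Rejected requests should be logged with the failure reason and rate-limited like any other public endpoint, since a stream of :mismatch results is a useful signal that someone is probing the callback URL.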

Public REST API & Webhooks

The new Public API gives haulers and integrators programmatic access to CityCycle:

  • Full CRUD Operations - Create, read, update sites, outreach logs, violations, and more
  • API Key Authentication - Scoped permissions (read-only, read-write, export-only)
  • Webhooks - Get notified when records change via configurable webhooks
  • Streaming Exports - Large CSV exports now stream to avoid memory issues

API keys are managed in Settings, with usage tracking and revocation controls.

SB 1383 Compliance Index

We launched a free public tool at citycycle.app/compliance:

  • 630+ Jurisdictions - Every California city, county, and special district
  • Risk Scoring - Interpretive scores based on CalRecycle enforcement signals
  • Oversight Briefs - Individual pages for each jurisdiction showing enforcement history
  • Weekly Updates - Automated scraping keeps data current

This is designed to help jurisdictions understand where they stand before CalRecycle comes knocking.

Automated Outreach

Two critical background jobs are now fully operational:

  • SMS Delivery - Workflow-triggered text messages to site contacts
  • Physical Letters - Automated letter printing and USPS mailing

These power the automation workflows we shipped last week, enabling true multi-channel enforcement escalation.

Bug Fixes & Polish

  • Fixed hauler invitation emails being sent multiple times
  • GIS point-in-polygon now works correctly for service zone lookups
  • CSV exports stream properly for large datasets (no more timeouts)
  • Module-level authorization checks added to all CityCycle controllers

Questions or feedback? Contact us or schedule a demo call.