Odle Legal
Security Overview
How the client portal protects account and matter informationAccount protection
The portal stores passwords using one-way password hashing and requires a minimum password length of 12 characters. Session cookies are HTTP-only, same-site, and marked secure when the portal is deployed over HTTPS or in production mode.
Access controls
Client accounts are limited to their own matters. Attorney and staff features require attorney or staff permissions. Documents, invoices, receipts, payment proofs, messages, and matter records are checked before being shown or downloaded.
Protected files
Database files, storage folders, scripts, backups, and configuration-style files are not served directly as public website files. Documents are accessed through permission-checked download and preview routes instead of direct storage URLs.
Monitoring and audit records
The portal records important events such as logins, failed logins, password reset requests, document access, uploads, client intake, consent acceptance, account changes, and attorney/admin actions. These records help investigate account issues and support responsible matter administration.
Request protection
The portal uses rate limiting for login, registration, consultation, and password reset endpoints. It also rejects write requests with unexpected cross-site origins, applies security headers, blocks framing, limits browser permissions, and marks API responses as no-store.
Production requirements
The portal should be published only over HTTPS, with secrets stored in the hosting provider's secure environment settings, Titan SMTP or another approved email service configured, regular encrypted backups, private document storage, and monitoring for failed logins and unusual document activity.
Client safety
Clients should use a unique password, keep devices updated, avoid shared computers for portal access, sign out after use, and report unexpected password reset notices, unknown document activity, suspicious messages, or lost device access immediately.
Limitations
No internet-connected system can eliminate all risk. Security depends on the portal, hosting provider, office procedures, client devices, passwords, email accounts, and network conditions working together responsibly.