Back to portal

Odle Legal

Security Overview

How the client portal protects account and matter information

Account protection

The portal stores passwords using one-way password hashing and requires a minimum password length of 12 characters. Session cookies are HTTP-only, same-site, and marked secure when the portal is deployed over HTTPS or in production mode.

Access controls

Client accounts are limited to their own matters. Attorney and staff features require attorney or staff permissions. Documents, invoices, receipts, payment proofs, messages, and matter records are checked before being shown or downloaded.

Protected files

Database files, storage folders, scripts, backups, and configuration-style files are not served directly as public website files. Documents are accessed through permission-checked download and preview routes instead of direct storage URLs.

Monitoring and audit records

The portal records important events such as logins, failed logins, password reset requests, document access, uploads, client intake, consent acceptance, account changes, and attorney/admin actions. These records help investigate account issues and support responsible matter administration.

Request protection

The portal uses rate limiting for login, registration, consultation, and password reset endpoints. It also rejects write requests with unexpected cross-site origins, applies security headers, blocks framing, limits browser permissions, and marks API responses as no-store.

Production requirements

The portal should be published only over HTTPS, with secrets stored in the hosting provider's secure environment settings, Titan SMTP or another approved email service configured, regular encrypted backups, private document storage, and monitoring for failed logins and unusual document activity.

Client safety

Clients should use a unique password, keep devices updated, avoid shared computers for portal access, sign out after use, and report unexpected password reset notices, unknown document activity, suspicious messages, or lost device access immediately.

Limitations

No internet-connected system can eliminate all risk. Security depends on the portal, hosting provider, office procedures, client devices, passwords, email accounts, and network conditions working together responsibly.