Secure Code Review & Hardening — Self-Hosted Clinical Web App (Node/TS, PostgreSQL, React)

Posted 7 hours ago

Worldwide

Summary

We're building a self-hosted clinical LIMS (laboratory information management system) for UK labs. It's a real product going live with paying customers — each install runs on its own Linux box, and patient data stays resident on that box and never leaves it. Getting the security right is non-negotiable before it's trusted with real clinical data. We're looking for an expert secure-code reviewer to go through the codebase and tell us, precisely and honestly, where it can be tightened.

What we want reviewed:
  • Injection across the board (SQL and otherwise) — the backend uses parameterised queries and an ORM, but we want the edges checked
  • Authentication and session handling
  • Authorisation / role-based access control
  • Cryptography usage — at-rest and in-transit, key handling, IV/nonce discipline
  • A hand-written expression evaluator behind a clinical calculation engine (small grammar, deliberately not a third-party library — we want it torn into)
  • The signed auto-update channel (GPG-signed artefacts pulled from a separate host)
  • Dependency and supply-chain risk
  • Secrets handling, error handling and logging (we must never leak patient data into logs or outbound errors)
  • TCP listeners that talk to lab analysers over a legacy protocol

Stack: Node.js 24, TypeScript 5, Express 5, PostgreSQL 18 (Drizzle ORM), React 19 / Vite; Ubuntu 24.04, Caddy, systemd; Tailscale for remote access.

Already in place (stress-test it, don't take it on trust): RBAC + mandatory MFA/TOTP, an append-only audit hash-chain, a GPG-signed update client, AES-256-GCM encryption, pgcrypto.
Deliverables:
  • Findings ranked by severity — each with description, impact, and concrete remediation, not raw scanner output
  • A short call to walk us through the high/critical items
  • A retest pass after we apply fixes, to confirm they hold

How it works:
  • Read-only access to the private GitHub repo, provided after a signed NDA
  • The codebase contains no real patient data — test fixtures and de-identified data only
  • Fully remote, hourly, part-time — no fixed weekly commitment

You are: an experienced application-security specialist who reads source for a living, comfortable across Node/TypeScript and PostgreSQL, ideally with exposure to healthcare or other regulated/data-sensitive systems. Certifications (OSCP or similar) welcome, but demonstrated code-review work matters more.

In your proposal: a brief note on comparable secure-code reviews you've done, and a redacted sample report if you have one.
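One of the "already in place" items the posting asks a reviewer to stress-test is the append-only audit hash-chain. The check a reviewer would run first is whether the chain's link value is keyed: an unkeyed SHA-256 chain detects corruption and casual edits, but an attacker with UPDATE on the audit table can alter one row and recompute every link after it, and the chain verifies clean. The TypeScript below is an added illustration written for this page, not code from the product or from the posting; the row shape, the JSON canonicalisation, the linker functions and the demo key are all assumptions made for the example.

```typescript
import { createHash, createHmac } from "node:crypto";

// Hypothetical audit-row shape for this illustration; the real LIMS schema is not on the page.
interface AuditEntry {
  seq: number;      // position in the log, starting at 0
  actor: string;    // user or service that performed the action
  action: string;   // what was done (patient identifiers do not belong in here)
  prevHash: string; // link value of the previous entry, or GENESIS for the first one
  hash: string;     // link value over this entry, produced by a Linker
}

// A Linker turns an entry's fields plus the previous link into this entry's link value.
type Linker = (seq: number, actor: string, action: string, prevHash: string) => string;

const GENESIS = "0".repeat(64);

// Fixed field order with JSON framing: plain concatenation would let
// ("ab","c") and ("a","bc") produce the same input to the hash.
function canonical(seq: number, actor: string, action: string, prevHash: string): string {
  return JSON.stringify([seq, actor, action, prevHash]);
}

// Unkeyed link: anyone who can read the table can recompute it.
const sha256Link: Linker = (seq, actor, action, prevHash) =>
  createHash("sha256").update(canonical(seq, actor, action, prevHash)).digest("hex");

// Keyed link: recomputing it needs a key the database never holds.
function hmacLinker(key: Buffer): Linker {
  return (seq, actor, action, prevHash) =>
    createHmac("sha256", key).update(canonical(seq, actor, action, prevHash)).digest("hex");
}

function appendEntry(chain: AuditEntry[], actor: string, action: string, link: Linker): AuditEntry {
  const last = chain[chain.length - 1];
  const prevHash = last ? last.hash : GENESIS;
  const seq = chain.length;
  const entry: AuditEntry = { seq, actor, action, prevHash, hash: link(seq, actor, action, prevHash) };
  chain.push(entry);
  return entry;
}

// Walks from genesis and reports the first entry whose sequence, back-link or link value is wrong.
function verifyChain(chain: AuditEntry[], link: Linker): { ok: boolean; firstBad: number } {
  let prev = GENESIS;
  for (let i = 0; i < chain.length; i++) {
    const e = chain[i];
    if (e.seq !== i || e.prevHash !== prev || e.hash !== link(e.seq, e.actor, e.action, e.prevHash)) {
      return { ok: false, firstBad: i };
    }
    prev = e.hash;
  }
  return { ok: true, firstBad: -1 };
}

// What an attacker with write access to the audit table does: change one entry,
// then recompute every link from that point on with whatever linker they can run.
function rewriteAndRelink(chain: AuditEntry[], target: number, newAction: string, link: Linker): AuditEntry[] {
  const out: AuditEntry[] = [];
  for (const e of chain) {
    if (e.seq < target) { out.push({ ...e }); continue; }
    const last = out[out.length - 1];
    const prevHash = last ? last.hash : GENESIS;
    const action = e.seq === target ? newAction : e.action;
    out.push({ seq: e.seq, actor: e.actor, action, prevHash, hash: link(e.seq, e.actor, action, prevHash) });
  }
  return out;
}

function demo(): { editDetected: boolean; relinkedUnkeyedAccepted: boolean; relinkedKeyedRejected: boolean } {
  // Constructed sample events for the illustration; not real audit data.
  const events: [string, string][] = [
    ["lab.tech1", "CREATE specimen S-1042"],
    ["dr.jones", "VIEW result S-1042"],
    ["lab.tech1", "AMEND result S-1042"],
  ];

  const unkeyed: AuditEntry[] = [];
  for (const [actor, action] of events) appendEntry(unkeyed, actor, action, sha256Link);

  // 1. A naive in-place edit of entry 1 breaks its own link and is caught there.
  const edited = unkeyed.map((e) => (e.seq === 1 ? { ...e, action: "VIEW result S-9999" } : { ...e }));
  const r1 = verifyChain(edited, sha256Link);

  // 2. Edit plus recomputation of every later link: the unkeyed chain accepts the forgery.
  const relinked = rewriteAndRelink(unkeyed, 1, "VIEW result S-9999", sha256Link);
  const r2 = verifyChain(relinked, sha256Link);

  // 3. Same attack against an HMAC chain. Without the key the attacker can only
  //    relink with plain SHA-256, so entry 1 fails verification.
  const key = Buffer.from("demo-key-not-for-production"); // hypothetical; the real key stays off the DB host
  const keyedLink = hmacLinker(key);
  const keyed: AuditEntry[] = [];
  for (const [actor, action] of events) appendEntry(keyed, actor, action, keyedLink);
  const forged = rewriteAndRelink(keyed, 1, "VIEW result S-9999", sha256Link);
  const r3 = verifyChain(forged, keyedLink);

  return {
    editDetected: !r1.ok && r1.firstBad === 1,
    relinkedUnkeyedAccepted: r2.ok,
    relinkedKeyedRejected: !r3.ok && r3.firstBad === 1,
  };
}

console.log(demo());
```

Two caveats the example makes visible. First, keying the link only helps if the key is genuinely out of reach of whoever can write the table: a key stored in the same database, or readable by the same service account, buys nothing. Second, neither scheme detects truncation: deleting the last N rows leaves a perfectly valid shorter chain, so the current head hash (or at least the entry count) has to be recorded somewhere the database writer cannot touch.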

  • Hourly: less than 30 hrs/week
  • Duration: 1-3 months
  • Experience level: Expert
  • Remote job
  • Project type: ongoing project
Skills and Expertise
Mandatory skills
Web Application
TypeScript
About the client
Member since Jul 1, 2026
  • United Kingdom

