Secure Code Review & Hardening — Self-Hosted Clinical Web App (Node/TS, PostgreSQL, React)
Worldwide
We're building a self-hosted clinical LIMS (laboratory information management system) for UK labs. It's a real product going live with paying customers — each install runs on its own Linux box, and patient data stays resident on that box and never leaves it. Getting the security right is non-negotiable before it's trusted with real clinical data. We're looking for an expert secure-code reviewer to go through the codebase and tell us, precisely and honestly, where it can be tightened.

What we want reviewed:
- Injection across the board (SQL and otherwise) — the backend uses parameterised queries and an ORM, but we want the edges checked
- Authentication and session handling
- Authorisation / role-based access control
- Cryptography usage — at-rest and in-transit, key handling, IV/nonce discipline
- A hand-written expression evaluator behind a clinical calculation engine (small grammar, deliberately not a third-party library — we want it torn into)
- The signed auto-update channel (GPG-signed artefacts pulled from a separate host)
- Dependency and supply-chain risk
- Secrets handling, error handling and logging (we must never leak patient data into logs or outbound errors)
- TCP listeners that talk to lab analysers over a legacy protocol

Stack: Node.js 24, TypeScript 5, Express 5, PostgreSQL 18 (Drizzle ORM), React 19 / Vite; Ubuntu 24.04, Caddy, systemd; Tailscale for remote access.

Already in place (stress-test it, don't take it on trust): RBAC + mandatory MFA/TOTP, an append-only audit hash-chain, a GPG-signed update client, AES-256-GCM encryption, pgcrypto.
Deliverables:
- Findings ranked by severity — each with description, impact, and concrete remediation, not raw scanner output
- A short call to walk us through the high/critical items
- A retest pass after we apply fixes, to confirm they hold

How it works:
- Read-only access to the private GitHub repo, provided after a signed NDA
- The codebase contains no real patient data — test fixtures and de-identified data only
- Fully remote, hourly, part-time — no fixed weekly commitment

You are: an experienced application-security specialist who reads source for a living, comfortable across Node/TypeScript and PostgreSQL, ideally with exposure to healthcare or other regulated/data-sensitive systems. Certifications (OSCP or similar) welcome, but demonstrated code-review work matters more.

In your proposal: a brief note on comparable secure-code reviews you've done, and a redacted sample report if you have one.
- Hourly: less than 30 hrs/week
- Duration: 1-3 months
- Experience level: Expert
- Remote job
- Project type: Ongoing project
About the client
- Location: United Kingdom (local time 12:45 AM)