This document outlines the backend architecture for VaultScan, a security intelligence platform.
For the hackathon, we implemented a simplified local architecture for speed:
```
┌─────────────────┐     ┌─────────────────┐     ┌─────────────────┐
│ React Frontend  │────▶│  Node.js + WS   │────▶│  External APIs  │
│     (Vite)      │◀────│    (Fastify)    │◀────│  (GSB, Abuse)   │
└─────────────────┘     └─────────────────┘     └─────────────────┘
                                 │
                                 ▼
                        ┌─────────────────┐
                        │  Gemini AI API  │
                        │ (Chat Support)  │
                        └─────────────────┘
```
What we built:
- Fastify server with Socket.io for real-time progress
- 13 security checks (SSL, headers, vulnerabilities, etc.)
- Direct API calls to Google Safe Browsing, AbuseIPDB
- Gemini AI chatbot for security Q&A
Limitations:
- No true sandbox isolation
- Scans run on the same server (not containerized)
- Not horizontally scalable
For production, the recommended architecture uses AWS infrastructure for true isolation and scalability:
```mermaid
graph TD
    subgraph "User"
        FE[React Frontend]
    end
    subgraph "AWS - Orchestration"
        API[API Gateway + Lambda]
        SQS[SQS Queue]
        WS[WebSocket API]
    end
    subgraph "AWS - Sandbox Workers"
        FARGATE[Fargate Task]
        PLAYWRIGHT[Playwright Container]
    end
    subgraph "External APIs"
        GSB[Google Safe Browsing]
        ABUSE[AbuseIPDB]
        LLM[Gemini AI]
    end
    FE -->|WebSocket| WS
    FE -->|HTTPS| API
    API -->|Enqueue| SQS
    SQS -->|Trigger| FARGATE
    FARGATE --> PLAYWRIGHT
    PLAYWRIGHT --> GSB
    PLAYWRIGHT --> ABUSE
    FARGATE -->|Results| WS
    WS -->|Real-time| FE
```
| Aspect | Option B (Current) | Option A (Ideal) |
|---|---|---|
| Isolation | None | Full container isolation |
| Scalability | Single server | Auto-scaling Fargate tasks |
| Security | Runs in same process | Ephemeral containers per scan |
| Cost | Fixed server cost | Pay per scan |
| Reliability | Single point of failure | Distributed, fault-tolerant |
- API Gateway + Lambda - Handles authentication, rate limiting
- SQS Queue - Buffers scan requests, handles backpressure
- Fargate Tasks - Ephemeral containers with Playwright for URL detonation
- WebSocket API - Real-time progress updates to frontend
- Secrets Manager - Secure API key storage
To migrate from hackathon to production:
- Containerize the scanner

  ```dockerfile
  FROM mcr.microsoft.com/playwright:v1.40.0
  # Install and run from /app so scan.js and node_modules resolve
  WORKDIR /app
  COPY ./scanner /app
  RUN npm install
  CMD ["node", "scan.js"]
  ```

- Add SQS integration
  - Replace Socket.io events with SQS messages
  - Fargate tasks poll the queue

- Deploy with CDK

  ```bash
  cd infra
  cdk deploy VaultScanStack
  ```

- Add authentication
  - Cognito for user auth
  - API keys for rate limiting
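
The worker side of the SQS step above, as an added example (not VaultScan's own code): each queued job is validated before the scanner touches it, malformed jobs are dropped, and a message is deleted only after its results have been published. The job fields (`scanId`, `url`), the `http`/`https` allow-list, and the injected `queue`, `runScan` and `publish` interfaces are assumptions.

```javascript
// Added example. The job fields and the queue/runScan/publish interfaces are
// assumptions for illustration, not VaultScan's actual code.
const ALLOWED_SCHEMES = new Set(["http:", "https:"]);
const reject = (reason) => ({ ok: false, reason });

// Validate a queue message body before the worker opens anything.
function parseScanJob(body) {
  let data, target;
  try {
    data = JSON.parse(body);
  } catch {
    return reject("invalid-json");
  }
  if (data === null || typeof data !== "object") return reject("not-an-object");
  const { scanId, url } = data;
  if (typeof scanId !== "string" || !/^[A-Za-z0-9-]{1,64}$/.test(scanId)) {
    return reject("bad-scan-id");
  }
  if (typeof url !== "string" || url.length > 2048) return reject("bad-url");
  try {
    target = new URL(url);
  } catch {
    return reject("bad-url");
  }
  if (!ALLOWED_SCHEMES.has(target.protocol)) return reject("scheme-not-allowed");
  return { ok: true, job: { scanId, url: target.href } };
}

// One poll iteration; queue, runScan and publish are injected (assumed) interfaces.
async function pollOnce(queue, runScan, publish) {
  const outcomes = [];
  for (const msg of await queue.receive()) {
    const parsed = parseScanJob(msg.body);
    let status = "rejected";
    try {
      if (parsed.ok) {
        const { scanId } = parsed.job;
        await publish({ scanId, stage: "started" }); // replaces the Socket.io emit
        await publish({ scanId, stage: "done", result: await runScan(parsed.job) });
        status = "completed";
      }
      await queue.delete(msg.handle); // malformed or finished: never redelivered
    } catch {
      status = "retry"; // leave the message in place; the queue redelivers it
    }
    outcomes.push({ handle: msg.handle, status, reason: parsed.reason });
  }
  return outcomes;
}
```

In a Fargate task, `queue.receive` and `queue.delete` would wrap the SQS receive and delete calls, and `publish` would send to the WebSocket API.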
Hackathon stack:

| Layer | Technology |
|---|---|
| Frontend | React + Vite + TypeScript |
| Backend | Node.js + Fastify + Socket.io |
| AI | Google Gemini API |
| Threat Intel | Google Safe Browsing, AbuseIPDB |
| Build | TypeScript, ESM modules |

Production stack:

| Layer | Technology |
|---|---|
| Frontend | React + CloudFront CDN |
| API | AWS API Gateway + Lambda |
| Queue | AWS SQS |
| Workers | AWS Fargate + Playwright |
| AI | Vertex AI / Gemini |
| Storage | DynamoDB (scan history) |
| Secrets | AWS Secrets Manager |
| IaC | AWS CDK (TypeScript) |