When building HealthTech products like MigrainePulse, one of the biggest challenges is ensuring absolute security and privacy of sensitive user data. Migraine attack history, medications taken, health records, and lifestyle details – all of this is highly personal information.
From day one, our philosophy was simple: user data belongs only to them. To ensure this, we implemented an advanced symmetric key encryption system ( angl. Symmetric Key Encryption) in the MigrainePulse architecture, which works together with isolated microservice solutions (Cloudflare Workers).
In this article, we invite you to take a technical look under the hood and learn how our protection mechanisms work.
Why Standard Solutions Are Not Enough?
Most applications today use encryption during data transmission (TLS/SSL) and encryption at rest (encrypted databases). However, if the entire system (database and main server holding encryption keys) is compromised at the same time, the data can become exposed.
To avoid this, we separated the actual data from the keys needed to decrypt it in the MigrainePulse system.
Architecture Foundation: SymmetricKeyService
In our backend system (using a NestJS monolith), a special SymmetricKeyService module manages encryption and decryption of sensitive data.
How does it work in practice?
Single Key Principle: Symmetric encryption means the same unique key is used to both encrypt and decrypt data. Each user has a unique key assigned to them, which even we do not have in our main database.
Payload Encryption: When a user saves a new health record (e.g., adds a new migraine attack), the data reaches our server.
SymmetricKeyServicetakes this sensitive payload, encrypts it using an advanced algorithm (e.g.,AES-256-GCM), and only then saves it to the database. Only a meaningless string of characters is stored in the database.User Identification: User session and data access are tightly tied to JWT (
JSON Web Tokens) and Supabase authentication. The user verifies their identity, and the encryption key belonging to them is only provided upon verified login.
Additional Defense Layer: Cloudflare Worker
A natural question arises – where are the encryption keys stored if not in the main database?
Here we called upon Cloudflare Workers technology.
In our architecture, encryption keys are managed through a completely isolated, Edge network infrastructure. The solution described in doc/backend/cloudflare-worker.md ensures that the main API server and database never store the keys themselves in long-term memory.
Integration Benefits:
Decentralization: Since keys are stored and managed in a separate cloud infrastructure (Cloudflare), a potential hacker would not suffice to compromise our main server. They would need to simultaneously overcome two completely different, mutually isolated systems.
Speed (Low Latency): Cloudflare Workers operate on a global Edge network (closest to the user), so requesting a key from them (for authorized decryption) adds only minimal delay while maintaining application performance.
Strict Access Control: The Worker is configured so that it only hands over keys upon receiving correctly signed and verified requests from our SymmetricKeyService, checking all CORS and IP restrictions.
Summary
MigrainePulse is not just a tool for tracking data. It is a secure space. By combining robust NestJS architecture (symmetric-key.service.ts) with the decentralization provided by Cloudflare Workers, we created a system where the user’s personal information remains locked even in the worst-case scenarios.
For us, “Security First” is not just a marketing slogan – it is the engineering foundation on which the entire MigrainePulse system is built. Because when we talk about health, there is no room for privacy compromises.
Do you have questions about our technical architecture? Join the discussion in the comments or try MigrainePulse yourself!