Hi all,
I’ve been thinking about the SASSA Status Checker system used by millions of South Africans to check the status of their social grant applications and I’m curious how you would approach designing something similar from scratch using modern web technologies as sassacheck.net.za.
The system seems straightforward on the surface. Users enter some basic personal info like ID number and phone number and get real-time updates on their application status. But when you consider the scale, sensitivity of the data, and need for security and privacy, it becomes a fascinating engineering challenge.
I’m interested in hearing how the community would tackle this. Here are some of the key aspects I’ve been considering and I’d love to get your thoughts:
1. Authentication and Data Privacy
The system collects personally identifiable information, so ensuring data privacy is critical. With only an ID number and phone number as user inputs, how would you prevent unauthorized access or data leaks?
Would you use multi-factor authentication? Generate one-time verification codes sent via SMS? Use token-based authentication with strict expiration? How would you balance ease of access with security especially for users who may not be tech-savvy?
2. Backend Architecture and Data Handling
Assuming the backend has to query a large centralized database with millions of grant applications, would you go for a RESTful API serving status requests with HTTPS for encryption? GraphQL for flexible, efficient querying? Or a serverless architecture like AWS Lambda or Azure Functions to automatically scale during peak usage?
Also, would you implement caching to reduce load on the database and if so, how would you ensure cached data doesn’t expose stale or sensitive info?
3. Rate Limiting and Bot Protection
During payout periods traffic can spike massively. To protect the system from abuse such as scraping and brute-force attempts, what measures would you build in?
Would you use IP-based rate limiting? CAPTCHAs or invisible bot detection? Request throttling and user behavior analytics?
4. Real-time Updates versus Batch Processing
Would you design the system to show real-time updates of application status or would it be more efficient to sync status changes in batches during off-peak hours?
How might you design notifications? Would you use webhooks, push notifications, or SMS alerts?
5. Compliance and Logging
Given the sensitive nature of data, how would you approach data logging and audit trails to comply with privacy laws like South Africa’s POPIA or even GDPR?
I see this as a great case study combining web development, security, and scalable system design with social impact. If anyone has experience working on government portals, social services apps, or secure public-facing APIs, I’d love to hear your insights or example architectures.
How would you build it? What technologies, frameworks, or patterns would you choose? And what pitfalls would you watch out for?
Looking forward to your ideas!
Best,
Takla
