Security Overview

Fluxbase is built with security as a top priority. This page provides an overview of the security features and best practices implemented throughout the platform.

Security Architecture

Fluxbase implements multiple layers of security to protect your data and applications:

graph TD
    APP["**Application Layer**<br/>Authentication (JWT, OAuth, 2FA)<br/>Authorization (RLS, RBAC)<br/>Input Validation"]
    NET["**Network Layer**<br/>HTTPS/TLS Encryption<br/>CSRF Protection<br/>Security Headers<br/>Rate Limiting"]
    DB["**Database Layer**<br/>Row Level Security (RLS)<br/>Encrypted Connections<br/>Parameterized Queries<br/>Audit Logging"]

    APP --> NET --> DB

---

Core Security Features

1. Authentication & Authorization

JWT-Based Authentication

• Secure token-based authentication
• Short-lived access tokens (15 minutes default)
• Long-lived refresh tokens with rotation
• Token blacklisting on logout

Multi-Factor Authentication (2FA)

• TOTP (Time-based One-Time Password) support
• QR code generation for authenticator apps
• Backup codes for account recovery
• Configurable 2FA enforcement

OAuth 2.0 Integration

• Support for major providers (Google, GitHub, Facebook, etc.)
• Secure token exchange
• State parameter for CSRF protection
• Automatic account linking

Row Level Security (RLS)

• Database-level access control
• Automatic row filtering based on user context
• Policy-based permissions
• Multi-tenant data isolation

Learn more about RLS →

Multi-Tenant Security

Fluxbase uses database-per-tenant isolation with postgres_fdw and RLS. Each tenant’s FDW role has NOBYPASSRLS and app.current_tenant_id set, ensuring data isolation even through foreign tables. Per-tenant JWT secrets provide cryptographic isolation.

Learn more about Multi-Tenancy →

---

2. Network Security

TLS/HTTPS

• TLS 1.2+ required in production
• Automatic HTTPS redirect
• HSTS (HTTP Strict Transport Security) headers
• Secure cookie attributes

CSRF Protection

• Token-based CSRF protection
• Double-submit cookie pattern
• Automatic token generation
• SameSite cookie attributes

Learn more about CSRF Protection →

Security Headers

• Content Security Policy (CSP)
• X-Frame-Options (Clickjacking protection)
• X-Content-Type-Options (MIME sniffing protection)
• X-XSS-Protection
• Referrer-Policy
• Permissions-Policy

Learn more about Security Headers →

Rate Limiting

• IP-based rate limiting
• User-based rate limiting
• API key-based rate limiting
• Configurable limits per endpoint

Learn more about Rate Limiting →

---

3. Data Security

Encryption at Rest

• Database encryption (PostgreSQL native encryption)
• File storage encryption
• Secrets management with environment variables
• Password hashing with bcrypt (cost factor 10)

Encryption in Transit

• TLS for all API communications
• Secure WebSocket connections (WSS)
• Encrypted database connections
• HTTPS-only cookies

Data Isolation

• Row Level Security for multi-tenancy
• Schema-based isolation options
• Organization/team-based access control
• User-level data separation

---

4. Input Validation & Sanitization

SQL Injection Prevention

• Parameterized queries throughout
• No string concatenation in SQL
• Input validation at API level
• PostgreSQL prepared statements

XSS Prevention

• Content Security Policy headers
• Output encoding
• Safe HTML rendering
• React/Vue automatic escaping

Command Injection Prevention

• No shell command execution with user input
• Validation of file paths
• Allowlist-based validation
• Secure file upload handling

---

Security Best Practices

For Developers

1. Use Environment Variables for Secrets

# ✅ GOOD: Use environment variables
database:
  host: ${DB_HOST}
  password: ${DB_PASSWORD}

auth:
  jwt_secret: ${JWT_SECRET}

# ❌ BAD: Don't hardcode secrets
database:
  host: "db.example.com"
  password: "my-password-123"

auth:
  jwt_secret: "my-secret-key-123"

2. Enable HTTPS in Production

TLS is not built into Fluxbase. Use a reverse proxy (nginx, Caddy, Traefik) for HTTPS.

3. Configure Strong Password Policies

auth:
  password_min_length: 12

4. Enable Row Level Security

-- Always enable RLS on tables with user data
ALTER TABLE public.my_table ENABLE ROW LEVEL SECURITY;
ALTER TABLE public.my_table FORCE ROW LEVEL SECURITY;

CREATE POLICY user_isolation ON public.my_table
  FOR ALL
  USING (user_id = auth.uid());

5. Implement Rate Limiting

security:
  enable_global_rate_limit: true

6. Use client keys Securely

// ✅ GOOD: Store client keys in environment variables
const apiKey = process.env.FLUXBASE_CLIENT_KEY;

// ❌ BAD: Don't commit client keys to source control
const apiKey = "fb_live_abc123def456";

7. Validate All User Input

// ✅ GOOD: Validate and sanitize
const email = validator.normalizeEmail(req.body.email);
const age = parseInt(req.body.age, 10);

if (!validator.isEmail(email)) {
  throw new Error("Invalid email");
}

if (isNaN(age) || age < 0 || age > 150) {
  throw new Error("Invalid age");
}

8. Implement Proper Error Handling

// ✅ GOOD: Generic error messages
try {
  await client.auth.signIn({ email, password });
} catch (error) {
  // Don't reveal whether user exists
  throw new Error("Invalid email or password");
}

// ❌ BAD: Reveals too much information
try {
  await client.auth.signIn({ email, password });
} catch (error) {
  if (error.message === "User not found") {
    throw new Error("No account with that email");
  }
  throw new Error("Incorrect password");
}

---

For System Administrators

1. Regular Security Updates

# Update Fluxbase regularly
docker pull fluxbase/fluxbase:latest

# Update PostgreSQL
apt-get update && apt-get upgrade postgresql

2. Configure Firewall Rules

# Allow HTTPS traffic
ufw allow 443/tcp

# Allow PostgreSQL from specific IPs only
ufw allow from 10.0.0.0/8 to any port 5432

# Enable firewall
ufw enable

3. Implement Backup Strategy

# Daily PostgreSQL backups
0 2 * * * pg_dump -U postgres fluxbase > /backups/fluxbase-$(date +\%Y\%m\%d).sql

# Weekly full backups
0 3 * * 0 tar -czf /backups/fluxbase-full-$(date +\%Y\%m\%d).tar.gz /var/lib/fluxbase

4. Use Secrets Management

# Use Docker secrets
echo "my-jwt-secret" | docker secret create jwt_secret -

# Use Kubernetes secrets
kubectl create secret generic fluxbase-secrets \
  --from-literal=jwt-secret=my-jwt-secret \
  --from-literal=database-url=postgres://...

5. Restrict Database Access

-- Create read-only user for reporting
CREATE USER readonly_user WITH PASSWORD 'secure_password';
GRANT CONNECT ON DATABASE fluxbase TO readonly_user;
GRANT SELECT ON ALL TABLES IN SCHEMA public TO readonly_user;

-- Revoke dangerous permissions
REVOKE CREATE ON SCHEMA public FROM PUBLIC;
REVOKE ALL ON SCHEMA pg_catalog FROM PUBLIC;

---

Security Checklist

Pre-Deployment

• Environment variables configured for all secrets
• HTTPS/TLS certificates obtained and configured
• Strong JWT secret generated (min 32 characters)
• Database user has minimal required permissions
• RLS policies reviewed and tested
• Tenant isolation verified (if using multi-tenancy)
• Per-tenant JWT secrets configured (if using multi-tenancy)
• Rate limiting configured
• CORS settings reviewed
• Security headers configured
• Input validation implemented
• Error handling doesn’t leak sensitive information

Post-Deployment

• Security headers verified (use securityheaders.com)
• SSL/TLS configuration tested (use ssllabs.com)
• Penetration testing completed
• Dependency vulnerabilities scanned (npm audit, snyk)
• Access logs monitored
• Backup strategy implemented
• Incident response plan documented
• Security updates subscribed to

---

Compliance

GDPR (General Data Protection Regulation)

Fluxbase provides features to help with GDPR compliance:

• Right to Access: Users can download their data via API
• Right to Erasure: Delete user data with cascading deletes
• Data Portability: Export user data in JSON format
• Consent Management: Track user consents in metadata
• Audit Logging: Log all data access and modifications

HIPAA (Health Insurance Portability and Accountability Act)

For HIPAA compliance, additional configuration is required:

• Enable audit logging for all PHI access
• Implement BAA (Business Associate Agreement)
• Use encryption at rest and in transit
• Implement access controls and RLS
• Regular security assessments
• Incident response procedures

SOC 2

Fluxbase supports SOC 2 compliance with:

• Access controls (RBAC, RLS)
• Audit logging
• Encryption standards
• Change management
• Incident response
• Regular security monitoring

---

Reporting Security Issues

If you discover a security vulnerability in Fluxbase, please report it responsibly:

Security Contact

• Email: security@fluxbase.io
• GitHub: Create a private security advisory

What to Include

1. Description of the vulnerability
2. Steps to reproduce
3. Affected versions
4. Potential impact
5. Suggested fix (if any)

Response Timeline

• 24 hours: Initial acknowledgment
• 48 hours: Preliminary assessment
• 7 days: Detailed response and timeline
• 30 days: Fix release (for critical issues)

---

Security Resources

Internal Documentation

• Authentication Guide
• Multi-Tenancy Guide
• Row Level Security Guide
• Rate Limiting Guide
• CSRF Protection
• Security Headers
• Best Practices

External Resources

• OWASP Top 10
• PostgreSQL Security
• JWT Best Practices
• OAuth 2.0 Security

---

Security Updates

Subscribe to security updates:

• GitHub: Watch the Fluxbase repository
• Email: Subscribe to the security mailing list
• RSS: Security advisories feed

---

Summary

Fluxbase implements defense-in-depth security with multiple layers of protection:

• ✅ Authentication: JWT, OAuth, 2FA
• ✅ Authorization: RLS, RBAC, policies
• ✅ Network Security: HTTPS, CSRF, security headers
• ✅ Data Security: Encryption, isolation, access control
• ✅ Input Validation: SQL injection, XSS, command injection prevention
• ✅ Monitoring: Audit logs, rate limiting, alerts

Follow the security best practices and keep your instance updated to maintain a strong security posture.