Cloudcore

Security

Cloudcore is built with enterprise-grade security from the ground up. Here's what protects your data.

Cryptography

  • Password hashing: PBKDF2-SHA512, 210,000 iterations (OWASP 2023 minimum)
  • Session tokens: SHA-256 hashed before DB storage. Client holds the raw token, DB never sees it.
  • Timing-safe comparisons: All authentication checks use constant-time comparison to prevent timing attacks
  • Timing-safe delays: Failed auth attempts have normalized response times to prevent user enumeration

HTTP Security Headers

Header                     Value
Strict-Transport-Security  max-age=31536000; includeSubDomains; preload
Content-Security-Policy    Strict — default-src 'self', no eval
X-Frame-Options            DENY
X-Content-Type-Options     nosniff
Referrer-Policy            strict-origin-when-cross-origin
Permissions-Policy         Camera, mic, geolocation disabled

CSRF Protection

Three layers of defense:

  1. Custom header: All state-changing requests require X-CloudCore-Request: 1. Browsers cannot send custom headers cross-origin without CORS preflight.
  2. Origin validation: Origin/Referer headers checked against ALLOWED_ORIGINS whitelist.
  3. SameSite cookies: Session cookies use SameSite=Strict.
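The two request-time layers above (custom header, then Origin/Referer against ALLOWED_ORIGINS), written out as an added, framework-agnostic check that is not Cloudcore's own code. The `checkCsrf` name, the plain-object header shape and the assumption that ALLOWED_ORIGINS is an array of origin strings are mine; layer 3 is a cookie attribute and is not shown.

```javascript
const SAFE_METHODS = new Set(['GET', 'HEAD', 'OPTIONS']);

// Normalise an allow-list entry or a header value to a bare origin string such
// as "https://app.example.com"; returns null for anything that does not parse
// (including the literal "null" that browsers send for opaque origins).
function toOrigin(value) {
  if (typeof value !== 'string' || value === '') return null;
  try {
    return new URL(value).origin;
  } catch {
    return null;
  }
}

// headers: plain object keyed by lowercase header name (assumed shape).
// allowedOrigins: the ALLOWED_ORIGINS whitelist as an array of origin strings.
function checkCsrf(method, headers, allowedOrigins) {
  if (SAFE_METHODS.has(method.toUpperCase())) {
    return { ok: true, reason: 'safe method' };
  }

  // Layer 1: the custom header. A foreign page cannot attach it without a CORS
  // preflight, which only succeeds if the server's CORS policy allows that origin.
  if (headers['x-cloudcore-request'] !== '1') {
    return { ok: false, reason: 'missing X-CloudCore-Request: 1 header' };
  }

  // Layer 2: Origin is authoritative when present (a present but unparsable or
  // "null" Origin is rejected, not skipped); fall back to Referer only when the
  // browser sent no Origin at all. Fail closed when neither is usable.
  const candidate = headers['origin'] !== undefined
    ? toOrigin(headers['origin'])
    : toOrigin(headers['referer']);
  if (candidate === null) {
    return { ok: false, reason: 'no usable Origin or Referer header' };
  }
  const allowed = new Set(allowedOrigins.map(toOrigin).filter((o) => o !== null));
  if (!allowed.has(candidate)) {
    return { ok: false, reason: `origin ${candidate} is not in ALLOWED_ORIGINS` };
  }
  return { ok: true, reason: 'origin allowed' };
}
```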

Rate Limiting

  • Every endpoint has rate limiting (IP-based)
  • Login: exponential backoff (5 fails = 30s lockout, escalating to 1hr)
  • Passkey operations: per-user rate limits
  • Magic links: per-email rate limits
  • Public endpoints: 30–60 req/min per IP

Input Validation

  • All inputs validated with Zod schemas
  • Size limits on all fields (blocks, arrays, strings)
  • 10MB global request body limit
  • SQL identifiers validated with strict regex patterns

File Upload Security

  • MIME type whitelist (images, video, audio, PDF only)
  • Magic byte validation (file content must match declared type)
  • SVG sanitization (removes script, style, event handlers, javascript: URLs)
  • Filenames sanitized (prevents path traversal)
  • File extensions derived from MIME type, not user input
  • Strict CSP on served media files

Audit Logging

Every security-critical action is logged with user ID, IP address, and user-agent. Sensitive fields (passwords, tokens) are automatically redacted. Admins can view the audit log from the dashboard.

Dependencies

Zero npm audit vulnerabilities. All dependencies are kept up to date. The CMS uses only 4 production dependencies: Hono, Drizzle ORM, Zod, and @hono/zod-validator.