Security

Security is not a feature.
It's the foundation.

Every layer of Rabtly is designed with security as the starting point, not a checkbox. Here is exactly what we do and why.

WireGuard Transport

ChaCha20-Poly1305 authenticated encryption — 256-bit keys
Curve25519 Elliptic-Curve Diffie-Hellman key exchange
BLAKE2s for hashing, SipHash for hashtable keys
Minimal ~4,000-line codebase — smaller attack surface than any alternative
Formally verified cryptographic primitives (Noise protocol framework)

Zero Trust Model

No implicit trust between nodes — every packet is authenticated
ACL policy engine: each connection is evaluated against explicit rules
Nodes only see peers they are permitted to reach
JWT-authenticated dashboard — short-lived tokens, no session storage on server
Enrollment tokens required for node registration (configurable)

Key Management

WireGuard private keys are generated on the device and never transmitted
Only public keys are sent to the control plane
Dashboard passwords hashed with bcrypt (cost factor 12)
OAuth sign-in (Google, GitHub) — passwords never created or stored for OAuth users
JWT secrets are rotated on each server restart if not pinned via env var

Infrastructure Hardening

All traffic encrypted in transit via TLS 1.2+ (HTTPS and WireGuard)
PostgreSQL queries use parameterized statements throughout — no SQL injection surface
Rate limiting on all public endpoints (registration, heartbeat, login)
Audit log of every sensitive action: login, ACL change, node join/leave, member invite
Stripe webhook signatures verified — replay attacks rejected
Docker images built from minimal Alpine base with no shell in production

Responsible Disclosure

If you discover a security vulnerability in Rabtly, please report it privately before public disclosure. We aim to respond within 48 hours and resolve critical issues within 7 days. We are grateful for responsible researchers.