Security

BastionAuth is built with security as a core principle. Here's how we protect your users and data.

Authentication Security

Password Hashing

All passwords are hashed using Argon2id, the winner of the Password Hashing Competition. We use:

  • Memory cost: 64 MB
  • Time cost: 3 iterations
  • Parallelism: 4 threads

Breached Password Detection

BastionAuth checks passwords against the HaveIBeenPwned database using k-anonymity: only the first five characters of the password's SHA-1 hash are sent to the service, and the comparison against the returned hash suffixes happens locally, so your users are kept from choosing compromised passwords without their actual passwords (or full hashes) ever being exposed.
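As an added illustration (not BastionAuth's own code), the k-anonymity exchange described above in Python: only the five-character SHA-1 prefix would leave the server, and the suffix match happens locally. The range response here is a constructed stand-in for the HaveIBeenPwned range API so the example runs offline; the counts and decoy suffixes are made up.

```python
import hashlib
from typing import Callable

# Constructed range response for prefix 5BAA6 (the SHA-1 prefix of "password").
# A real client would fetch https://api.pwnedpasswords.com/range/<prefix>;
# this table stands in for that call so nothing leaves the machine. Counts are made up.
CONSTRUCTED_RANGES = {
    "5BAA6": "\n".join([
        "003D68EB55068C33ACE09247EE4C639306B:3",
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:1234567",  # suffix of SHA-1("password")
        "A4A9C3B2F5E6D7C8B9A0F1E2D3C4B5A6978:0",        # zero-count padding entry
    ]),
}


def offline_fetch_range(prefix: str) -> str:
    """Stand-in for the HTTP range lookup; returns the constructed body or nothing."""
    return CONSTRUCTED_RANGES.get(prefix, "")


def split_hash(password: str) -> tuple[str, str]:
    """SHA-1 the password; the 5-char prefix is sent, the 35-char suffix stays local."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range(body: str) -> dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines; padding entries carry a count of 0."""
    counts: dict[str, int] = {}
    for line in body.splitlines():
        suffix, sep, count = line.strip().partition(":")
        if sep and count.isdigit():
            counts[suffix.upper()] = int(count)
    return counts


def breach_count(password: str, fetch_range: Callable[[str], str] = offline_fetch_range) -> int:
    """How many times the password appears in known breaches; 0 means not in the range."""
    prefix, suffix = split_hash(password)
    return parse_range(fetch_range(prefix)).get(suffix, 0)


if __name__ == "__main__":
    for candidate in ("password", "correct horse battery staple"):
        n = breach_count(candidate)
        print(f"{candidate!r}: {'seen %d times, reject' % n if n else 'not found, accept'}")
```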

JWT Security

  • RS256 asymmetric signatures (4096-bit RSA keys)
  • Short-lived access tokens (15 minutes default)
  • Secure refresh token rotation
  • Token binding to prevent token theft

Data Protection

Encryption at Rest

Sensitive data is encrypted using AES-256-GCM before storage:

  • OAuth tokens
  • API keys
  • Backup codes
  • Session metadata

Database Security

  • All connections use TLS
  • Connection pooling with PgBouncer support
  • Row-level security where applicable
  • Automatic query parameterization (no SQL injection)

Session Security

Session Management

  • Secure, HttpOnly cookies
  • SameSite=Lax by default (configurable)
  • Session fingerprinting (user agent, IP)
  • Automatic session invalidation on suspicious activity

Multi-Factor Authentication

  • TOTP (Time-based One-Time Password)
  • Backup codes (10 single-use codes)
  • Replay attack protection
  • Rate-limited verification attempts

API Security

Rate Limiting

Configurable rate limits protect against:

  • Brute force attacks
  • Credential stuffing
  • API abuse

Default limits:

Endpoint        Rate Limit
Sign in         5/minute
Sign up         10/minute
Password reset  3/minute
API calls       100/minute

CSRF Protection

  • Double-submit cookie pattern
  • Origin verification
  • Custom header requirements

CORS Configuration

Strict CORS policies with configurable origins.

Infrastructure Security

Self-Hosted Benefits

When you self-host BastionAuth:

  • Complete data sovereignty - data never leaves your infrastructure
  • Network isolation - deploy within your VPC
  • Compliance ready - HIPAA, SOC2, FedRAMP compatible
  • No third-party access - you control all access

Container Security

  • Non-root user execution
  • Read-only filesystem where possible
  • Minimal base images
  • Regular security updates

Security Best Practices

For Production Deployments

  1. Use HTTPS everywhere - Never deploy without TLS
  2. Rotate keys regularly - JWT keys, encryption keys
  3. Enable MFA - Require for admin accounts
  4. Monitor logs - Set up alerting for suspicious activity
  5. Keep updated - Apply security patches promptly

Environment Variables

Never commit secrets to version control:

# Generate secure encryption key
openssl rand -hex 32
 
# Generate JWT keys
openssl genrsa -out private.pem 4096
openssl rsa -in private.pem -pubout -out public.pem

Vulnerability Reporting

Found a security vulnerability? Please report it responsibly:

  • Email: security@bastionauth.dev
  • Do not open public issues for security vulnerabilities
  • We aim to respond within 48 hours
  • We do not currently offer a bug bounty program

Security Audits

BastionAuth undergoes regular security reviews:

  • Third-party penetration testing (planned)
  • Automated dependency scanning (Dependabot)
  • Static code analysis
  • Container vulnerability scanning

Compliance

BastionAuth is designed to help you meet compliance requirements:

Standard  Status
GDPR      ✅ Compliant
HIPAA     ✅ Self-host ready
SOC 2     🔄 In progress
FedRAMP   ✅ Self-host ready

Note: Compliance depends on your deployment configuration and operational practices.