Security
Orithos applies defense-in-depth: TLS 1.3 in transit and AES-256 at rest, bcrypt hashing of API keys and admin passwords, Fernet encryption of stored agent credentials, role-based access control, audit logging, and rate limiting.
Encryption & hashing
bcrypt hashing
API keys and admin passwords are hashed with bcrypt (cost factor 12). The raw secret is shown once at creation and never stored; authentication compares the presented secret against the stored hash. Note that bcrypt only processes the first 72 bytes of its input, so generated secrets must stay below that length.
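The create-once, hash-only lifecycle described above, as an added example (not Orithos code). It substitutes hashlib.scrypt for bcrypt so that it runs with the Python standard library alone; the key format (an "ork_" prefix, a public key id, and the secret part) is an assumption. The public key id lets the server find the right record without trying the slow hash against every stored key, and unknown ids still pay for one hash so the response time does not reveal whether the id exists.

```python
import hashlib
import hmac
import os
import secrets
from dataclasses import dataclass
from typing import Dict, Optional

# Orithos uses bcrypt (cost 12). bcrypt is not in the Python standard library,
# so this added example substitutes hashlib.scrypt, another deliberately slow
# password hash, to stay dependency-free. The lifecycle is the same either way.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1
KEY_PREFIX = "ork"  # assumed key format: ork_<key id>_<secret>


@dataclass
class StoredKey:
    key_id: str    # public lookup handle, safe to log
    salt: bytes
    digest: bytes  # slow hash of the secret part; the secret itself is never stored
    role: str


def _slow_hash(secret: str, salt: bytes) -> bytes:
    return hashlib.scrypt(secret.encode("utf-8"), salt=salt, n=SCRYPT_N,
                          r=SCRYPT_R, p=SCRYPT_P, dklen=32)


class ApiKeyStore:
    def __init__(self) -> None:
        self._by_id: Dict[str, StoredKey] = {}

    def create(self, role: str) -> str:
        """Mint a key, persist only its hash, and return the plaintext exactly once."""
        key_id = secrets.token_hex(4)        # 8 hex chars, not secret
        secret = secrets.token_urlsafe(32)   # 256 bits of entropy, the real credential
        salt = os.urandom(16)
        self._by_id[key_id] = StoredKey(key_id, salt, _slow_hash(secret, salt), role)
        return f"{KEY_PREFIX}_{key_id}_{secret}"

    def authenticate(self, presented: str) -> Optional[str]:
        """Return the key's role, or None if the key is malformed, unknown or wrong."""
        parts = presented.split("_", 2)      # the secret part may itself contain '_'
        if len(parts) != 3 or parts[0] != KEY_PREFIX:
            return None
        _, key_id, secret = parts
        rec = self._by_id.get(key_id)
        if rec is None:
            _slow_hash(secret, b"\x00" * 16)  # burn the same time as a real check
            return None
        if hmac.compare_digest(_slow_hash(secret, rec.salt), rec.digest):
            return rec.role
        return None
```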
Fernet encryption
Agent credentials (API keys, tokens) are encrypted at rest with Fernet, an authenticated symmetric scheme (AES-128-CBC with an HMAC-SHA256 tag), under a key derived from the server secret key. Because the key is derived from that secret, the secret must be protected and rotated with care: ciphertext produced under a key that is no longer available cannot be decrypted.
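Deriving a Fernet key from a server secret, as an added example (not Orithos code). Fernet will not accept an arbitrary string: it needs exactly 32 key bytes, urlsafe-base64 encoded. The example runs the secret through RFC 5869 HKDF-SHA256 with a purpose label so that other uses of the same server secret get unrelated keys; the salt string and the purpose names are assumptions. Only the final encrypt step needs the cryptography package; the derivation itself is standard library.

```python
import base64
import binascii
import hashlib
import hmac


def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes, length: int = 32) -> bytes:
    """RFC 5869 HKDF with HMAC-SHA256: extract a pseudorandom key from the
    input keying material, then expand it into `length` bytes bound to `info`."""
    prk = hmac.new(salt if salt else b"\x00" * 32, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def fernet_key_from_server_secret(server_secret: str, purpose: str) -> bytes:
    """Fernet requires 32 random key bytes, urlsafe-base64 encoded (44 chars).
    A human-chosen server secret is neither, so derive the key with HKDF.
    The salt and purpose strings are assumptions for this example; the purpose
    label keeps keys derived for different uses cryptographically independent."""
    raw = hkdf_sha256(server_secret.encode("utf-8"),
                      salt=b"orithos-fernet-key-v1",
                      info=purpose.encode("utf-8"), length=32)
    return base64.urlsafe_b64encode(raw)


def is_valid_fernet_key(key: bytes) -> bool:
    """The check Fernet() itself performs: urlsafe base64 of exactly 32 bytes."""
    try:
        return len(base64.urlsafe_b64decode(key)) == 32
    except (binascii.Error, ValueError):
        return False


def encrypt_credential(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt with the cryptography package's Fernet; only this step needs it.
    The token is authenticated, so a modified ciphertext fails to decrypt
    instead of yielding garbage."""
    from cryptography.fernet import Fernet  # optional dependency
    return Fernet(key).encrypt(plaintext)
```

Use a distinct purpose string per data class ("agent-credentials", "session-cookies", ...) and never hand the raw server secret to Fernet; if the secret has to be rotated, keep the old derived key available (for example via MultiFernet) until every stored credential has been re-encrypted.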
Access control
Role-based access control (RBAC) with four roles: VIEWER (read-only), ANALYST (create scans, view results), ADMIN (manage agents, keys, users), OWNER (billing, org settings, delete). A request for a resource the caller is not permitted to access returns 404 rather than 403, so a caller cannot use the status code to confirm that a resource exists in another organization.
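An authorization check that implements the 404-not-403 rule, as an added example (not Orithos code). It assumes the four roles are strictly ordered and assumes a minimum role per (method, resource kind) read off the role descriptions above. The point it demonstrates: a missing resource, a resource in another tenant, and an insufficient role all produce the identical response object, so neither the status code nor the body distinguishes them.

```python
from dataclasses import dataclass
from typing import Dict, Tuple

# Assumed: each role includes the rights of the ones below it.
ROLE_RANK = {"VIEWER": 0, "ANALYST": 1, "ADMIN": 2, "OWNER": 3}

# Assumed minimum role per (method, resource kind), taken from the role descriptions.
MIN_ROLE = {
    ("GET", "scan"): "VIEWER",
    ("GET", "agent"): "VIEWER",
    ("PUT", "agent"): "ADMIN",      # "manage agents"
    ("DELETE", "scan"): "OWNER",    # "delete"
    ("DELETE", "agent"): "OWNER",
}

# One response for every refusal: same status, same body, no hints.
NOT_FOUND = (404, {"error": "not found"})


@dataclass(frozen=True)
class Resource:
    kind: str
    org_id: str
    name: str


@dataclass(frozen=True)
class Principal:
    org_id: str
    role: str


def handle(resources: Dict[str, Resource], who: Principal, method: str,
           kind: str, resource_id: str) -> Tuple[int, dict]:
    """Authorize one request against an in-memory resource table.
    Existence, tenant membership and role are checked in that order, but
    every failure collapses to the same NOT_FOUND."""
    res = resources.get(resource_id)
    if res is None or res.kind != kind or res.org_id != who.org_id:
        return NOT_FOUND
    needed = MIN_ROLE.get((method, kind))
    if needed is None or ROLE_RANK[who.role] < ROLE_RANK[needed]:
        return NOT_FOUND
    return 200, {"id": resource_id, "kind": res.kind, "name": res.name}
```

Keep the response path identical in time as well as content where practical: if the existence lookup is a database query and the role check is an in-memory comparison, the two refusals can still be told apart by latency.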
Audit logging
Every user action is logged with actor identity, timestamp, action type, target resource, and outcome. Logs are append-only (records cannot be edited or deleted once written) and queryable via the API. Retention follows the organization's data retention policy.
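An append-only audit log with the five fields listed above, as an added example (not Orithos code). The hash chaining is an assumption added here to make the "immutable" property checkable: each record stores the hash of the previous one, so editing or deleting an earlier entry is detected by verify(). Timestamps are passed in explicitly so the example is deterministic.

```python
import hashlib
import json
from typing import Any, Dict, List, Optional


class AuditLog:
    """Append-only audit log with a SHA-256 hash chain (an assumed mechanism
    for this example, not a description of Orithos's storage)."""

    GENESIS = "0" * 64

    def __init__(self) -> None:
        self._records: List[Dict[str, Any]] = []

    @staticmethod
    def _digest(entry: Dict[str, Any]) -> str:
        # Canonical JSON so the hash does not depend on dict ordering.
        body = {k: v for k, v in entry.items() if k != "hash"}
        canonical = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
        return hashlib.sha256(canonical).hexdigest()

    def record(self, actor: str, action: str, target: str, outcome: str,
               ts: float) -> Dict[str, Any]:
        """Append one event; every field the page lists is mandatory."""
        prev = self._records[-1]["hash"] if self._records else self.GENESIS
        entry = {"seq": len(self._records), "ts": ts, "actor": actor,
                 "action": action, "target": target, "outcome": outcome,
                 "prev": prev}
        entry["hash"] = self._digest(entry)
        self._records.append(entry)
        return entry

    def query(self, actor: Optional[str] = None, action: Optional[str] = None,
              outcome: Optional[str] = None,
              since: Optional[float] = None) -> List[Dict[str, Any]]:
        """Filter the log; results are copies so callers cannot touch the chain."""
        return [dict(e) for e in self._records
                if (actor is None or e["actor"] == actor)
                and (action is None or e["action"] == action)
                and (outcome is None or e["outcome"] == outcome)
                and (since is None or e["ts"] >= since)]

    def verify(self) -> Optional[int]:
        """Return the seq of the first record that breaks the chain, or None."""
        prev = self.GENESIS
        for i, e in enumerate(self._records):
            if e["seq"] != i or e["prev"] != prev or e["hash"] != self._digest(e):
                return i
            prev = e["hash"]
        return None
```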
Network security
All traffic is encrypted in transit via TLS 1.3. Data at rest is encrypted using AES-256 on the storage layer. Sensitive endpoints implement rate limiting with configurable thresholds per route. An internal API key authenticates requests from the proxy to the backend, so user credentials are never forwarded past the proxy.
TLS 1.3
All API and dashboard traffic is encrypted in transit via TLS 1.3 with strong cipher suites.
AES-256 at rest
Database storage is encrypted using AES-256; backups are encrypted as well.
Rate limiting
Sensitive endpoints (auth, key creation) have per-IP and per-key rate limits with configurable thresholds and 429 responses.
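A per-route sliding-window limiter with separate per-IP and per-key counters, as an added example (not Orithos code) covering the rate-limiting points above. The route thresholds are assumptions; the limiter answers 429 with a Retry-After header computed from the oldest hit still inside the window, and the clock is injectable so the behaviour can be checked deterministically.

```python
import time
from collections import defaultdict, deque
from typing import Deque, Dict, Optional, Tuple

# Assumed thresholds: route -> (max requests, window in seconds).
ROUTE_LIMITS = {
    "/auth/login": (5, 60),
    "/keys": (10, 3600),
}


class SlidingWindowLimiter:
    """Counts request timestamps per (route, subject) and refuses once the
    window holds the maximum. A subject is 'ip:<addr>' or 'key:<key id>'."""

    def __init__(self, limits: Dict[str, Tuple[int, int]] = ROUTE_LIMITS) -> None:
        self.limits = limits
        self._hits: Dict[Tuple[str, str], Deque[float]] = defaultdict(deque)

    def check(self, route: str, subject: str,
              now: Optional[float] = None) -> Tuple[int, Dict[str, str]]:
        """Return (status, headers). 200 records the hit; 429 does not."""
        limit = self.limits.get(route)
        if limit is None:
            return 200, {}                      # route is not rate limited
        max_req, window = limit
        now = time.monotonic() if now is None else now
        q = self._hits[(route, subject)]
        while q and q[0] <= now - window:       # drop hits that left the window
            q.popleft()
        if len(q) >= max_req:
            retry_after = int(q[0] + window - now) + 1
            return 429, {"Retry-After": str(retry_after)}
        q.append(now)
        return 200, {"X-RateLimit-Remaining": str(max_req - len(q))}


def authorize_request(limiter: SlidingWindowLimiter, route: str, client_ip: str,
                      api_key_id: Optional[str] = None,
                      now: Optional[float] = None) -> Tuple[int, Dict[str, str]]:
    """Apply the per-IP limit and, for authenticated calls, the per-key limit.
    The first exhausted limit wins; unauthenticated routes only see the IP."""
    subjects = [f"ip:{client_ip}"]
    if api_key_id is not None:
        subjects.append(f"key:{api_key_id}")
    headers: Dict[str, str] = {}
    for subject in subjects:
        status, headers = limiter.check(route, subject, now)
        if status == 429:
            return status, headers
    return 200, headers
```

Per-IP limits alone are weak against a distributed caller and too strict behind a shared NAT, which is why the per-key counter sits beside it; the key id (not the secret) is the subject so the limiter never needs the plaintext credential.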