Security is not optional

All sensitive data is encrypted at rest and in transit. SSH keys, API keys and exported configurations use military-grade encryption.

• ● AES-256-GCM for encrypting SSH keys, API keys and config exports
• ● bcrypt 12 rounds for password hashing
• ● PBKDF2 100,000 iterations for export key derivation
• ● Keys in memory only : never stored in plain text on disk, decrypted only when needed

The authentication system is designed to withstand the most common attacks, with multiple complementary layers of protection.

• ● JWT httpOnly : tokens are stored in httpOnly cookies, inaccessible from JavaScript
• ● Refresh token rotation : the old token is revoked on each renewal
• ● CSRF protection : double-submit cookie with X-CSRF-Token header
• ● Rate limiting : 1,000 req/15min global, 50/15min on auth, 30 conn/min WebSocket
• ● Anti timing-attack : dummy hash comparison for non-existent users

Add an extra layer of protection to your account with two-factor authentication. Even if your password is compromised, your account stays protected.

• ● Standard TOTP : open protocol compatible with all authenticator apps
• ● Compatible with Google Authenticator, Authy, 1Password and any TOTP app
• ● Encrypted backup codes : 10 single-use codes, stored encrypted in the database
• ● Password theft protection : a password alone is no longer enough to access the account

The infrastructure is hardened at every level: from the reverse proxy to user input validation.

• ● HTTPS Let's Encrypt : mandatory TLS encryption on all connections via Traefik
• ● Helmet + CSP : strict security headers (Content Security Policy, X-Frame-Options, HSTS)
• ● Shell escape : all SSH commands are escaped to prevent command injection
• ● Path validation : protection against path traversal and null bytes
• ● Container validation : strict Docker container name verification
• ● Masked env variables : sensitive values are masked in Docker details

Every action performed on IliaCloud is recorded in a detailed audit log, for compliance and investigation.

• ● Every action logged : all mutating operations (POST, PATCH, DELETE) are automatically recorded
• ● 16 categories : auth, server, docker, ssh, chat, backup, ssl, uptime, webhook, file, config, export, import, status-page, settings, audit
• ● IP + timestamp : each entry includes IP address, timestamp and request details (sensitive data masked)
• ● CSV export : export logs for external analysis and compliance reports

Code quality and security are continuously validated by automated tests and static analysis tools.

• ● 1,093 tests automated (796 backend + 297 frontend, Vitest + Playwright)
• ● SonarQube : 0 bugs, 0 vulnerabilities, 0 critical code smells
• ● OWASP Top 10 covered: injection, XSS, CSRF, broken auth, path traversal, and more