Security
Last updated: May 2026

Security Overview

🛡 Cloudflare Tunnel — External Protection Layer
All traffic to DEVIX passes through Cloudflare Tunnel. This provides TLS encryption in transit, DDoS mitigation, and a Web Application Firewall (WAF) without exposing the server's IP address to the public internet.
🔑 Authentication and Session Management
Passwords are hashed using bcrypt at cost 12 before storage — plaintext passwords are never stored or logged. Sessions use cryptographically random tokens stored in the browser's sessionStorage (not cookies) and validated server-side on every request; they expire after inactivity. Two-Factor Authentication (2FA) via TOTP is available for all accounts.
🛡 CSRF Protection
All state-changing API requests require two separate tokens: a session token in the Authorization header and a per-session CSRF token in the X-CSRF-Token header. Both must be valid for any write operation to proceed, preventing Cross-Site Request Forgery attacks even if a session token is somehow obtained.
⚡ Rate Limiting — Request Volume Control
Login endpoints and sensitive API routes are protected by rate limiting. Repeated failed authentication attempts trigger a temporary lockout to prevent brute-force attacks.
🔒 Password Security
All passwords are hashed with bcrypt (cost 12) before being written to the database. Password resets are handled via time-limited, single-use tokens sent to the registered email address.
🏢 Data Isolation Between Accounts (Multi-tenant)
Each business account has a dedicated SQLite database stored in a private directory. There is no shared data store between accounts. Every API request is validated against the authenticated account identifier before any database operation is performed, making cross-account data access impossible by design.
🔒 File Upload Security
Uploaded files are validated by magic-byte inspection (not just file extension), rejecting files that do not match their claimed type. EXIF metadata is automatically stripped from JPEG images to prevent leakage of GPS coordinates or personally identifiable information. Only image formats (JPEG, PNG, WebP) are permitted.
🛡 SQL Injection Prevention
All database queries use parameterized prepared statements. No dynamic SQL string concatenation with user-supplied input is used anywhere in the codebase. SQLite's strict type system provides an additional layer of protection.
🔒 XSS Prevention
All user-supplied data is HTML-escaped before being rendered in any HTML context. Output encoding is applied consistently throughout the platform. Content Security Policy headers further reduce the risk of Cross-Site Scripting attacks.
🔗 Webhook — Signature Verification
All outgoing Webhook payloads are signed with HMAC-SHA256 using a pre-shared secret key configured by the account owner. Receiving services can and should verify the signature on every incoming request to confirm the payload's authenticity and integrity.
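A receiver-side check for the HMAC-SHA256 signature described above, written as an added example and not DEVIX's own code. The header name, the hex encoding of the digest and the sample payload are assumptions, since the page does not document the wire format; the point it shows is verifying over the raw body bytes before parsing and comparing in constant time.

```python
import hmac
import hashlib

# Assumed header name and encoding: the page does not document DEVIX's wire
# format, so these are placeholders to be replaced with the real values.
SIGNATURE_HEADER = "X-Devix-Signature"

# Constructed sample values for the demonstration below.
SECRET = b"constructed-shared-secret-configured-by-account-owner"
BODY = b'{"event":"ticket.status_changed","ticket_id":42,"status":"closed"}'


def sign_payload(secret: bytes, body: bytes) -> str:
    """Sender side: HMAC-SHA256 over the exact request body, hex-encoded."""
    return hmac.new(secret, body, hashlib.sha256).hexdigest()


def verify_webhook(secret: bytes, raw_body: bytes, headers: dict) -> bool:
    """Receiver side: recompute the HMAC over the raw body bytes (before any
    JSON parsing, so re-serialisation cannot change what is signed) and
    compare it with the presented signature in constant time.

    Returns False for a missing header, a tampered body or a wrong secret;
    it never raises on attacker-controlled input.
    """
    presented = headers.get(SIGNATURE_HEADER, "")
    if not presented:
        return False
    expected = sign_payload(secret, raw_body)
    # compare_digest avoids the early-exit timing leak of a plain == comparison
    return hmac.compare_digest(expected, presented.strip().lower())


if __name__ == "__main__":
    # Legitimate delivery: signature recomputed over the same bytes matches.
    good_headers = {SIGNATURE_HEADER: sign_payload(SECRET, BODY)}
    print("valid delivery:", verify_webhook(SECRET, BODY, good_headers))
    # Tampered body: a single extra byte invalidates the signature.
    print("tampered body:", verify_webhook(SECRET, BODY + b" ", good_headers))
    # Missing signature header is rejected rather than accepted by default.
    print("no header:", verify_webhook(SECRET, BODY, {}))
```

Parse the JSON only after `verify_webhook` returns True, and keep the shared secret out of logs and error messages.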
📋 Audit Log — Activity Recording
All significant administrative actions — including logins, ticket status changes, team member changes, and account settings updates — are recorded in an immutable audit log. This log is accessible to the account owner and provides a full audit trail for compliance and security review purposes.
⚠ Responsible Disclosure
If you discover a security vulnerability in DEVIX, please report it responsibly by emailing [email protected] with a description of the issue. We do not currently operate a formal bug bounty program, but we take all security reports seriously and will respond promptly.