Security

Authentication

JWT — all API requests require a valid token; configurable session expiry
bcrypt passwords — minimum 12 characters enforced
Forced password change on first login
Rate limiting — 10 failed login attempts in 5 minutes triggers a 15-minute lockout

TOTP / MFA

TOTP-based two-factor authentication compatible with Google Authenticator and any TOTP app.

Enable from Account Settings after logging in
QR code provisioning from the panel
Admin can enforce MFA for all operators

Multi-operator

Admin role — full access, user management, audit log, settings
Operator role — sessions, tasking, stager, reports — no admin panel

Create and delete operator accounts from Settings > Users.

IP Whitelist

Restrict panel access to specific IP addresses. Beacon endpoints always bypass the whitelist — beacons must be able to reach the server from any IP.

Configure from Settings > IP Whitelist.

Agent Secret Rotation

Rotate the shared beacon secret from Settings > Security. Active beacons receive the new secret on next check-in and update automatically. The old secret stays valid until all beacons have rotated.

Audit Log

Admin-only timestamped log of all security-relevant events:

LOGIN · LOGIN_FAIL · TASK_SENT · FILE_UPLOAD · AGENT_DELETED · USER_CREATED · USER_DELETED · PASSWORD_CHANGED · SECRET_ROTATED

Filterable by user, action type, and date range. Clearable by admin.

Webhook Notifications

Discord / Slack / any webhook alerts for configurable events:

New agent check-in
Operator login
Failed login attempt
Agent deleted
Task sent

Security Headers

All responses include: Content-Security-Policy, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy, Strict-Transport-Security.