Security & Trust

Security built into every layer

FreeSDN touches the gear that runs your business, so safety is the default, not a setting: layered identity, fail-closed isolation, encrypted credentials, and a staged-write pipeline that refuses to change a device without double confirmation.

Defense in depth

Six layers, working together

Security in FreeSDN is a stack of controls, from identity to transport, each fail-closed by default rather than a single bolt-on feature.

Authentication

JWT sessions with refresh-token rotation and single-use claims, optional MFA, SSO (OIDC/SAML), and scoped API keys. Per-IP login rate limiting protects against credential stuffing.

Authorization

Five assignable RBAC roles (super_admin → viewer) in a strict hierarchy with fine-grained permissions and per-user site grants. Every API key carries a scope ceiling it can never exceed.

Multi-Tenancy

Application-layer, fail-closed tenant isolation across organization → site → device. Queries are scoped in the service layer, and a CI gate blocks merging any new tenant table that has not been classified.

Credential Safety

Device and integration credentials are encrypted at rest with Fernet (AES-128-CBC + HMAC-SHA256) under a key derived from a server secret. Secrets are redacted from logs, error messages, and API responses.

Write Safety

Every device write rides a staged-change pipeline: stage → apply behind a dual gate (read-only flag + explicit force), with an atomic claim, full audit record, and saga-style rollback.

Transport & Hardening

HTTPS with HSTS, a strict same-origin Content-Security-Policy, trusted-proxy handling for the rate limiter, non-root containers, and SSRF protections on outbound requests.

The staged-write model

No change touches a device by accident

Reads are free; writes are deliberate. Every configuration change is staged first, then applied through a dual gate: a controller-level read-only flag and an explicit per-action force. Changes claim the device atomically, record a full audit entry, and roll back as a saga if anything fails.

  • Stage the change and preview the diff
  • Apply only with read-only off and force on
  • Atomic device claim prevents conflicting writes
  • Every action is audited; failures roll back

staged-change
POST /api/v1/.../stage      → change staged
GET  /api/v1/.../diff       → review the diff
POST /api/v1/.../apply
  ├─ ADAPTER_READ_ONLY=false ✓ (gate 1)
  ├─ force=true              ✓ (gate 2)
  ├─ claim(device)           ✓ atomic
  ├─ audit.record(actor,...) ✓
  └─ on error → saga.rollback()

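The staged-write sequence above, as an added example that is not FreeSDN's own code: a toy controller that stages a diff without touching the device, enforces both gates, takes an atomic per-device claim, records an audit entry, and compensates already-applied steps in reverse when the device rejects one. All class and method names are assumptions, and the `fail_on` argument is a constructed hook for simulating a device-side failure.

```python
import threading
from dataclasses import dataclass, field

class WriteBlocked(Exception):
    """Raised when a gate or the device claim refuses the write."""

@dataclass
class Device:
    name: str
    config: dict
    claimed_by: str = ""
    lock: threading.Lock = field(default_factory=threading.Lock, repr=False)

@dataclass
class Controller:
    read_only: bool = True  # gate 1: controller-level flag, on by default
    audit: list = field(default_factory=list)
    def stage(self, device, new_config):
        """Stage a change: compute the (old, new) diff, touch nothing on the device."""
        diff = {k: (device.config.get(k), v)
                for k, v in new_config.items() if device.config.get(k) != v}
        return {"device": device.name, "diff": diff}
    def apply(self, change, device, actor, force=False, fail_on=None):
        """Apply a staged change behind both gates; True on success, False if rolled back."""
        if self.read_only:  # gate 1
            raise WriteBlocked("controller is read-only")
        if not force:  # gate 2: explicit per-action force
            raise WriteBlocked("force not set for this action")
        # Atomic claim: a non-blocking acquire either wins the device or fails outright.
        if not device.lock.acquire(blocking=False):
            raise WriteBlocked(f"{device.name} already claimed by {device.claimed_by}")
        device.claimed_by, before, applied = actor, dict(device.config), []
        try:
            for key, (_, new) in change["diff"].items():
                if key == fail_on:  # constructed device-side rejection to exercise rollback
                    raise RuntimeError(f"device rejected {key}")
                device.config[key] = new
                applied.append(key)
            self.audit.append({"actor": actor, "device": device.name, "keys": applied, "result": "ok"})
            return True
        except RuntimeError as exc:
            for key in reversed(applied):  # saga rollback: compensate each applied step in reverse
                if key in before: device.config[key] = before[key]
                else: del device.config[key]
            self.audit.append({"actor": actor, "device": device.name, "keys": applied, "result": f"rolled back: {exc}"})
            return False
        finally:
            device.claimed_by = ""
            device.lock.release()
```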
An honest posture

What we claim, and what we don't

Trust starts with honesty. We tell you exactly where FreeSDN stands so you can make an informed decision, rather than marketing around the gaps.

FreeSDN is a pre-production, testing release: validate it thoroughly before any production use.

No third-party security audit, external penetration test, or compliance certification (SOC 2, ISO 27001, HIPAA, PCI-DSS) is claimed.

Tenant isolation is application-layer and fail-closed. FreeSDN does not use PostgreSQL Row-Level Security.

Our process is automated tests plus internal adversarial review. It is rigorous, but not a substitute for an independent audit.

Responsible disclosure

Found something? Tell us first.

We welcome coordinated disclosure. If you believe you've found a security issue, please email us with details and steps to reproduce. Give us a reasonable window to remediate before any public disclosure.

Read the full security model

The docs cover authentication, authorization, multi-tenancy, the staged-write dual gate, and the audit record in depth.