Security
How NeonCodex protects your data
This page describes the security controls in place across the NeonCodex platform. Each control listed here has been implemented and verified in production. We update this page when controls change.
Key encryption standard: AES-256-GCM
Transport encryption: TLS 1.3
Password hashing: bcrypt, work factor 12
JWT token lifetime: 15 minutes
Data Encryption
Encryption in transit
All traffic is served over TLS 1.2 and TLS 1.3. Plaintext HTTP is redirected automatically.
Implemented
API key encryption at rest
User-supplied API keys (OpenAI, Anthropic, OpenRouter, Google) are encrypted with AES-256-GCM before being written to the database. Keys are decrypted only at execution time and never logged.
Implemented
Password hashing
Passwords are hashed using bcrypt with a work factor of 12. Plaintext passwords are never stored or logged.
Implemented
Authentication & Sessions
Short-lived JWT tokens
Access tokens expire after 15 minutes. Refresh tokens are used to issue new access tokens without re-authentication.
Implemented
Social login isolation
Accounts created via Google or GitHub cannot set a password unless explicitly configured. This prevents credential-stuffing on OAuth accounts.
Implemented
Account deletion with confirmation
Local accounts require password confirmation before deletion. Social accounts require re-verification via the OAuth provider.
Implemented
Brute Force & Rate Limiting
Login throttling
Login attempts are limited to 5 per minute per IP. Subsequent requests return HTTP 429 until the window resets.
Implemented
Registration throttling
Account registration is limited to 3 requests per minute to prevent automated account creation.
Implemented
Password reset throttling
Forgot-password and reset-password endpoints are limited to 3 requests per hour per IP.
Implemented
Global API rate limiting
All authenticated API endpoints are subject to a global limit of 120 requests per minute.
Implemented
Access Control
Role-based access
Every API endpoint is protected by an authentication guard. Admin-only endpoints require a separate AdminGuard that validates the is_admin flag on the user record.
Implemented
Tenant isolation
All database queries scope data by organization ID and user ID. Cross-tenant data access is not possible through the API.
Implemented
BYOK key isolation
User-supplied API keys are stored per-user and are only accessible by the authenticated owner. Only a masked hint is shown in the UI.
Implemented
Infrastructure & Network
CORS policy
The API gateway only accepts cross-origin requests from neoncodex.io. Requests from other origins receive no CORS headers and are blocked by the browser.
Implemented
Content Security Policy
A strict CSP header is set on every response. It restricts script sources, disallows framing by third parties, and blocks form submissions to external origins.
Implemented
Clickjacking protection
X-Frame-Options is set to SAMEORIGIN. The CSP frame-ancestors directive independently enforces the same restriction.
Implemented
HSTS
HTTP Strict Transport Security is enforced with a max-age of 31536000 seconds (1 year), including subdomains.
Implemented
Environment file protection
Nginx blocks direct access to .env, .git, .htaccess, and related files with a 404 response. Environment variables are never exposed through the API.
Implemented
DDoS mitigation
NeonCodex is served behind Cloudflare, which provides network-level DDoS protection. Application-level rate limiting provides an additional layer.
Implemented
Code Execution & Input Safety
SQL injection prevention
All database queries use parameterized statements with positional placeholders ($1, $2, ...). Dynamic UPDATE statements use server-side field whitelists — no user input can become a column name.
Implemented
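An added example, not NeonCodex's own code, of a dynamic UPDATE built from a server-side field allowlist with positional placeholders, scoped to the owning user and organization as the tenant isolation control describes. The table, column names and the pg-style `{ text, values }` shape are assumptions.

```javascript
// Added example (not NeonCodex's code): column names come only from an allowlist,
// every user-supplied value is a bound parameter, and the row is scoped by both
// user id and organization id. Table and columns are hypothetical.
const UPDATABLE_COLUMNS = new Set(['display_name', 'avatar_url', 'timezone']);

// Returns { text, values } for a parameterized query such as pg's
// client.query(text, values). Throws on any field outside the allowlist, so a key
// like "is_admin" or "name; DROP TABLE users" never reaches the SQL string.
function buildUserUpdate(patch, { userId, orgId }) {
  const sets = [];
  const values = [];
  for (const [field, value] of Object.entries(patch)) {
    if (!UPDATABLE_COLUMNS.has(field)) {
      throw new Error(`field not updatable: ${field}`);
    }
    values.push(value);                           // value is bound, never interpolated
    sets.push(`${field} = $${values.length}`);    // field is the allowlisted literal
  }
  if (sets.length === 0) throw new Error('nothing to update');
  values.push(userId);
  values.push(orgId);
  const text =
    `UPDATE users SET ${sets.join(', ')} ` +
    `WHERE id = $${values.length - 1} AND organization_id = $${values.length}`;
  return { text, values };
}

// Convenience for callers that want to know whether a patch would be accepted.
function isUpdatable(patch) {
  return Object.keys(patch).every((f) => UPDATABLE_COLUMNS.has(f));
}
```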
XSS prevention
AI-generated output rendered in the browser is HTML-escaped before it is inserted into the DOM. URLs sourced from AI output are validated against an allowlist of safe protocols before use in src or href attributes.
Implemented
Shell injection prevention
File archive inspection uses spawnSync with an argument array rather than shell string interpolation. Filenames are sanitized to alphanumeric characters before use.
Implemented
What we do not do
We do not sell your data
Your prompts, outputs, and uploaded files are never sold to third parties or used to train models without explicit consent.
We do not store API keys in plaintext
All user-supplied provider keys are encrypted with AES-256-GCM before being written to the database.
We do not log prompt content
Task prompts are stored in the database for your own history. They are not forwarded to analytics services or advertising networks.
We do not expose admin data to users
Endpoints that return usage statistics, user lists, or billing summaries require verified admin access and are not reachable by regular authenticated users.
Infrastructure
Network edge: Cloudflare (DDoS protection, TLS termination, bot mitigation)
Web server: Nginx (reverse proxy with hardened security headers)
API: NestJS on Node.js (containerised, no direct public port exposure)
Database: PostgreSQL (not accessible from outside the Docker network)
Cache: Redis (internal network only, LRU eviction policy)
File storage: MinIO (self-hosted S3-compatible object storage)
Responsible Disclosure
If you discover a security vulnerability in NeonCodex, report it to us privately before making it public. We will acknowledge your report within 48 hours and aim to resolve confirmed issues within 14 days.
Please include a clear description of the issue, steps to reproduce, and any relevant request or response data. Do not access, modify, or delete user data during your research.
Contact security team: [email protected]
Last updated: June 2026. This page reflects controls that are active in the current production environment.