Security Overview
NeXuS implements defense-in-depth security across authentication, networking, and application layers.
Security Layers
┌─────────────────────────────────────┐
│ 1. Cloudflare Edge │ DDoS, edge WAF, SSL
├─────────────────────────────────────┤
│ 2. Traefik Proxy │ TLS termination, routing
├─────────────────────────────────────┤
│ 3. Application WAF │ Request filtering, rules
├─────────────────────────────────────┤
│ 4. Auth Service │ JWT, bcrypt, rate limiting
├─────────────────────────────────────┤
│ 5. Network Isolation │ Internal-only databases
├─────────────────────────────────────┤
│ 6. Container Hardening │ Read-only FS, no-new-privs
└─────────────────────────────────────┘
Key Security Features
Authentication
- JWT access tokens (15min) + httpOnly refresh cookies (7 days)
- bcrypt password hashing (cost factor 12)
- Refresh token rotation — each token can only be used once
- Rate limiting on auth endpoints (20 req/15min)
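
The single-use rule for refresh tokens listed above, shown as an added example (not NeXuS's own code). The `RefreshStore` class, its in-memory table, storing only a SHA-256 digest of each token, and revoking the whole session when a spent token is replayed are assumptions that go beyond what this page states.

```python
import hashlib
import secrets
import time

REFRESH_TTL = 7 * 24 * 3600  # 7 days, the refresh lifetime listed above


class RefreshStore:
    """Hypothetical in-memory stand-in for an auth service's refresh-token table."""

    def __init__(self, now=time.time):
        self._now = now        # injectable clock so expiry can be tested
        self._rows = {}        # sha256(token) -> row; the raw token is never stored
        self._revoked = set()  # session ("family") ids killed after a replay

    @staticmethod
    def _digest(token):
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, user, family=None):
        """Mint a refresh token; rotations keep the family id of the login."""
        token = secrets.token_urlsafe(32)
        self._rows[self._digest(token)] = {
            "user": user,
            "family": family or secrets.token_hex(8),
            "expires": self._now() + REFRESH_TTL,
            "used": False,
        }
        return token

    def rotate(self, token):
        """Exchange a refresh token once; return (new_token, user)."""
        row = self._rows.get(self._digest(token))
        if row is None:
            raise PermissionError("unknown token")
        if row["family"] in self._revoked:
            raise PermissionError("session revoked")
        if row["used"]:
            # A spent token came back: either the client or a thief holds a
            # copy, so the successor tokens of this login are revoked as well.
            self._revoked.add(row["family"])
            raise PermissionError("token reuse detected")
        if self._now() >= row["expires"]:
            raise PermissionError("expired")
        row["used"] = True
        return self.issue(row["user"], row["family"]), row["user"]
```
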
Network
- Databases on internal-only Docker network (internal: true)
- No container ports exposed to host
- All traffic routes through Traefik reverse proxy
- CORS restricted to specific origins
Edge Protection
- Cloudflare DDoS protection
- Cloudflare edge WAF rules
- Full (Strict) SSL mode
- Proxied DNS records
Application
- WAF service for request filtering
- Input validation on all endpoints
- Container name sanitization in MCP tools
- Error messages don't leak internal details
Secrets
- Environment-based secret management
- .env excluded from version control
- Unique passwords per database
- Cloudflare Service Tokens for MCP auth