Security
Architecture
Defense-in-depth from the network edge to the storage layer. Six independent security layers — each one designed to hold even if the others are compromised.
Six Defense Layers
Each layer operates independently. Together they form a stack that no single breach can bypass.
Authentication
Cryptographic request signing with per-agent API keys. Every request authenticated with timestamp and nonce to prevent replay. Keys hashed at rest — never stored in plaintext.
- ▸Cryptographic request signing
- ▸Timestamp + nonce replay prevention
- ▸Per-agent key rotation
- ▸Zero plaintext key storage
Encryption
Military-grade authenticated encryption for all sensitive data at rest. Per-organization encryption isolation. Unique initialization vectors per operation. TLS for all data in transit.
- ▸Authenticated encryption at rest
- ▸Per-organization key isolation
- ▸Unique IV per operation
- ▸TLS for all API traffic
Audit Integrity
Cryptographically-chained audit logs. Every entry is hash-linked to the previous one. Tampering with any record breaks the chain and triggers immediate detection.
- ▸Hash-chained log entries
- ▸Independent verification endpoint
- ▸Tamper detection alerts
- ▸Immutable append-only structure
Input Validation
Schema-validated inputs at every API boundary. Type-safe validation ensures no unvalidated data reaches business logic. Injection attacks stopped at the edge.
- ▸Schema validation on all endpoints
- ▸Parameterized database queries
- ▸Content sanitization
- ▸Path traversal prevention
Rate Limiting
Multi-tier adaptive rate limiting: per-IP, per-organization, per-agent. Higher-risk endpoints receive stricter limits. Automatic escalation on abuse detection.
- ▸Multi-tier rate limiting
- ▸Per-IP and per-org isolation
- ▸Adaptive thresholds
- ▸Abuse auto-escalation
Secrets Isolation
All secrets injected at runtime from secure environment configuration. No secrets in code, config files, or version control. Derived keys ensure no raw secrets are stored.
- ▸Runtime secret injection
- ▸Zero secrets in source control
- ▸Derived key architecture
- ▸Environment-isolated configuration
OWASP Top 10 Coverage
Every category addressed with implemented, tested mitigations — not theoretical checkboxes.
Broken Access Control
Organization-scoped queries, resource-level authorization, dual authentication layers
Cryptographic Failures
Authenticated encryption at rest, TLS in transit, cryptographic key hashing
Injection
Parameterized queries, schema validation, content sanitization, no dynamic command construction
Insecure Design
Threat modeling per feature, defense-in-depth, fail-closed defaults, formal verification
Security Misconfiguration
Hardened HTTP headers, CORS allowlisting, CSP enforcement, no default credentials
Vulnerable Components
Automated dependency scanning, lockfile integrity checks, minimal dependency surface
Auth Failures
Token expiration, refresh rotation, cryptographic password hashing, timing-safe comparison
Data Integrity Failures
Chained audit logs, request signing, CI/CD pipeline integrity, signed deployments
Logging & Monitoring
Structured logging, full action audit trail, anomaly detection, security event alerting
SSRF
URL allowlisting, private IP blocking, no user-controlled proxy targets
Responsible Disclosure
If you discover a security vulnerability in OnLeash, please report it responsibly. We commit to acknowledging reports within 24 hours and providing a fix timeline within 72 hours.
Email: onleash@protonmail.com
See our security policy for full responsible disclosure guidelines.
Security You Can Verify
Tamper-proof audit logs with independent verification. Full transparency.
Deploy Secure Governance