Security
Technical details about how HiveFlow protects your data and infrastructure.
Architecture Overview
┌─────────────────────────────────────────────────────────┐
│                      CLIENT LAYER                       │
│  Browser (React)  │  Desktop (Electron)  │  Extensions  │
└──────────┬─────────────────┬─────────────────┬──────────┘
           │ HTTPS/WSS + JWT │                 │
           ▼                 ▼                 ▼
┌─────────────────────────────────────────────────────────┐
│              VERCEL CDN (app.hiveflow.ai)               │
│       Static assets only — NO client data stored        │
└────────────────────────────┬────────────────────────────┘
                             │
                             ▼
┌─────────────────────────────────────────────────────────┐
│                RAILWAY (api.hiveflow.ai)                │
│ ┌──────────┐  ┌──────────┐  ┌───────────┐  ┌──────────┐ │
│ │ Auth MW  │  │ Rate Lim │  │   CORS    │  │ Credits  │ │
│ └──────────┘  └──────────┘  └───────────┘  └──────────┘ │
│ ┌─────────────────────────────────────────────────────┐ │
│ │           Flow Orchestrator + Processors            │ │
│ └─────────────────────────────────────────────────────┘ │
└───────┬──────────┬──────────┬──────────┬────────────────┘
        │          │          │          │
        ▼          ▼          ▼          ▼
  ┌──────────┐ ┌───────┐ ┌────────┐ ┌─────────┐
  │ MongoDB  │ │ Redis │ │  AWS   │ │   E2B   │
  │  Atlas   │ │ Cache │ │   S3   │ │ Sandbox │
  │(AES-256) │ │ (TLS) │ │(SSE-S3)│ │(microVM)│
  └──────────┘ └───────┘ └────────┘ └─────────┘
Encryption
At Rest
- AES-256-GCM with PBKDF2-SHA512 key derivation (10,000 iterations)
- Unique 16-byte random IV per encrypted value
- 16-byte authentication tag for integrity verification (GCM)
- MongoDB Atlas native encryption (AWS EBS)
- AWS S3 Server-Side Encryption (SSE-S3)
In Transit
- TLS 1.2+ enforced on all API endpoints
- WebSocket connections upgrade HTTPS → WSS
- Authentication tokens sent post-connection (not in URL)
- All third-party integrations over TLS
Authentication & Access Control
| Mechanism | Details | Status |
|---|---|---|
| JWT Bearer Tokens | Signed tokens, 24h sessions, validated on every request | Active |
| OAuth 2.0 | Google & GitHub SSO for web, desktop, and extensions | Active |
| MFA (OTP) | 6-digit code via email, 60s resend cooldown | Active |
| API Keys | hf_ prefix, bcrypt hashed, granular scopes (read/write/execute), expiration | Active |
| Enterprise SSO (SAML/OIDC) | Integration with corporate identity providers | Q3 2026 |
| TOTP (Authenticator) | Google Authenticator / Authy support | Q3 2026 |
Infrastructure Security
Network
- CORS whitelist (static + dynamic)
- WebSocket rate limiting (10 conn/IP, 5/user)
- Credit-based execution limits
- Stale connection cleanup (1h timeout)
- Secure cookie flag in production
Code Execution
- Isolated micro-VMs (E2B / Firecracker)
- No server filesystem access
- 5-minute execution timeout
- Automatic sandbox cleanup
- Concurrency limits (configurable)
Data Storage
- MongoDB Atlas (dedicated cluster)
- Connection pooling (5-50 connections)
- Auto-retry for reads and writes
- Credentials never stored in frontend
- S3 signed URLs (24h expiration)
Monitoring
- Winston logging (JSON + timestamps)
- Real-time WebSocket log streaming
- Zombie process detection
- CPU/memory monitoring
- Orphan process cleanup on startup
Credential Handling
1. User enters credentials (LLM API keys, OAuth tokens) through the UI
2. Credentials transmitted over TLS to backend API
3. Encrypted immediately with AES-256-GCM (unique IV + salt per value) before database storage
4. Decrypted only in-memory during workflow execution — never logged, never cached
5. UI only displays boolean status (hasCredentials: true/false) — actual values never sent to frontend
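Steps 3 to 5 as an added Node.js sketch (not HiveFlow's code), using the parameters listed under Encryption: PBKDF2-SHA512 with 10,000 iterations, a 16-byte IV and a 16-byte GCM tag. The 16-byte salt size, the `salt || iv || tag || ciphertext` layout, the master-secret input and all function names are assumptions.

```javascript
// Added example with assumed names and layout; not HiveFlow's implementation.
const crypto = require('crypto');

const SALT_LEN = 16;      // assumption: the page says "salt per value" but gives no size
const IV_LEN = 16;        // from the page: unique 16-byte random IV per value
const TAG_LEN = 16;       // from the page: 16-byte GCM authentication tag
const ITERATIONS = 10000; // from the page: PBKDF2-SHA512, 10,000 iterations

// Derive a 256-bit AES key from the master secret and a per-value salt.
function deriveKey(masterSecret, salt) {
  return crypto.pbkdf2Sync(masterSecret, salt, ITERATIONS, 32, 'sha512');
}

// Step 3: returns base64(salt || iv || tag || ciphertext). Layout is an assumption.
function encryptCredential(masterSecret, plaintext) {
  const salt = crypto.randomBytes(SALT_LEN);
  const iv = crypto.randomBytes(IV_LEN);
  const key = deriveKey(masterSecret, salt);
  const cipher = crypto.createCipheriv('aes-256-gcm', key, iv, { authTagLength: TAG_LEN });
  const ct = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  return Buffer.concat([salt, iv, cipher.getAuthTag(), ct]).toString('base64');
}

// Step 4: in-memory decryption. Throws on a truncated envelope or a failed tag check.
function decryptCredential(masterSecret, envelope) {
  const buf = Buffer.from(envelope, 'base64');
  const header = SALT_LEN + IV_LEN + TAG_LEN;
  if (buf.length < header) throw new Error('envelope too short');
  const salt = buf.subarray(0, SALT_LEN);
  const iv = buf.subarray(SALT_LEN, SALT_LEN + IV_LEN);
  const tag = buf.subarray(SALT_LEN + IV_LEN, header);
  const key = deriveKey(masterSecret, salt);
  const decipher = crypto.createDecipheriv('aes-256-gcm', key, iv, { authTagLength: TAG_LEN });
  decipher.setAuthTag(tag);
  // final() verifies the tag; the plaintext is only returned if it matches.
  return Buffer.concat([decipher.update(buf.subarray(header)), decipher.final()]).toString('utf8');
}

// Step 5: the only credential-related field a client response carries.
function toClientView(record) {
  const stored = typeof record.encrypted === 'string' && record.encrypted.length > 0;
  return { hasCredentials: stored };
}
```

Because the salt and IV are drawn fresh on every call, encrypting the same credential twice yields different envelopes, and any modified byte in an envelope makes `decryptCredential` throw instead of returning altered plaintext.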
Vulnerability Disclosure
If you discover a security vulnerability, please report it responsibly:
- Email: security@hiveflow.ai
- Please include steps to reproduce, impact assessment, and any suggested fixes.
- We commit to acknowledging reports within 48 hours.