# Security

> How Xisom protects access to your models, data, and operations — authentication, access control, hardened containers, and the audit trail.

Xisom is built for an industrial network and hardened against the OWASP Top 10. This
page summarizes what protects your box and what you, as the operator, are responsible
for.

## Authentication

Two separate sign-in paths, split by purpose:

- **Operators and admins** sign in to the dashboard and API with a username and
  password and receive a **JWT** bearer token. Passwords are stored only as a
  BCrypt hash — never in plain text.
- **Partner systems** that call the external API use a **static API key**, sent in a
  request header and stored only as a BCrypt hash.

**Protect the JWT signing secret**

Each deployment has its own JWT signing secret, generated on the box at install time
and stored in a protected file. Treat it like any other secret — never share or
commit it. Rotating it signs everyone out, which is the intended effect.

## Access control

- **Deny by default.** Every endpoint requires a signed-in user unless it is
  explicitly marked public. Forgetting to protect an endpoint does not expose it.
- **Role-based.** Admin-only actions (such as sending output test writes or managing
  keys) are gated to admin accounts.
- Only sign-in and the health check are reachable without authentication.

## Brute-force protection

The login endpoint is rate-limited per source IP — repeated **failed** logins exhaust
a short window, while normal use (and an operator with several tabs open) is not
penalized. This is always on in production.

## Hardened containers

- All service containers run as **non-root** users.
- The web frontend listens on an unprivileged port inside its container.
- Service images carry health checks so the platform can detect a sick service.

## Secrets handling

- User passwords and API keys are stored only as BCrypt hashes.
- Connection-config secrets (datasource passwords, tokens) are **masked as `***`**
  when read back; the stored value is retained when you save without changing it.
- API key values are shown to you **once** at creation — store them immediately.

## Audit trail

Every login outcome (success and failure) and every external API call is recorded in
the audit log, so you can review who accessed the system and when.

## Production hardening checklist

For a production edge deployment, confirm:

- TLS termination at a reverse proxy in front of the dashboard and API.
- A strong, unique JWT signing secret per deployment (generated automatically by the
  installer).
- The interactive API explorer (Swagger) is disabled unless a partner integration
  needs it.
- Datasource connections use authenticated brokers / secured OPC-UA policies — not
  anonymous access.
- Regular backups of the data volume before any destructive operation.

**Threat model**

The platform is designed for an internal industrial network, not direct exposure to
the public internet. Place it behind your plant network's perimeter controls.

## Reporting a vulnerability

Email **security@xisom.ai** for responsible disclosure.