Security

Xisom is built for an industrial network and hardened against the OWASP Top 10. This page summarizes what protects your box and what you, as the operator, are responsible for.

Two separate sign-in paths, split by purpose:

  • Operators and admins sign in to the dashboard and API with a username and password and receive a JWT bearer token. Passwords are stored only as a BCrypt hash — never in plain text.
  • Partner systems that call the external API use a static API key, sent in a request header and stored only as a BCrypt hash.

Authorization on every endpoint:

  • Deny by default. Every endpoint requires a signed-in user unless it is explicitly marked public. Forgetting to protect an endpoint does not expose it.
  • Role-based. Admin-only actions (such as sending output test writes or managing keys) are gated to admin accounts.
  • Only sign-in and the health check are reachable without authentication.
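The deny-by-default and role-gating rules above can be checked with a small model of the dispatcher. This is an added example written for this page, not Xisom's own code; the route paths, the `public` and `roles` markers and the sample principals are constructed for illustration. The point it demonstrates is that an endpoint registered with no marker at all is still protected, so an omitted annotation fails closed rather than open.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional, Set, Tuple


@dataclass
class Principal:
    """A signed-in user (from a JWT) or partner (from an API key)."""
    name: str
    roles: Set[str]


@dataclass
class Endpoint:
    handler: Callable[[], str]
    public: bool = False                      # default: protected
    roles: Set[str] = field(default_factory=set)  # empty: any signed-in user


class Router:
    """Registers handlers and enforces deny-by-default before dispatching."""

    def __init__(self) -> None:
        self.routes: Dict[str, Endpoint] = {}

    def route(self, path: str, public: bool = False, roles=()):
        def register(fn: Callable[[], str]) -> Callable[[], str]:
            self.routes[path] = Endpoint(fn, public, set(roles))
            return fn
        return register

    def dispatch(self, path: str, principal: Optional[Principal]) -> Tuple[int, str]:
        ep = self.routes.get(path)
        if ep is None:
            return 404, "not found"
        if not ep.public:
            # Authentication first: no principal means no access, whatever the route.
            if principal is None:
                return 401, "authentication required"
            # Then role gating: an admin-only route needs an admin principal.
            if ep.roles and not (ep.roles & principal.roles):
                return 403, "forbidden"
        return 200, ep.handler()


router = Router()


@router.route("/health", public=True)          # explicitly public
def health() -> str:
    return "ok"


@router.route("/api/tags")                     # no marker: protected by default
def tags() -> str:
    return "tag list"


@router.route("/api/outputs/test-write", roles={"admin"})  # admin-only action
def test_write() -> str:
    return "test write queued"


# Constructed sample principals (hypothetical names and roles).
OPERATOR = Principal("op1", {"operator"})
ADMIN = Principal("admin1", {"operator", "admin"})

if __name__ == "__main__":
    for path, who in [("/health", None), ("/api/tags", None),
                      ("/api/tags", OPERATOR),
                      ("/api/outputs/test-write", OPERATOR),
                      ("/api/outputs/test-write", ADMIN)]:
        print(path, getattr(who, "name", "anonymous"), router.dispatch(path, who))
```

Note the order of checks: authentication is decided before roles, so an anonymous caller gets 401 on an admin route rather than a 403 that would confirm the route exists and is role-gated.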

The login endpoint is rate-limited per source IP — repeated failed logins exhaust a short window, while normal use (and an operator with several tabs open) is not penalized. This is always on in production.
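A sliding-window limiter that counts only failed attempts per source IP has the property described above: a burst of failures locks the address out for the window, while any number of successful logins from the same address costs nothing. This is an added example, not the product's implementation; the limit of 5 failures per 60 seconds, the IP addresses and the fake clock are constructed for illustration.

```python
import time
from collections import defaultdict, deque
from typing import Callable, Deque, Dict, List


class LoginRateLimiter:
    """Per-IP sliding window over *failed* login timestamps.

    Successful logins are never recorded, so an operator with several tabs
    open (many valid sign-ins) is not penalized; only repeated failures are.
    """

    def __init__(self, max_failures: int = 5, window_seconds: float = 60.0,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self.max_failures = max_failures
        self.window = window_seconds
        self.clock = clock
        self._failures: Dict[str, Deque[float]] = defaultdict(deque)

    def _prune(self, ip: str, now: float) -> Deque[float]:
        """Drop failures that have aged out of the window."""
        q = self._failures[ip]
        while q and now - q[0] >= self.window:
            q.popleft()
        return q

    def is_limited(self, ip: str) -> bool:
        return len(self._prune(ip, self.clock())) >= self.max_failures

    def record_failure(self, ip: str) -> None:
        now = self.clock()
        self._prune(ip, now).append(now)


def attempt_login(limiter: LoginRateLimiter, ip: str, password_ok: bool) -> str:
    """Outcome of one login attempt: 'ok', 'denied' or 'rate_limited'."""
    if limiter.is_limited(ip):
        return "rate_limited"        # rejected before the password is checked
    if password_ok:
        return "ok"                  # success is not counted against the window
    limiter.record_failure(ip)
    return "denied"


class FakeClock:
    """Deterministic clock so the window can be advanced in a test."""

    def __init__(self) -> None:
        self.t = 0.0

    def __call__(self) -> float:
        return self.t

    def advance(self, seconds: float) -> None:
        self.t += seconds


def simulate() -> List[str]:
    """Five failures from one address, then a correct password from it, then a reset."""
    clock = FakeClock()
    limiter = LoginRateLimiter(max_failures=5, window_seconds=60.0, clock=clock)
    bad_ip, good_ip = "10.0.0.1", "10.0.0.2"   # constructed sample addresses
    out = [attempt_login(limiter, bad_ip, False) for _ in range(5)]
    out.append(attempt_login(limiter, bad_ip, True))    # locked out despite a valid password
    out.append(attempt_login(limiter, good_ip, True))   # other address unaffected
    clock.advance(61)                                   # window expires
    out.append(attempt_login(limiter, bad_ip, True))
    return out


if __name__ == "__main__":
    print(simulate())
```

Because the limiter keys on the source IP, a deployment behind a reverse proxy must pass the real client address through (for example via a trusted forwarded-for header); otherwise every login appears to come from the proxy and one client's failures lock everyone out.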

Hardening defaults and secret handling:

  • All service containers run as non-root users.
  • The web frontend listens on an unprivileged port inside its container.
  • Service images carry health checks so the platform can detect a sick service.
  • User passwords and API keys are stored only as BCrypt hashes.
  • Connection-config secrets (datasource passwords, tokens) are masked as *** when read back; the stored value is retained when you save without changing it.
  • API key values are shown to you once at creation — store them immediately.
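The masking rule for connection-config secrets (read back as `***`, stored value kept when saved unchanged) has one subtle requirement: the literal mask must never be written back as the real secret. The example below is added for this page, not Xisom's code; the field names `password` and `token` and the sample config are constructed.

```python
from typing import Dict, FrozenSet

MASK = "***"
SECRET_FIELDS: FrozenSet[str] = frozenset({"password", "token"})  # assumed field names


def mask_secrets(stored: Dict[str, str],
                 secret_fields: FrozenSet[str] = SECRET_FIELDS) -> Dict[str, str]:
    """What the UI/API returns: every non-empty secret replaced by MASK.

    An empty secret stays empty so the operator can see it is unset.
    """
    return {k: (MASK if k in secret_fields and v else v) for k, v in stored.items()}


def merge_submitted(stored: Dict[str, str], submitted: Dict[str, str],
                    secret_fields: FrozenSet[str] = SECRET_FIELDS) -> Dict[str, str]:
    """What gets persisted after a save.

    A secret field still equal to MASK means 'unchanged': the stored value is
    kept. Any other value replaces it. The mask itself is never stored; if
    there is no stored value to fall back on, the field is saved as empty.
    """
    merged = dict(submitted)
    for key in secret_fields:
        if merged.get(key) == MASK:
            merged[key] = stored.get(key, "")
    return merged


# Constructed sample datasource config (not a real credential).
STORED = {"host": "broker.local", "username": "edge01",
          "password": "s3cret-example", "token": ""}


def roundtrip_unchanged() -> Dict[str, str]:
    """Operator edits only the host and saves the form as it was read back."""
    form = mask_secrets(STORED)
    form["host"] = "broker2.local"
    return merge_submitted(STORED, form)


def roundtrip_new_password() -> Dict[str, str]:
    """Operator types a new password; it replaces the stored one."""
    form = mask_secrets(STORED)
    form["password"] = "new-example"
    return merge_submitted(STORED, form)


if __name__ == "__main__":
    print(mask_secrets(STORED))
    print(roundtrip_unchanged())
    print(roundtrip_new_password())
```

One consequence of this scheme worth checking in any implementation: a secret whose real value happens to equal the mask string cannot be round-tripped, so the save path should reject `***` as a new secret value rather than silently keeping the old one.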

Every login outcome (success and failure) and every external API call is recorded in the audit log, so you can review who accessed the system and when.

For a production edge deployment, confirm:

  • TLS termination at a reverse proxy in front of the dashboard and API.
  • A strong, unique JWT signing secret per deployment (generated automatically by the installer).
  • The interactive API explorer (Swagger) is disabled unless a partner integration needs it.
  • Datasource connections use authenticated brokers / secured OPC-UA policies — not anonymous access.
  • Regular backups of the data volume before any destructive operation.

Email security@xisom.ai for responsible disclosure.