Platform Security Architecture

Security is foundational to every CodeRaft product. This document describes the security architecture shared across EntraGuard, Ravenscan and RedFox Bastion.

Encryption

AES-256-GCM at rest

All sensitive data (credentials, API keys, tenant secrets, vault entries) is encrypted at rest using AES-256-GCM with unique nonces per record. Master keys are derived via PBKDF2 (600,000 iterations) and never stored in plaintext.

TLS 1.3 in transit

All external connections use TLS 1.3. Legacy TLS versions (1.0, 1.1) and weak cipher suites are disabled. HSTS is enforced with a 1-year max-age and includeSubDomains.

Internal service communication

Services communicate over Docker bridge networks. The RedFox API-to-proxy channel uses gRPC with mTLS. Only the Nginx reverse proxy is exposed externally.

Authentication

OIDC authentication

Authentication is delegated to Microsoft Entra ID via OIDC. MFA is inherited from IdP Conditional Access policies. SAML 2.0 federation is available in the Enterprise plan.

Admin MFA

Administrative actions (user management, settings changes, API key creation) require an additional MFA challenge via TOTP, even if the IdP session is already authenticated.

API key security

API keys are stored as SHA-256 hashes and checked with a timing-safe comparison. Keys are shown once at creation and cannot be retrieved afterwards. Each key is rate limited with configurable thresholds.

WORM audit logging

Every action across all CodeRaft products is recorded in an immutable, append-only audit log. Entries form a SHA-256 hash chain for tamper detection. The audit log cannot be modified or deleted by any user, including administrators. Compliant with SOC 2, ISO 27001, NIS2, NIST 800-53 and PCI DSS 4.0 audit trail requirements.
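As an added illustration (not CodeRaft's own code), a minimal SHA-256 hash chain of the kind described above, with a verifier that reports the first entry whose hash or sequence number no longer matches; the field names and the all-zero genesis value are assumptions. Because deleting trailing entries leaves a valid chain, the verifier also accepts an externally anchored head hash (for example one forwarded to the SIEM) to catch truncation.

```python
import hashlib
import json
from datetime import datetime, timezone

# Hash-chained, append-only audit log (added illustration, not CodeRaft's own code).
# Field names and the all-zero genesis value are assumptions made for this example.
GENESIS_HASH = "0" * 64


def entry_hash(prev_hash: str, record: dict) -> str:
    # Canonical JSON (sorted keys, no whitespace) so the same record always hashes the same
    canonical = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + canonical).encode("utf-8")).hexdigest()


class AuditLog:
    def __init__(self):
        self.entries = []

    def append(self, actor: str, action: str, details: dict) -> dict:
        # Each new entry commits to the hash of its predecessor (or the genesis value)
        prev_hash = self.entries[-1]["hash"] if self.entries else GENESIS_HASH
        record = {
            "seq": len(self.entries),
            "timestamp": datetime.now(timezone.utc).isoformat(),
            "actor": actor,
            "action": action,
            "details": details,
        }
        entry = {"record": record, "prev_hash": prev_hash,
                 "hash": entry_hash(prev_hash, record)}
        self.entries.append(entry)
        return entry

    def verify(self, expected_head: str = None) -> tuple:
        # Returns (True, None), or (False, position) of the first entry that fails
        prev_hash = GENESIS_HASH
        for position, entry in enumerate(self.entries):
            record = entry["record"]
            if (record["seq"] != position
                    or entry["prev_hash"] != prev_hash
                    or entry_hash(prev_hash, record) != entry["hash"]):
                return False, position
            prev_hash = entry["hash"]
        # Removing trailing entries leaves a valid chain; detect it by comparing with a
        # head hash anchored outside the log (e.g. forwarded to the SIEM)
        if expected_head is not None and prev_hash != expected_head:
            return False, len(self.entries)
        return True, None
```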

Container security

Non-root execution

All containers run as non-root users with read-only root filesystems. Privileged containers are not used. Capabilities are dropped to the minimum required set.

Docker network isolation

Services run on isolated Docker bridge networks. Only the Nginx reverse proxy is exposed externally. Databases, Redis and internal APIs are not accessible from outside the stack.

Vulnerability scanning

The CI pipeline runs Trivy on every image build; Critical and High CVEs block the release. Dependency auditing is performed with cargo-deny (Rust), gosec (Go) and pip-audit (Python).

Network security

WAF integration

The Nginx reverse proxy runs the ModSecurity Core Rule Set (CRS), which protects against OWASP Top 10 attacks such as SQLi, XSS, path traversal and request smuggling. Rate limiting is applied per IP and per API key.

Network segmentation

Services are isolated from one another on Docker networks. Only the reverse proxy is exposed externally; databases, Redis and internal APIs sit on isolated bridge networks.

IP allowlisting

Restrict access to the management UI and API by source IP range. Configurable in Settings → Security → Network.

SIEM integration

Forward audit logs, security events and findings to your SIEM in real-time:

  • Splunk
  • Microsoft Sentinel
  • Elastic / ELK
  • IBM QRadar
  • Syslog (RFC 5424)
  • Generic webhook

License security

  • License keys are RSA-2048 signed (PKCS1v15 SHA-256) and verified locally — no phone-home required after activation
  • License payloads include organization ID, product, features, max users and expiration
  • Offline validation supported for air-gapped environments
  • Tampered licenses are rejected with a clear error and audit log entry

Privacy

  • 100% on-premise — all data stays on your infrastructure. No cloud dependency, no data exfiltration risk
  • No telemetry — CodeRaft products send zero telemetry, analytics or usage data
  • Secret redaction — structured logging with automatic redaction of passwords, tokens and keys
  • Data minimization — only the data necessary for the audit/scan/session is collected

Security questions? Contact [email protected]. For Enterprise security features, reach out to [email protected].