Security

Built for least-trust

The security choices that shape every endpoint, secret, and session in KolayLogin.

Cryptographic posture

  • Per-app RSA-2048 keypairs. JWKS rotates on a 30-day cadence with a 24h overlap window.
  • Session JWTs are 60-second RS256 tokens. Long-lived sessions live in a rotating __client HttpOnly cookie.
  • RSA private keys, TOTP seeds, and webhook secrets are wrapped in AES-GCM with the workspace KEK.
  • Argon2id for password hashing (configurable cost). Pwned-password check against HIBP k-anonymity.
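The k-anonymity check named above, as an added example that is not KolayLogin's own code: only the first five hex characters of the password's SHA-1 leave the client, and the remaining 35 are matched locally against the returned range. The range response is a constructed stand-in for the live `https://api.pwnedpasswords.com/range/<prefix>` endpoint; `pwned_count` and `offline_range_lookup` are names assumed here.

```python
import hashlib
from typing import Callable, Dict

# Constructed stand-in for a HIBP range response for prefix "5BAA6".
# The real endpoint returns hundreds of "SUFFIX:COUNT" lines; three suffice here.
SAMPLE_RANGE_RESPONSES: Dict[str, str] = {
    "5BAA6": (
        "003D68EB55068C33ACE09247EE4C639306B:3\r\n"
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471\r\n"
        "012C192B2F16F82EA0EB9EF18D9D539B0DD:1\r\n"
    ),
}


def hibp_range_url(prefix: str) -> str:
    """URL a live fetcher would call; note it carries only the 5-char prefix."""
    return f"https://api.pwnedpasswords.com/range/{prefix}"


def offline_range_lookup(prefix: str) -> str:
    """Offline fetcher returning the constructed sample (empty for unknown prefixes)."""
    return SAMPLE_RANGE_RESPONSES.get(prefix, "")


def pwned_count(password: str,
                fetch_range: Callable[[str], str] = offline_range_lookup) -> int:
    """Return how many times `password` appears in the breach corpus (0 if absent).

    k-anonymity: SHA-1(password) is split into a 5-char prefix that is sent to
    the range endpoint and a 35-char suffix that is compared locally, so the
    service never sees the full hash and cannot tell which candidate was queried.
    """
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    prefix, suffix = digest[:5], digest[5:]
    for line in fetch_range(prefix).splitlines():
        candidate, sep, count = line.strip().partition(":")
        if sep and candidate == suffix:
            return int(count)
    return 0


if __name__ == "__main__":
    # "password" is a well-known breached value; the empty string is not in the sample.
    print(pwned_count("password"))  # 3730471 in the constructed sample
    print(pwned_count(""))          # 0
```

A live fetcher would be a one-line `urllib.request.urlopen(hibp_range_url(prefix)).read().decode()`, and a signup or password-change handler would reject any password with a non-zero count.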

Network & transport

  • TLS 1.2+ enforced (1.3 preferred); HSTS + Secure cookies.
  • SameSite=Lax sessions. CORS allowlist per workspace.
  • Caddy reverse proxy for prod; X-Forwarded-Proto trust required.

Application controls

  • Per-route rate limits (Redis sliding window): auth, OTP, signup.
  • MFA factors: TOTP, passkeys (WebAuthn), backup codes, SMS OTP.
  • Stripe webhook idempotency; replay-safe event handlers.
  • Audit log on every privileged dashboard action.

Operational controls

  • Daily Postgres backups + off-site retention; restore drills quarterly.
  • Trivy vulnerability scan in CI; block on fixable CRITICAL/HIGH.
  • Read-only deploy keys for prod; SSH protected by ed25519 + IP allowlist.
  • Incident response runbook with 1h ack and 24h public-comms SLA for Sev-1.

Reporting a vulnerability

Email security@kolaylogin.com — we acknowledge within 24h. Coordinated disclosure preferred; we credit reporters in release notes once a fix ships.