Security Overview
Security architecture, best practices, and compliance information for the soft.house platform.
Security Architecture
soft.house is built with security as a foundational requirement, not an afterthought. Our architecture implements defense-in-depth across all layers.
Protocol Security
| Protocol | Security Mechanism | Purpose |
|---|---|---|
| AP2 | ECDSA Signatures | Mandate authentication |
| AP2 | Nonce Validation | Replay attack prevention |
| ACP | HMAC Verification | Webhook integrity |
| ACP | Bearer Token Scoping | Access control |
| TAP | Ed25519 PKI | Agent identity verification |
Infrastructure Security
- Cloudflare Workers โ Edge-deployed, DDoS protection included
- Supabase RLS โ Row-Level Security on all database tables
- KV-based Rate Limiting โ Per-user and per-IP limits
- HTTPS Only โ All traffic encrypted with TLS 1.3
- HSTS โ Strict Transport Security with preload
Authentication Security
API Keys
- Keys are hashed before storage (never stored in plaintext)
- Test and live keys are isolated environments
- Keys can be scoped to specific permissions
- Automatic key rotation reminders at 90 days
Session Security
- httpOnly cookies (not accessible via JavaScript)
- Secure flag (HTTPS only)
- SameSite=Lax (CSRF protection)
- 24-hour session expiration
Data Protection
- All data encrypted at rest (AES-256)
- All data encrypted in transit (TLS 1.3)
- Database backups encrypted
- PII access logged and audited
Rate Limiting
| Endpoint Category | Limit | Window |
|---|---|---|
| General API | 100 requests | Per minute, per user |
| Authentication | 5 attempts | Per 15 minutes, per IP |
| Mandate Creation | 10 mandates | Per hour, per user |
| Webhook Delivery | 50 retries | Per 24 hours, per endpoint |
Security Headers
All responses include security headers:
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Referrer-Policy: strict-origin-when-cross-origin
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Content-Security-Policy: default-src 'self'; ...Reporting Vulnerabilities
If you discover a security vulnerability, please report it responsibly:
- Email: security@soft.house
- Do not disclose publicly until patched
- We aim to respond within 24 hours
- We do not pursue legal action for good-faith reports