Flowtriq Security | Infrastructure, Cryptography & Data Protection

Security at Flowtriq

Cryptography · Infrastructure · Access Control · Agent · Database · Staff Access · April 2026

Security is a core design constraint, not an afterthought. This page documents the specific technical controls Flowtriq applies across every layer of its platform.

Infrastructure

Cloudflare CDN & proxy — all traffic proxied before reaching origin
Cloudflare WAF & DDoS — unlimited mitigation capacity at the edge
Turnstile bot protection — on all forms and sensitive endpoints
Canada-hosted — primary servers and database in Canada
Directory listing disabled — no file enumeration possible

Cryptography

bcrypt + per-password salts — all passwords hashed with bcrypt (PHP password_hash)
HMAC-SHA256 webhook signing — all outbound webhooks signed; timestamp included to prevent replay
SHA-256 audit chain — each audit log entry hashes all fields plus the previous entry's hash
CSPRNG tokens — all API keys, CSRF tokens, and download tokens derived from random_bytes(32)
Timing-safe comparisons — hash_equals() used for all token and credential validation

Access Control

4-tier RBAC — Owner, Admin, Analyst, Readonly across every workspace
TOTP + email 2FA — both methods available for all accounts
Session fixation prevention — session_regenerate_id(true) on every login
Secure cookies — HttpOnly, SameSite=Lax, Secure, strict mode enforced
CSRF protection — 32-byte random tokens on all state-changing requests

Audit Logging

SHA-256 hash chain — every entry includes prev_hash + all current fields hashed together; chain breakage is detectable
Complete coverage — logins, role changes, API key events, config changes, mitigation actions
Indefinite retention — no automatic expiry; pseudonymised on account deletion
Offline verification — chain integrity verifiable without Flowtriq involvement
CSV / JSON export — for SIEM, auditors, and compliance submissions
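
An offline check of the kind described above, as an added example that is not Flowtriq's code or export format. It assumes each exported entry is a JSON object carrying prev_hash and hash, and that the entry hash is SHA-256 over canonical JSON of the other fields; only SHA-256, the inclusion of the previous hash and the zero-hash origin come from the page.

```python
import hashlib
import json

ZERO_HASH = "0" * 64  # the page says the chain originates from a zero hash

def entry_hash(entry: dict) -> str:
    """SHA-256 over every field except the stored hash (prev_hash included).
    Canonical JSON is an assumed serialization, not Flowtriq's documented one."""
    body = {k: v for k, v in entry.items() if k != "hash"}
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()

def append_entry(chain: list, fields: dict) -> None:
    """Append one entry in the assumed export format (used for sample data)."""
    entry = dict(fields, prev_hash=chain[-1]["hash"] if chain else ZERO_HASH)
    entry["hash"] = entry_hash(entry)
    chain.append(entry)

def verify_chain(chain: list) -> list:
    """Return (index, reason) for every break; an empty list means intact."""
    problems = []
    expected_prev = ZERO_HASH
    for i, entry in enumerate(chain):
        if entry.get("prev_hash") != expected_prev:
            problems.append((i, "prev_hash does not match preceding entry"))
        if entry_hash(entry) != entry.get("hash"):
            problems.append((i, "stored hash does not match entry fields"))
        expected_prev = entry.get("hash")
    return problems

def sample_chain() -> list:
    """Constructed sample entries; field names are hypothetical."""
    chain = []
    append_entry(chain, {"ts": "2026-04-01T10:00:00Z", "actor": "owner@example.test", "event": "login"})
    append_entry(chain, {"ts": "2026-04-01T10:05:00Z", "actor": "owner@example.test", "event": "role_change"})
    append_entry(chain, {"ts": "2026-04-01T10:09:00Z", "actor": "admin@example.test", "event": "api_key_rotated"})
    return chain

if __name__ == "__main__":
    edited = sample_chain()
    edited[1]["event"] = "login"   # in-place edit of a past entry
    removed = sample_chain()
    del removed[1]                 # deletion from the middle of the log
    print(verify_chain(sample_chain()), verify_chain(edited), verify_chain(removed))
```

A chain check cannot see entries removed from the end of an export, so record the latest hash after each export and compare it against the next one.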

Application Security

HSTS — max-age 1 year, includeSubDomains; forces HTTPS sitewide
Content Security Policy — strict allowlist for scripts, styles, frames, and connections
X-Frame-Options: SAMEORIGIN — clickjacking protection
X-Content-Type-Options: nosniff — MIME sniffing blocked
Rate limiting — brute-force protection on login; per-token rate limits on the API

Agent Security

Outbound-only — agent pushes data via HTTPS POST; no inbound ports required on monitored servers
Per-node Bearer tokens — unique 64-char hex key per node; rotatable at any time
Circuit breaker — 5 consecutive API failures triggers open state; auto-recovers after 60s
PCAP is opt-in — disabled by default; enabled per node at customer's discretion
Open source audit — ftagent-lite is MIT-licensed and publicly auditable on GitHub

Penetration Testing

Tested by Lorikeet Security

Flowtriq conducts annual penetration testing of its platform in partnership with Lorikeet Security. Testing covers the web application, API endpoints, authentication flows, and agent communication channels. Findings are remediated before deployment and verified in follow-up testing.

Pen test reports and attestation letters are available to enterprise customers under NDA. Contact [email protected] to request access.

Cryptography in Detail

| What | Algorithm / Method | Purpose |
| --- | --- | --- |
| User passwords | bcrypt via PHP password_hash() — adaptive cost factor, unique salt embedded per hash | Passwords are never stored in plaintext or in a reversible form. Even if the database were accessed, individual passwords cannot be recovered without brute-force against bcrypt's intentionally slow hashing. |
| All tokens (API keys, CSRF tokens, PCAP download tokens, email verification codes) | bin2hex(random_bytes(32)) — 256 bits of entropy from the operating system's CSPRNG | All tokens are cryptographically random. Guessing or enumerating them is computationally infeasible. |
| Token and credential comparison | PHP hash_equals() — constant-time comparison | Prevents timing attacks where an attacker could guess characters one by one by measuring response time differences. |
| Outbound webhook payload signing | HMAC-SHA256 over the request body; X-Flowtriq-Signature: sha256=<sig> and X-Flowtriq-Timestamp headers included | Receiving systems can verify that a webhook was sent by Flowtriq and has not been tampered with in transit. The timestamp prevents replay attacks. |
| Audit log integrity chain | SHA-256 hash of all fields in an entry concatenated with the previous entry's hash. Chain originates from a zero hash. | Any modification or deletion of an audit log entry breaks the chain. Integrity is verifiable offline by recomputing hashes without requiring Flowtriq's involvement. |
| All data in transit | TLS — HSTS with max-age=31536000, includeSubDomains | All communication between browsers, the ftagent, and the Flowtriq platform is encrypted. HTTP connections are permanently redirected to HTTPS. |
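
A receiver-side check for the signed webhooks described in the table above, as an added example rather than Flowtriq's code. The header names and HMAC-SHA256 over the request body come from the page; the hex digest encoding, Unix-seconds timestamp, 300-second window and seen-signature cache are assumptions.

```python
import hashlib
import hmac
import time

MAX_SKEW_SECONDS = 300  # assumed tolerance; the page does not state a window

def sign_body(secret: bytes, body: bytes) -> str:
    """Header value in the documented form sha256=<sig> (hex digest assumed)."""
    return "sha256=" + hmac.new(secret, body, hashlib.sha256).hexdigest()

def verify_webhook(secret: bytes, body: bytes, headers: dict, seen: dict, now=None):
    """Return (ok, reason). `seen` maps accepted signatures to arrival time."""
    now = time.time() if now is None else now
    hdr = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    received = hdr.get("x-flowtriq-signature", "")
    if not received.startswith("sha256="):
        return False, "missing or malformed signature"
    try:
        sent_at = int(hdr.get("x-flowtriq-timestamp", ""))  # Unix seconds assumed
    except ValueError:
        return False, "missing or malformed timestamp"
    # Recompute over the raw bytes as received, then compare in constant time
    expected = sign_body(secret, body)
    if not hmac.compare_digest(expected.encode(), received.encode()):
        return False, "signature mismatch"
    if abs(now - sent_at) > MAX_SKEW_SECONDS:
        return False, "stale timestamp"
    # Forget signatures older than the window, then refuse repeats inside it
    for sig in [s for s, t in seen.items() if now - t > MAX_SKEW_SECONDS]:
        del seen[sig]
    if expected in seen:
        return False, "replayed delivery"
    seen[expected] = now
    return True, "ok"

def sample_delivery():
    """Constructed secret, body and headers; all values are made up."""
    secret = b"constructed-shared-secret"
    body = b'{"event":"incident.opened","severity":"high"}'
    headers = {"X-Flowtriq-Signature": sign_body(secret, body),
               "X-Flowtriq-Timestamp": "1775000000"}
    return secret, body, headers
```

Pass the raw request bytes, not a re-serialized JSON object, or valid deliveries will fail verification.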

Agent Architecture & Security

Outbound-only data model

The ftagent communicates exclusively by pushing data outbound to the Flowtriq API via HTTPS POST. The Flowtriq platform never initiates connections to monitored servers. This means:

  • No inbound firewall ports need to be opened on monitored servers for Flowtriq to function
  • The attack surface on monitored infrastructure is zero — there is no listener for Flowtriq to exploit
  • Network firewalls can be configured to allow only the specific outbound HTTPS connection to the Flowtriq API

What the agent transmits

| Data Type | Endpoint | Contents |
| --- | --- | --- |
| Metrics | POST /api/v1/agent/metrics | Per-second aggregate counters: packets per second, bits per second, TCP/UDP/ICMP percentage breakdown, connection count. No payload content, no IP lists, no application data. |
| Incident report | POST /api/v1/agent/incidents | Attack family, severity, confidence score, peak PPS/BPS, estimated source IP count, geographic and ASN distribution (percentages, not raw IP lists), spoofing/botnet flags. |
| Incident updates | POST /api/v1/agent/incidents/{uuid} | Status updates (escalation, mitigation actions) during an ongoing incident. |
| PCAP upload (opt-in) | POST /api/v1/agent/incidents/{uuid}/pcap | Packet capture files from the ring buffer. Chunked at 2 MB per request. Contains IP header data from the customer's network. Only transmitted when PCAP capture is enabled for the node by the customer. |
| Configuration fetch | GET /api/v1/agent/config | Agent retrieves its own node configuration (thresholds, rules, IOC patterns) from the API. Authenticated with Bearer token. |

Resilience

The agent implements a circuit breaker for API communication: after 5 consecutive failed API calls, the circuit opens and the agent pauses transmissions for 60 seconds before retrying. During an open circuit, the agent continues monitoring and detecting locally — detection, local mitigation, and BGP escalation all remain fully operational regardless of API connectivity. This means a Flowtriq platform outage does not disable your DDoS protection.

Database & Storage Security

Database

  • Localhost-only binding — the database is bound to localhost and is not accessible over the network. There is no exposed database port.
  • Parameterized queries throughout — all database queries use PDO with ATTR_EMULATE_PREPARES = false, meaning true server-side prepared statements are used. This eliminates SQL injection as an attack class.
  • Dedicated limited-privilege database user — the application connects with a service account scoped to only the permissions required for normal operation.
  • Passwords stored as bcrypt hashes — even with full database read access, user passwords are not recoverable.

PCAP file storage

  • Stored outside the web root — PCAP files are stored on the filesystem outside the publicly accessible document root. They cannot be accessed by guessing a URL.
  • Time-limited download tokens — each PCAP download requires a cryptographically random 64-character token that expires after 24 hours.
  • Tenant ownership enforced — the download handler verifies that the requesting session's workspace matches the PCAP's owning workspace before serving the file.
  • Path traversal prevention — realpath() validation confirms the resolved file path is within the permitted storage directory before any file operation.
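
The checks in the list above combined into one download decision, as an added example in Python rather than the platform's PHP handler. The record layout, function names and reason strings are hypothetical, and os.path.realpath stands in for PHP's realpath().

```python
import hmac
import os
import tempfile

TOKEN_TTL_SECONDS = 24 * 3600  # the page states download tokens expire after 24 hours

def resolve_inside(base_dir: str, name: str):
    """Return the resolved path if it is a file inside base_dir, else None."""
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, name))  # collapses ".." and symlinks
    # Compare whole path components: a plain string-prefix test would accept
    # /data/pcaps_old/x as being "inside" /data/pcaps
    if os.path.commonpath([base, target]) != base:
        return None
    return target if os.path.isfile(target) else None

def authorize_download(record: dict, token: str, workspace_id: int, base_dir: str, now: float):
    """Return (path, reason); path is None whenever the request is refused."""
    if not hmac.compare_digest(record["token"].encode(), token.encode()):
        return None, "bad token"
    if now - record["issued_at"] > TOKEN_TTL_SECONDS:
        return None, "token expired"
    if record["workspace_id"] != workspace_id:
        return None, "wrong workspace"
    path = resolve_inside(base_dir, record["filename"])
    if path is None:
        return None, "path outside storage"
    return path, "ok"

def make_sample_store() -> str:
    """Constructed layout: <tmp>/pcaps/a.pcap, a sibling <tmp>/pcaps_old/b.pcap,
    and a symlink inside pcaps/ that points at the sibling file."""
    root = tempfile.mkdtemp()
    for rel in ("pcaps/a.pcap", "pcaps_old/b.pcap"):
        os.makedirs(os.path.dirname(os.path.join(root, rel)), exist_ok=True)
        with open(os.path.join(root, rel), "wb") as fh:
            fh.write(b"constructed")
    os.symlink(os.path.join(root, "pcaps_old", "b.pcap"),
               os.path.join(root, "pcaps", "link.pcap"))
    return os.path.join(root, "pcaps")
```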

Sensitive file protection

  • Files with extensions .env, .bak, .sql, .log, .ini are blocked at the web server level and return HTTP 403.
  • Internal application directories (/config/, /lib/) are blocked from direct browser access via rewrite rules.
  • Directory listing is disabled globally.

Session & Authentication Security

| Control | Implementation |
| --- | --- |
| Session fixation prevention | session_regenerate_id(true) is called on every successful login, destroying the pre-authentication session ID and issuing a new one. |
| Secure session cookies | HttpOnly (inaccessible to JavaScript), Secure (HTTPS-only transmission), SameSite=Lax (cross-site request protection), strict mode (unknown session IDs rejected). |
| Session timeout | Sessions expire after 30 days of inactivity. Sessions are explicitly destroyed on logout, with the cookie cleared. |
| CSRF protection | All state-changing requests require a per-session CSRF token generated from random_bytes(32) and validated with hash_equals(). |
| Brute-force protection | Login attempts are rate-limited per IP address. Accounts are not enumerated in error messages — the same response is returned for an unknown email as for a wrong password. |
| Multi-factor authentication | TOTP authenticator app (RFC 6238) and email-based one-time codes. Available on all accounts; enforced at workspace level when required by the workspace owner. |
| Webhook URL validation | Outbound webhook destinations are validated to be HTTPS-only. Private IP ranges and loopback addresses are blocked to prevent server-side request forgery (SSRF). |
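
One way to implement the webhook URL validation in the last row of the table above, as an added example that is not Flowtriq's code; the function names and the injectable resolver are assumptions. It checks every address the host resolves to and returns them so the caller can connect to a vetted address instead of resolving the name a second time.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

def resolve_all(host: str) -> list:
    """Default resolver: every address the name maps to (A and AAAA)."""
    infos = socket.getaddrinfo(host, 443, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})

def validate_webhook_url(url: str, resolver=resolve_all):
    """Return (ok, reason, addresses); connect only to the returned addresses."""
    try:
        parts = urlsplit(url)
        host = parts.hostname
    except ValueError:
        return False, "unparseable URL", []
    if parts.scheme != "https":
        return False, "scheme must be https", []
    if not host:
        return False, "no host in URL", []
    try:
        addrs = [str(ipaddress.ip_address(host))]  # host is an IP literal
    except ValueError:
        try:
            addrs = resolver(host)
        except OSError:
            addrs = []
    if not addrs:
        return False, "host does not resolve", []
    for addr in addrs:
        ip = ipaddress.ip_address(addr)
        # Unwrap IPv4-mapped IPv6 such as ::ffff:10.0.0.5 before classifying
        mapped = getattr(ip, "ipv4_mapped", None)
        ip = ip if mapped is None else mapped
        # is_global is False for loopback, RFC 1918, link-local and reserved ranges
        if not ip.is_global:
            return False, "resolves to a non-public address", []
    return True, "ok", addrs
```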

Staff Access to Customer Data

Flowtriq staff do not access customer workspace data in the normal course of business operations. Access to production customer data by Flowtriq personnel occurs only in the following circumstances:

  • At a customer's explicit request — for example, when a customer contacts support to troubleshoot an issue and grants permission for Flowtriq staff to inspect relevant records.
  • To comply with a lawful legal request — such as a valid court order, subpoena, or law enforcement demand that Flowtriq is legally obligated to fulfil.

Customer data is encrypted or hashed wherever possible, and access is strictly minimal. All staff access to production systems is logged in the audit trail.

Data requests: To submit a lawful data request or to understand how Flowtriq responds to law enforcement, contact [email protected].

HTTP Security Headers

| Header | Value | Purpose |
| --- | --- | --- |
| Strict-Transport-Security | max-age=31536000; includeSubDomains | Forces HTTPS for one year across all subdomains. |
| Content-Security-Policy | Explicit source allowlist | Restricts script, style, font, image, frame, and connection sources. Blocks inline injection attacks. |
| X-Frame-Options | SAMEORIGIN | Prevents embedding in third-party iframes. Mitigates clickjacking. |
| X-Content-Type-Options | nosniff | Prevents MIME-type sniffing. |
| Referrer-Policy | strict-origin-when-cross-origin | Limits referrer data sent to third-party origins to the origin only. |
| Permissions-Policy | camera=(), microphone=(), geolocation=(), payment=(self) | Disables camera, microphone, and geolocation browser APIs. |
| TDM-Reservation | 1 | Text and data mining reservation (EU DSM Directive 2019/790 Art. 4). |

Vulnerability Disclosure

Flowtriq welcomes responsible disclosure of security vulnerabilities. Please report before publishing publicly so we can investigate and remediate first.

| Step | What to expect |
| --- | --- |
| Submit | Email [email protected] with a description, reproduction steps, and any relevant evidence. |
| Acknowledgement | Within 2 business days. |
| Investigation | We reproduce the issue, assess severity, and keep the reporter updated throughout. |
| Remediation | Critical and high-severity issues are prioritised. We communicate the fix timeline. |
| Disclosure | Coordinated with the reporter. Researchers are credited if they wish to be. |

Scope: flowtriq.com and subdomains, the Flowtriq REST API, the ftagent binary, and ftagent-lite. Out of scope: social engineering, DoS attacks against Flowtriq infrastructure, third-party services.

Security: [email protected]  ·  Privacy: [email protected]  ·  Legal / DPA: [email protected]