Security

Last updated: 2026-06-01

otut.io is designed to be a trustworthy intermediary between your customers' browsers and the analytics vendors you use. Below is a summary of the controls in place.

Transport & encryption

  • TLS 1.3 only (HSTS preload, 2-year max-age)
  • Strict CSP, X-Frame-Options: DENY, X-Content-Type-Options: nosniff
  • Passwords hashed with bcrypt(cost=12)
  • Database connections encrypted (TLS)

Webhook signing

Every call from Next.js to n8n is signed with HMAC-SHA256. The signature includes a timestamp and a unique nonce, both verified on the n8n side. Replay attacks are blocked via a 10-minute nonce window. Secret rotation is supported with zero downtime via N8N_PROXY_SECRET_PREVIOUS.

Authentication

  • NextAuth.js v5 (Auth.js) with the Credentials provider
  • JWT session, 8-hour expiry, 1-hour sliding refresh
  • Login lockout: 5 failed attempts → 15-minute lock per email
  • Role-based access: customer, admin, super_admin
  • Cross-scope login blocked (customers can't sign in at /admin)

Audit & rate limiting

  • Every privileged action (container start/stop, plan change, admin user mgmt, bKash approval) is written to audit_log
  • Per-user + per-endpoint rate limiting (Redis-backed, 60 req/min default)
  • Per-IP rate limiting on auth endpoints

Reporting a vulnerability

Found a security issue? Email security@otut.io with details. We respond within 24 hours and credit reporters for valid findings.

Questions? Contact us.