Security is a core priority for MiraBridge. This page covers the security measures in place.
Authentication
- Argon2 password hashing — industry-standard memory-hard algorithm
- JWT tokens — short-lived access tokens with refresh rotation
- OAuth — GitHub and Google integration (tokens via postMessage, not URL params)
- Token revocation — JTI tracking for instant invalidation
Encryption
- AES-256-GCM — all sensitive data encrypted at rest
- TLS 1.3 — all data encrypted in transit
- API key encryption — BYOK keys are encrypted before storage
Rate Limiting
Three-bucket rate limiting protects against abuse:
- Auth bucket — login, register, token refresh
- AI bucket — chat requests, tool executions
- Default bucket — all other API endpoints
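The reason for three separate buckets is isolation: a burst of chat requests must not consume the allowance for login attempts, and vice versa, while any route nobody thought to classify still lands in a limited default bucket. Below is an added example (not MiraBridge's code) of a token-bucket limiter keyed per bucket and per client with a route classifier in front of it; the route patterns, the per-minute limits and the choice of client key are constructed assumptions.

```javascript
// Added example (not MiraBridge code): three-bucket token-bucket rate limiter.
// Route patterns and limits are constructed assumptions.
const POLICIES = {
  auth:    { capacity: 5,   refillPerMinute: 5 },   // login / register / refresh
  ai:      { capacity: 20,  refillPerMinute: 20 },  // chat requests, tool executions
  default: { capacity: 100, refillPerMinute: 100 }, // everything else
};

// Map a request path to a bucket. Unknown routes fall into "default" so a
// forgotten route is still limited rather than unlimited.
function classify(path) {
  if (/^\/api\/auth\/(login|register|refresh)$/.test(path)) return 'auth';
  if (/^\/api\/(chat|tools)(\/|$)/.test(path)) return 'ai';
  return 'default';
}

class TokenBucketLimiter {
  // `now` (milliseconds) is injectable so behaviour is deterministic in tests.
  constructor(policies, now = () => Date.now()) {
    this.policies = policies;
    this.now = now;
    this.state = new Map(); // "<bucket>:<clientKey>" -> { tokens, updated }
  }

  // clientKey: source IP for the auth bucket (caller is not yet authenticated),
  // user id for the others, so one user cannot drain another's allowance.
  check(bucket, clientKey) {
    const policy = this.policies[bucket] ?? this.policies.default;
    const key = `${bucket}:${clientKey}`;
    const t = this.now();
    let s = this.state.get(key);
    if (!s) {
      s = { tokens: policy.capacity, updated: t };
      this.state.set(key, s);
    }
    // Continuous refill proportional to elapsed time, capped at capacity so
    // idle time cannot bank an unbounded burst.
    s.tokens = Math.min(policy.capacity, s.tokens + ((t - s.updated) * policy.refillPerMinute) / 60000);
    s.updated = t;
    if (s.tokens >= 1) {
      s.tokens -= 1;
      return { allowed: true, remaining: Math.floor(s.tokens), retryAfterMs: 0 };
    }
    // Time until one whole token is available again; surface as Retry-After.
    const retryAfterMs = Math.ceil(((1 - s.tokens) * 60000) / policy.refillPerMinute);
    return { allowed: false, remaining: 0, retryAfterMs };
  }
}

// classify + check in one call, the shape a middleware would use.
function limit(limiter, path, clientKey) {
  return limiter.check(classify(path), clientKey);
}
```

In a multi-instance deployment the `state` map would live in a shared store (for example an atomic script in Redis) so that all instances count against the same bucket; the per-instance map shown here is enough to illustrate the bucket arithmetic and the isolation between buckets.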
Attack Protection
- BOLA/IDOR — resource access scoped to authenticated user
- SSRF — URL validation prevents internal network access
- XSS — HTML escaping in all user-facing output
- SQL injection — parameterized queries via Prisma ORM
- Input validation — strict whitelist validation on all endpoints
Next Steps
- Data Privacy — GDPR compliance
- Enterprise — self-hosting for full control