Security
Last updated: 2026-06-01
otut.io is designed to be a trustworthy intermediary between your customers' browsers and the analytics vendors you use. Below is a summary of the controls in place.
Transport & encryption
- TLS 1.3 only (HSTS preload, 2-year max-age)
- Strict CSP, X-Frame-Options: DENY, X-Content-Type-Options: nosniff
- Passwords hashed with bcrypt(cost=12)
- Database connections encrypted (TLS)
Webhook signing
Every call from Next.js to n8n is signed with HMAC-SHA256. The signature includes a timestamp and a unique nonce, both verified on the n8n side. Replay attacks are blocked via a 10-minute nonce window. Secret rotation is supported with zero downtime via N8N_PROXY_SECRET_PREVIOUS.
Authentication
- NextAuth.js v5 (Auth.js) with the Credentials provider
- JWT session, 8-hour expiry, 1-hour sliding refresh
- Login lockout: 5 failed attempts → 15-minute lock per email
- Role-based access:
customer,admin,super_admin - Cross-scope login blocked (customers can't sign in at
/admin)
Audit & rate limiting
- Every privileged action (container start/stop, plan change, admin user mgmt, bKash approval) is written to
audit_log - Per-user + per-endpoint rate limiting (Redis-backed, 60 req/min default)
- Per-IP rate limiting on auth endpoints
Reporting a vulnerability
Found a security issue? Email security@otut.io with details. We respond within 24 hours and credit reporters for valid findings.
Questions? Contact us.