🔒 OceanRemote Security Architecture
Enterprise-grade security for your IoT infrastructure
Defense in Depth
Multiple layers of security protect your devices, data, and infrastructure from unauthorized access.
Zero Trust Architecture
Every request is authenticated, authorized, and encrypted. No implicit trust between components.
Secure by Default
Security features are enabled out-of-the-box with no configuration required from users.
🖥️ Server Security
All traffic is encrypted with TLS 1.3 using a Let's Encrypt certificate. HTTP automatically redirects to HTTPS. HSTS headers force browsers to use secure connections.
Cloudflare proxy + Nginx rate limiting (20 req/sec for API, 5/min for login, 2/min for registration). Max 10 concurrent connections per IP.
Secret 43-character admin path (not /admin). Rate-limited to 10 attempts per 15 minutes. Honeypot traps bots scanning common paths.
X-Frame-Options: DENY, X-Content-Type-Options: nosniff, Referrer-Policy: same-origin, CSRF protection enabled on all forms.
Separate database user, connection pooling, and health checks. Passwords hashed with PBKDF2-SHA256 (260,000 iterations).
Automated daily backups ensure your data is safe and recoverable.
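The header values and cookie flags this page states can be checked against a live response. The following is an added example, not OceanRemote's own code: it audits a header dictionary and a list of Set-Cookie values against that policy. The sample responses and the cookie name "sessionid" are constructed for illustration.

```python
# Policy taken from the page; sample responses further down are constructed.
EXPECTED = {
    "x-frame-options": "deny",
    "x-content-type-options": "nosniff",
    "referrer-policy": "same-origin",
}

def audit_headers(headers, set_cookies=()):
    """Return sorted findings; an empty list means the stated policy holds."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    findings = []
    for name, want in EXPECTED.items():
        got = h.get(name)
        if got is None:
            findings.append(f"{name}: missing")
        elif got.lower() != want:
            findings.append(f"{name}: expected {want!r}, got {got!r}")
    # HSTS only takes effect with a positive max-age; max-age=0 clears it.
    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("strict-transport-security: missing")
    else:
        max_age = 0
        for part in hsts.split(";"):
            key, _, val = part.strip().partition("=")
            if key.strip().lower() == "max-age" and val.strip().strip('"').isdigit():
                max_age = int(val.strip().strip('"'))
        if max_age <= 0:
            findings.append("strict-transport-security: max-age missing or zero")
    # Each Set-Cookie value must carry both the HttpOnly and Secure attributes.
    for cookie in set_cookies:
        name = cookie.split("=", 1)[0].strip()
        attrs = {a.strip().split("=", 1)[0].lower() for a in cookie.split(";")[1:]}
        for flag in ("httponly", "secure"):
            if flag not in attrs:
                findings.append(f"cookie {name}: missing {flag}")
    return sorted(findings)

# Constructed samples (cookie name "sessionid" is hypothetical).
GOOD = {"Strict-Transport-Security": "max-age=31536000; includeSubDomains",
        "X-Frame-Options": "DENY", "X-Content-Type-Options": "nosniff",
        "Referrer-Policy": "same-origin"}
BAD = {"Strict-Transport-Security": "max-age=0", "X-Frame-Options": "SAMEORIGIN"}

if __name__ == "__main__":
    print(audit_headers(GOOD, ["sessionid=x; Path=/; HttpOnly; Secure"]))
    for finding in audit_headers(BAD, ["sessionid=x; Path=/; HttpOnly"]):
        print(finding)
```

Header names are compared case-insensitively, so the dictionary can be passed straight from any HTTP client's response object.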
👤 Registration & User Security
Non-intrusive bot detection on the registration form. Blocks automated account creation.
New accounts are inactive until the user clicks the confirmation link. Prevents bot account activation.
Prevents mass registration attacks. Each IP address has limited registration attempts.
Optional TOTP (Google Authenticator) support for enhanced account security.
HTTP-only, Secure cookies. Sessions auto-refresh every 60 minutes. CSRF protection on all forms.
Prevents password brute-force attacks. Excess attempts are blocked with HTTP 429.
📟 Device Security (ESP32/ESP8266)
All device-to-cloud communication encrypted. Certificate validation enabled.
24-hour expiry. Deleted after first use. Prevents device cloning.
Stored in NVS/Preferences (hashed). Used for all subsequent authentication.
Each session bound to device MAC address. Session ID + MAC required for authentication.
Firmware updates cryptographically signed. Devices verify signature before installing.
Hardware watchdog prevents device freezes. Auto-resets on malfunction.
WiFi configuration requires password. User sets custom AP credentials during firmware generation.
Prevents API abuse from compromised devices.
🔌 API Security
All API endpoints require valid user authentication. Unauthenticated requests return 401.
Users can only access their own devices. No cross-user data leakage.
HTML browsable API disabled in production. Reduces attack surface.
Prevents API abuse and DDoS attacks.
📊 Monitoring & Auditing
All security events logged: registrations, logins, token generation, device transfers, deletions.
Email notifications for registrations from known bot/datacenter IP ranges.
All admin access attempts logged with IP address and timestamp.
Fake admin paths (/admin, /wp-admin, etc.) log and block automated scanners.