Security
What actually protects your account, your organization, and your money — stated plainly, including what's still on the roadmap.
Credentials
- Passwords are hashed with scrypt (per-user salt). Nobody at Project Ares can read them. Minimum 8 characters; common passwords rejected.
- API keys are stored as SHA-256 hashes. The plaintext exists exactly once — on your screen at creation. A leaked database cannot reproduce your keys.
- Provider credentials (Anthropic, OpenAI, AWS) live only in the server's config, are managed exclusively by staff owners, and are masked everywhere in the UI.
Sessions & the console
- Browser sessions are httpOnly, SameSite cookies backed by a server-side session table — revocable one by one from Settings, all at once on password change.
- Every mutating console request is CSRF-checked (per-session token + strict Origin verification).
- Strict Content-Security-Policy, frame-ancestors none, nosniff, and HSTS in production.
Abuse resistance
- Login throttling: 10 failed attempts per email (or 30 per IP) in 15 minutes locks sign-in for 15 minutes; bursts are flagged to staff.
- Rate limits per IP globally and per account on the model endpoint.
- Anomaly flags: request-rate spikes per IP/user surface on the staff network dashboard in seconds, with IP-level traffic history.
- Spend limits cap the blast radius of a leaked key — and revocation is instant.
Accountability
- An append-only audit trail records every sensitive action — sign-ups, role changes, key creation/revocation, plan changes, staff grants — with actor, target, IP, and time.
- Usage events record who ran what, on which key, from which IP.
- Staff actions are tiered (support → admin → owner) and themselves audited. Staff owners can't be disabled from the console, and the last staff owner can't be demoted.
Honest roadmap
Security claims rot fast, so here's what is not done yet:
- Email verification & password reset — needs an email provider; invite links are the current pattern.
- Two-factor authentication — planned (TOTP first).
- Real payments — billing runs in clearly-labeled sandbox mode until Stripe is wired.
- SSO / SAML — on the enterprise track.
Found something? Report it to the Project Ares team — security reports are read first and answered fastest.