Security is not a feature. It is the foundation.
ConsoleSentinel is built as a Tallawah-native, identity-anchored governance engine. Every layer — from authentication to infrastructure — is designed for hostile environments and enterprise-grade trust.
Identity & Access Control
ConsoleSentinel is Tallawah-native. All identity operations are delegated to the Tallawah CIAM platform — no exceptions, no fallbacks, no local overrides.
- Tallawah CIAM is the exclusive identity provider
- No local authentication or JWT creation
- No local role or permission storage
- No local session management
- All tokens are Tallawah-issued and Tallawah-validated
- OAuth 2.0 / OIDC standard flows
Data Protection
Encryption in Transit
TLS 1.2+ enforced on all connections. HSTS headers with 1-year max-age.
Secrets Management
All secrets injected at runtime via environment variables. No secrets in source code or Docker images.
Tenant Isolation
Multi-tenant data isolation enforced at every query layer. Tenant ID derived from Tallawah claims.
No Data Retention
ConsoleSentinel does not store user data. Scan results are transient and owned by the customer.
Application Security
Every request is validated. Every response is sanitized. Every edge case is handled.
SSRF Protection
Every outbound request target is validated before it is fetched and rejected if it points at a private IP range, a cloud metadata endpoint, or a non-HTTP scheme.
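The outbound check described above, as an added example that is not ConsoleSentinel's own code: a deny-list filter over the parsed URL that rejects non-HTTP schemes, private and reserved IPv4/IPv6 ranges, and a constructed list of metadata hostnames. It relies on Node's built-in WHATWG `URL` parser, which canonicalises hosts such as `2130706433` or `127.1` to dotted form before the range check runs.

```javascript
// Added example, not ConsoleSentinel's own code: reject outbound targets that use a
// non-HTTP scheme, sit in a private/reserved range, or name a cloud metadata host.
// Hostnames are checked literally; a production filter must also check every
// address DNS actually returns for the host (and pin the connection to it).
const ALLOWED_SCHEMES = new Set(["http:", "https:"]);
// Metadata hostnames used by common clouds (constructed list for this example).
const METADATA_HOSTS = new Set(["169.254.169.254", "metadata.google.internal", "metadata"]);

// RFC 1918, loopback, link-local (incl. metadata), CGNAT, "this network".
const PRIVATE_V4 = [["10.0.0.0", 8], ["172.16.0.0", 12], ["192.168.0.0", 16],
  ["127.0.0.0", 8], ["169.254.0.0", 16], ["100.64.0.0", 10], ["0.0.0.0", 8]];

const ipv4ToInt = (ip) => ip.split(".").reduce((acc, o) => (acc << 8) + Number(o), 0) >>> 0;
const isIPv4 = (h) => /^(\d{1,3}\.){3}\d{1,3}$/.test(h) && h.split(".").every((o) => Number(o) <= 255);

function isPrivateV4Int(n) {
  return PRIVATE_V4.some(([base, bits]) => {
    const mask = (~0 << (32 - bits)) >>> 0;
    return ((n & mask) >>> 0) === ((ipv4ToInt(base) & mask) >>> 0);
  });
}

function isPrivateIPv6(h) {
  if (h === "::1" || h === "::") return true;               // loopback, unspecified
  if (/^fe[89ab]/.test(h) || /^f[cd]/.test(h)) return true; // link-local, ULA
  // IPv4-mapped (::ffff:a.b.c.d); the URL parser serialises it as two hex groups.
  const m = h.match(/^::ffff:([0-9a-f]{1,4}):([0-9a-f]{1,4})$/);
  return m ? isPrivateV4Int(((parseInt(m[1], 16) << 16) | parseInt(m[2], 16)) >>> 0) : false;
}

// Returns null when the target may be fetched, otherwise the reason it was rejected.
function rejectOutboundUrl(raw) {
  let url;
  try { url = new URL(raw); } catch { return "unparseable URL"; }
  if (!ALLOWED_SCHEMES.has(url.protocol)) return `disallowed scheme ${url.protocol}`;
  // WHATWG parsing has already canonicalised hosts such as 2130706433 or 127.1.
  const host = url.hostname.replace(/^\[|\]$/g, "").toLowerCase(); // strip IPv6 brackets
  if (METADATA_HOSTS.has(host)) return "cloud metadata endpoint";
  if (isIPv4(host) && isPrivateV4Int(ipv4ToInt(host))) return "private IPv4 range";
  if (host.includes(":") && isPrivateIPv6(host)) return "private IPv6 range";
  if (host === "localhost" || host.endsWith(".localhost")) return "loopback hostname";
  return null;
}
```

Because the check runs on the parsed URL rather than the raw string, decimal, octal-free shorthand and bracketed IPv6 spellings of the same address all reach the range test in one canonical form.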
Input Validation
Schema-validated request bodies, sanitized URL parameters, and typed query parameters at every API boundary.
Error Handling
Centralized error handler. No stack traces, file paths, or internal details exposed in production responses.
Security Headers
CSP, HSTS, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, and Permissions-Policy on all responses.
Rate Limiting
IP-based and user-based sliding-window rate limiting with progressive throttling and automatic blocking.
Abuse Detection
Pattern-based abuse detection: suspicious user agents, repeat scan bursts, blocked domains, and automated flagging.
Infrastructure Security
- Non-root Docker container runtime
- Read-only filesystem where possible
- Minimal base image (Playwright slim)
- Multi-stage Docker build (no dev dependencies in runtime)
- Automated dependency vulnerability scanning
- Automated secret scanning in CI pipeline
Compliance & Governance
Threat Model
STRIDE-based threat model covering all system boundaries, data flows, and trust zones.
Audit Logging
Immutable, append-only audit logs for all identity events with 12-month retention.
Incident Response
Documented incident response plan: detect, contain, eradicate, recover, post-mortem.
Responsible Disclosure
Security researchers can report vulnerabilities to security@consolesentinel.dev.
Report a Vulnerability
Found a security issue? We take every report seriously. Please email us at security@consolesentinel.dev and we will respond within 24 hours.
We do not pursue legal action against good-faith security researchers.