QueryGlow

Security

QueryGlow uses a defense-in-depth architecture with 9 security layers. Even if one layer fails, others keep your data safe.

Internet → HTTPS/SSL → Nginx → Basic Auth → CSRF Check → Safe Mode → QueryGlow (localhost) → SSH Tunnel → Database

9 Security Layers

1. HTTPS/SSL: Let's Encrypt, TLS 1.2+
2. Nginx Proxy: security headers, rate limiting
3. Basic Auth: bcrypt-hashed credentials, 10 rounds
4. Network Isolation: localhost:3000 only
5. Encryption at Rest: AES-256-GCM
6. CSRF Protection: Origin header validation
7. SQL Injection Prevention: parameterized queries
8. SQLite Sandboxing: path restricted to /app/data
9. CSV Sanitization: formula injection protection

Core Security Features

Encryption at Rest

Database passwords and SSH private keys are encrypted with AES-256-GCM, using a key derived with scrypt, before being written to disk. They are decrypted only in memory, for the duration of an active connection.

GCM is an authenticated mode, so it also provides tamper detection: a modified ciphertext or tag fails to decrypt.

Network Isolation

The application binds to 127.0.0.1:3000 only, so it is not reachable from the internet; only the Nginx reverse proxy can connect to it.

Even if the firewall is misconfigured, the app itself refuses external connections.

Safe Mode (Default: ON)

The Query Editor blocks dangerous operations: DROP TABLE, TRUNCATE, and mass DELETE/UPDATE.

Configure this behaviour via the QUERYGLOW_ALLOW_DESTRUCTIVE environment variable.

Rate Limiting

Nginx enforces rate limits to prevent abuse:

  • Auth: 10 requests/minute (brute-force protection)
  • AI: 30 requests/minute (cost protection)

What's Protected

  • QueryGlow UI (Basic Auth)
  • All API endpoints (Auth + CSRF)
  • Database credentials (AES-256-GCM)
  • SSH private keys (encrypted)
  • HTTPS traffic (TLS 1.2+)
  • Search engine indexing (blocked)
  • SQL identifiers (injection-safe)
  • CSV exports (formula sanitized)

Roadmap (v2.0): Two-factor authentication, IP whitelisting, and audit logging are planned for future releases.