HelloJohn / docs
Security

Security

How HelloJohn protects your users and your data — from password hashing to token signing, rate limiting, and vulnerability disclosure.

Security

HelloJohn is built with security as a first-class concern. This page summarizes the security model, default behaviors, and configuration options.

Threat model

HelloJohn protects against:

ThreatMitigation
Password theftArgon2id hashing, never stored in plaintext
Token forgeryEd25519-signed JWTs, short TTL (15 min)
Credential stuffingRate limiting, lockouts, breach detection
Session hijackingRefresh token rotation, IP/UA binding (optional)
Replay attacksShort-lived tokens, nonce tracking for magic links
Brute forceExponential backoff after failed attempts
CSRFSameSite=Lax cookies, CORS origin validation
Bot sign-upsConfigurable bot detection (Turnstile, hCaptcha, custom)
PhishingMFA, passkeys, SAML SSO
Supply chainMinimal dependencies, signed release artifacts

Password security

HelloJohn uses Argon2id to hash passwords — the winner of the Password Hashing Competition, recommended by OWASP and NIST.

Default parameters:

algorithm: Argon2id
memory:    64 MB
iterations: 3
parallelism: 2
salt length: 16 bytes (random per password)
hash length: 32 bytes

These parameters are tuned to take approximately 100ms on modern hardware — fast enough for good UX, slow enough to be computationally expensive to crack.

Passwords are never logged, never stored in plaintext, and never returned in API responses.

See Password Policy for configuring minimum strength requirements.

Token security

Access tokens

  • Format: JSON Web Token (JWT)
  • Algorithm: EdDSA (Ed25519) by default; HS256 supported
  • TTL: 15 minutes (configurable)
  • Verification: Stateless — verify via JWKS, no network call per request
  • Contents: sub, email, tenant_id, org_id, role, iat, exp

Refresh tokens

  • Format: Opaque 256-bit random string
  • Storage: Hashed with SHA-256 in PostgreSQL (never stored raw)
  • TTL: 30 days (configurable)
  • Rotation: Every use issues a new refresh token and invalidates the old one
  • Family tracking: Reuse of an old token immediately revokes the entire token family
  • Format: Opaque 128-bit random string
  • TTL: 15 minutes (configurable)
  • Single-use: Token is invalidated immediately after first use
  • Rate limited: 5 requests per email per 10-minute window

JWKS endpoint

Public keys for JWT verification are available at:

GET /.well-known/jwks.json

Cache the response with the Cache-Control max-age header (typically 1 hour). Keys are rotated on a schedule; the JWKS endpoint always serves all currently valid keys.

Session security

FeatureDefaultConfiguration
Refresh token rotation✓ enabledREFRESH_TOKEN_ROTATION
Token family revocation✓ enabledAlways on
IP binding✗ disabledSESSION_BIND_IP=true
User agent binding✗ disabledSESSION_BIND_UA=true
Concurrent session limitunlimitedSESSION_MAX_CONCURRENT

IP binding rejects refresh token use from a different IP than the one that obtained it. Useful for high-security environments, but causes issues for mobile users on changing networks.

Email security

  • Magic link tokens are single-use and expire in 15 minutes
  • Email verification links expire in 24 hours
  • Password reset links expire in 1 hour
  • All tokens are generated with crypto/rand (CSPRNG)
  • Email sending uses SMTP with STARTTLS or TLS

Transport security

  • HelloJohn itself only serves HTTP — TLS is terminated at the reverse proxy
  • All external integrations (SMTP, OAuth providers, webhooks) use TLS
  • Webhook payloads are signed with HMAC-SHA256

Cryptographic randomness

All tokens, secrets, and nonces are generated using crypto/rand — the OS-provided cryptographically secure pseudorandom number generator (CSPRNG). math/rand is never used for security-sensitive values.

Dependencies

HelloJohn minimizes its dependency tree to reduce supply chain risk. Key dependencies:

PackagePurpose
golang.org/x/cryptoArgon2id, Ed25519, bcrypt
github.com/lestrrat-go/jwx/v2JWT creation and verification
github.com/jackc/pgx/v5PostgreSQL driver
github.com/go-redis/redis/v9Redis client

All dependencies are pinned with go.sum checksums. Release artifacts are signed with Cosign.

Compliance

HelloJohn is designed to help you achieve compliance with:

  • SOC 2 Type II — Audit logs, MFA, access controls, encryption at rest (your DB)
  • GDPR — User deletion, data export, consent management
  • HIPAA — Audit logs, MFA enforcement, session timeout, encryption
  • ISO 27001 — Access control policies, audit trails, incident response

HelloJohn Cloud holds a SOC 2 Type II report. Contact security@hellojohn.dev for a copy under NDA.

Next steps

Password Policy

Configure minimum password strength requirements

Rate Limiting

Protect against brute force and credential stuffing

Bot Detection

Integrate CAPTCHA and bot protection

Key Rotation

Rotate JWT signing keys without downtime

Vulnerability Disclosure

Report security vulnerabilities responsibly

Exporting Audit Logs

Export HelloJohn audit logs to CSV, JSON, or forward to SIEM systems for compliance and security monitoring.

Password Policy

Configure minimum password strength requirements, breach detection, and password change policies in HelloJohn.

On this page

SecurityThreat modelPassword securityToken securityAccess tokensRefresh tokensMagic link tokensJWKS endpointSession securityEmail securityTransport securityCryptographic randomnessDependenciesComplianceNext steps