
Security Model

Ideon secures requests at multiple layers: proxy, API route validation, database row level security in Postgres, and WebSocket authorization.

Proxy Security Headers

The proxy applies a Content Security Policy, frame protection, and, on HTTPS, HSTS. It also issues a per-response nonce for script tags.

Authentication and Authorization

  • Auth is handled by NextAuth with JWT sessions.
  • API routes enforce authentication with shared server utilities.
  • Admin endpoints require admin or superadmin roles.

Database Row Level Security

Postgres uses row level security policies to scope data access per user. Each request sets app.current_user_id before DB queries.
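As an added example (not Ideon's own database code), the helper below shows the per-request step this section describes: set app.current_user_id inside a transaction, run the request's queries, and commit, so the RLS policies see the right user. The table, column and policy names, and the assumption that user ids are UUIDs, are made up for the illustration; the client is a constructed fake that records statements in place of node-postgres.

```javascript
// Added example (not Ideon's own code). Scopes Postgres RLS to one user for the
// duration of a transaction. Assumes a node-postgres style client with
// query(text, params); here a fake client records calls instead.

// Policy the helper relies on (hypothetical table/column names). The second
// argument to current_setting makes a missing value NULL rather than an error,
// and a NULL comparison matches no rows, so an unscoped query returns nothing.
const DOCUMENTS_RLS_SQL = `
  ALTER TABLE documents ENABLE ROW LEVEL SECURITY;
  ALTER TABLE documents FORCE ROW LEVEL SECURITY;
  CREATE POLICY documents_owner ON documents
    USING (owner_id = current_setting('app.current_user_id', true)::uuid);
`;

const UUID_RE = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;

async function withUserScope(client, userId, work) {
  // Never run request queries without an authenticated id; an empty or
  // malformed value would either error out or, worse, be silently ignored.
  if (typeof userId !== 'string' || !UUID_RE.test(userId)) {
    throw new Error('refusing to run queries without an authenticated user id');
  }
  await client.query('BEGIN');
  try {
    // SET LOCAL cannot take bind parameters, which tempts people to interpolate
    // the id into the SQL text. set_config(name, value, is_local=true) takes a
    // parameter and is transaction-scoped, so a pooled connection does not
    // carry one user's id into the next request that borrows it.
    await client.query("SELECT set_config('app.current_user_id', $1, true)", [userId]);
    const result = await work(client);
    await client.query('COMMIT');
    return result;
  } catch (err) {
    await client.query('ROLLBACK');
    throw err;
  }
}

// Constructed fake client: records every statement instead of talking to Postgres.
function fakeClient() {
  const log = [];
  return {
    log,
    async query(text, params = []) {
      log.push({ text, params });
      return { rows: [] };
    },
  };
}

// Runs one scoped request and returns the statement log for inspection.
async function demo(userId) {
  const client = fakeClient();
  await withUserScope(client, userId, (c) => c.query('SELECT id FROM documents'));
  return client.log;
}
```

The point to check in review is that the user id travels as a bind parameter and the setting is local to the transaction; a session-level SET on a pooled connection survives the request and leaks into whoever gets that connection next.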

WebSocket Authorization

Realtime connections validate the user session and ensure the user has access to the requested project document.
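The block below is an added example, not Ideon's code, covering the two checks described in this section and in Authentication and Authorization above: an API route guard that requires a session and, for admin endpoints, an admin or superadmin role, and a realtime handshake that resolves the requested document to its project and requires membership. The session shape (userId, role), the project/document tables and the ids in them are constructed for the illustration.

```javascript
// Added example (not Ideon's own code): deny-by-default authorization checks
// for API routes, admin endpoints and WebSocket document access, run against a
// constructed in-memory dataset.

const ADMIN_ROLES = new Set(['admin', 'superadmin']);

// Constructed data: project membership and the project each document belongs to.
const db = {
  projectMembers: {
    'proj-1': new Set(['u-alice', 'u-bob']),
    'proj-2': new Set(['u-carol']),
  },
  documents: { 'doc-10': 'proj-1', 'doc-20': 'proj-2' },
};

// Shared guard: a session without a user id is anonymous, not a partial login.
function requireSession(session) {
  if (!session || typeof session.userId !== 'string' || session.userId === '') {
    return { ok: false, status: 401, reason: 'unauthenticated' };
  }
  return { ok: true, status: 200 };
}

// Admin endpoints: authenticated and holding one of the admin roles.
function requireAdmin(session) {
  const auth = requireSession(session);
  if (!auth.ok) return auth;
  if (!ADMIN_ROLES.has(session.role)) {
    return { ok: false, status: 403, reason: 'forbidden' };
  }
  return { ok: true, status: 200 };
}

// Realtime handshake: validate the session, map the document to its project,
// then require membership. An unknown document gets the same 403 as a document
// the user cannot see, so the endpoint does not reveal which ids exist.
function authorizeDocumentSocket(session, docId, data = db) {
  const auth = requireSession(session);
  if (!auth.ok) return auth;
  const projectId = data.documents[docId];
  const members = projectId ? data.projectMembers[projectId] : undefined;
  if (!members || !members.has(session.userId)) {
    return { ok: false, status: 403, reason: 'no access to document' };
  }
  return { ok: true, status: 200, projectId };
}
```

For a WebSocket the check belongs at the upgrade, before the socket is accepted, and needs repeating whenever the client subscribes to a different document over the same connection; a connection authorized once for one document is not a pass for the rest of the project.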

SSRF Protection

Link previews validate URLs and block restricted destinations before fetching metadata.