<!-- llms-txt: https://hydron.app/llms.txt -->
<!-- llms-full-txt: https://hydron.app/llms-full.txt -->
<!-- canonical: https://hydron.app/docs/security -->

# Security

Hydron takes security seriously at every level — from account protection to data encryption to server hardening. This page covers the security features available to you and best practices.

## Two-factor authentication (2FA)

Two-factor authentication adds an extra layer of security to your account. Even if someone knows your password, they can't sign in without your 2FA code.

### Enabling 2FA

1. Go to **Settings** > **Security**
2. Click **Enable Two-Factor Authentication**
3. Scan the QR code with your authenticator app (Google Authenticator, Authy, 1Password, etc.)
4. Enter the 6-digit code from your authenticator to confirm
5. Save your **backup codes** in a secure location

### Using 2FA

After enabling 2FA, you'll be asked for a 6-digit code each time you sign in:

1. Enter your email and password
2. Open your authenticator app
3. Enter the current 6-digit code
4. Click **Verify**

### Backup codes

When you enable 2FA, you receive one-time backup codes. These can be used if you lose access to your authenticator app:

- Each code can only be used once
- Store them in a secure location (password manager, printed copy in a safe)
- Generate new backup codes from Settings if you run out

### Disabling 2FA

1. Go to **Settings** > **Security**
2. Click **Disable Two-Factor Authentication**
3. Enter your current 2FA code to confirm
4. 2FA is now disabled

## Session management

### Active sessions

View all your active sessions from **Settings** > **Sessions**:

![Account settings with security and profile management options](/images/docs/account-settings.png)

- See which devices and browsers are signed in
- View IP addresses and locations
- See when each session was last active
- **Sign out** individual sessions or all sessions at once

### Session security

Hydron protects your sessions with:

- **Token rotation** — Refresh tokens are rotated on each use
- **IP validation** — Sessions are tied to IP addresses (optional)
- **User agent validation** — Sessions are tied to browser fingerprints (optional)
- **Automatic expiry** — Inactive sessions expire after a set period

## Data encryption

### At rest

- **Credentials** — Server SSH keys and API credentials are encrypted with AES-256
- **Environment variables** — Sensitive values are encrypted before storage
- **Passwords** — Hashed with bcrypt/argon2 (never stored in plaintext)

### In transit

- **HTTPS everywhere** — All connections use TLS 1.2 or 1.3
- **SSH** — Server communication uses SSH with key-based authentication
- **API calls** — All API traffic is encrypted

## Server security

When Hydron provisions a server, it automatically applies security best practices:

| Security measure | Description |
|-----------------|-------------|
| **Firewall** | UFW configured to allow only necessary ports |
| **SSH hardening** | Key-based auth only, root password login disabled |
| **Fail2ban** | Automatic IP blocking after failed login attempts |
| **OS updates** | Latest security patches applied during provisioning |
| **Docker isolation** | Applications run in isolated containers |
| **HTTPS** | Automatic SSL certificate provisioning |
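
As an added check that is not part of Hydron's own tooling, the POSIX shell script below audits an `sshd_config` file for the two SSH rows of the table (key-based auth only, root password login disabled). It assumes current OpenSSH defaults for keywords that are not set, and the sample configs it writes are constructed, not taken from a provisioned server.

```shell
# Print the effective value of one sshd_config keyword, or $3 if it is unset.
# OpenSSH uses the FIRST value it reads for a keyword, so a hardening line at the
# end of the file is silently shadowed by an earlier one. Directives inside a Match
# block are conditional, so parsing stops there; Include lines are not followed.
sshd_effective() {
  kw=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
  awk -v kw="$kw" -v def="$3" '
    /^[ \t]*(#|$)/ { next }               # comment or blank line
    tolower($1) == "match" { exit }       # conditional section: stop here
    {
      line = $0; sub(/^[ \t]+/, "", line)
      if (match(line, /^[^ \t=]+/)) {     # keyword, then " value" or "=value"
        k = tolower(substr(line, RSTART, RLENGTH))
        v = substr(line, RLENGTH + 1)
        sub(/^[ \t]*=?[ \t]*/, "", v); sub(/[ \t\r]+$/, "", v)
        if (k == kw) { print v; found = 1; exit }
      }
    }
    END { if (!found) print def }' "$2"
}

# Return 0 when the file enforces the two SSH rows of the table: key-based auth
# only and no root password login. Defaults are those of current OpenSSH.
audit_sshd() {
  f=$1; rc=0
  pa=$(sshd_effective PasswordAuthentication "$f" yes)
  prl=$(sshd_effective PermitRootLogin "$f" prohibit-password)
  kb=$(sshd_effective KbdInteractiveAuthentication "$f" "")
  # Older configs use the deprecated alias ChallengeResponseAuthentication.
  [ -n "$kb" ] || kb=$(sshd_effective ChallengeResponseAuthentication "$f" yes)
  [ "$pa" = no ] || { echo "FAIL PasswordAuthentication=$pa (want no)"; rc=1; }
  [ "$kb" = no ] || { echo "FAIL KbdInteractiveAuthentication=$kb (want no)"; rc=1; }
  case $prl in
    no|prohibit-password|without-password) ;;
    *) echo "FAIL PermitRootLogin=$prl (want no or prohibit-password)"; rc=1 ;;
  esac
  return $rc
}

# Constructed sample configs, not taken from any real server.
HARDENED=$(mktemp); WEAK=$(mktemp)
trap 'rm -f "$HARDENED" "$WEAK"' EXIT
printf '%s\n' 'PermitRootLogin prohibit-password' 'PasswordAuthentication no' \
  'KbdInteractiveAuthentication no' >"$HARDENED"
# The early "yes" wins; the "no" appended at the end never takes effect.
printf '%s\n' 'PasswordAuthentication yes' 'ChallengeResponseAuthentication no' \
  'PasswordAuthentication no' >"$WEAK"
audit_sshd "$HARDENED" && echo "hardened sample: OK"
audit_sshd "$WEAK" || echo "weak sample: review required"
```

On a live host, `sudo sshd -T` prints the effective configuration, including values pulled in through `Include`, and is the authoritative check.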

## Best practices

### Account security

- **Use a strong, unique password** — At least 12 characters with mixed case, numbers, and symbols
- **Enable 2FA** — Adds significant protection against unauthorized access
- **Use OAuth** — Sign in with Google or GitHub for additional security
- **Review sessions regularly** — Sign out of devices you don't recognize
- **Don't share credentials** — Each team member should have their own account

### Application security

- **Use environment variables** — Never hardcode secrets in your code
- **Rotate secrets periodically** — Change API keys and passwords regularly
- **Limit SSH access** — Only allow SSH from known IP addresses
- **Keep dependencies updated** — Regularly update your application dependencies
- **Monitor logs** — Check deployment and server logs for suspicious activity

### Infrastructure security

- **Don't expose unnecessary ports** — Only expose ports that need public access
- **Use internal networking** — Services should communicate via internal networks, not public IPs
- **Back up your data** — Regularly back up databases and important data
- **Monitor server resources** — Unusual CPU or network usage may indicate a security issue
