Security
Hydron takes security seriously at every level — from account protection to data encryption to server hardening. This page covers the security features available to you and the best practices for using them.
Two-factor authentication (2FA)
Two-factor authentication adds an extra layer of security to your account. Even if someone knows your password, they can't sign in without your 2FA code.
Enabling 2FA
- Go to Settings > Security
- Click Enable Two-Factor Authentication
- Scan the QR code with your authenticator app (Google Authenticator, Authy, 1Password, etc.)
- Enter the 6-digit code from your authenticator to confirm
- Save your backup codes in a secure location
Using 2FA
After enabling 2FA, you'll be asked for a 6-digit code each time you sign in:
- Enter your email and password
- Open your authenticator app
- Enter the current 6-digit code
- Click Verify
Backup codes
When you enable 2FA, you receive one-time backup codes. These can be used if you lose access to your authenticator app:
- Each code can only be used once
- Store them in a secure location (password manager, printed copy in a safe)
- Generate new backup codes from Settings if you run out
Disabling 2FA
- Go to Settings > Security
- Click Disable Two-Factor Authentication
- Enter your current 2FA code to confirm
- 2FA is now disabled
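The server-side logic behind the enable, sign-in, backup-code and disable flows above, as an added example that is not Hydron's own code: TOTP (RFC 6238, the scheme authenticator apps implement) verified with a one-step clock-drift window and replay protection, plus single-use backup codes stored only as hashes. The `TwoFactor` class and its fields are a hypothetical model, not Hydron's actual schema.

```python
import hashlib
import hmac
import secrets
import struct

STEP, DIGITS, WINDOW = 30, 6, 1   # 30 s steps, 6-digit codes, +-1 step of clock drift


def hotp(secret: bytes, counter: int) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** DIGITS).zfill(DIGITS)


def totp(secret: bytes, at: int) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(secret, at // STEP)


class TwoFactor:
    """Constructed model of one account's 2FA state (hypothetical, not Hydron's schema)."""

    def __init__(self, secret: bytes):
        self.secret = secret          # shared with the authenticator app via the QR code
        self.last_step_used = -1      # a given TOTP code is accepted at most once
        self.backup_hashes = set()    # only hashes of backup codes are stored

    def generate_backup_codes(self, count: int = 10) -> list:
        """Replace any existing backup codes; the plaintext list is shown to the user once."""
        codes = [secrets.token_hex(4) for _ in range(count)]
        # Codes are 32 bits of fresh randomness, so an unsalted SHA-256 is adequate here.
        self.backup_hashes = {hashlib.sha256(c.encode()).hexdigest() for c in codes}
        return codes

    def verify_totp(self, code: str, now: int) -> bool:
        """Accept the code for the current step or one step either side, never twice."""
        step = now // STEP
        for candidate in range(step - WINDOW, step + WINDOW + 1):
            if candidate <= self.last_step_used:
                continue              # already consumed, or older than the last accepted code
            if hmac.compare_digest(hotp(self.secret, candidate).encode(), code.strip().encode()):
                self.last_step_used = candidate
                return True
        return False

    def verify_backup(self, code: str) -> bool:
        digest = hashlib.sha256(code.strip().lower().encode()).hexdigest()
        if digest in self.backup_hashes:
            self.backup_hashes.discard(digest)   # each backup code works exactly once
            return True
        return False
```

Call `verify_totp` with `int(time.time())` in production; the same check gates the "Disable Two-Factor Authentication" confirmation.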
Session management
Active sessions
View all your active sessions from Settings > Sessions:
- See which devices and browsers are signed in
- View IP addresses and locations
- See when each session was last active
- Sign out individual sessions or all sessions at once
Session security
Hydron protects your sessions with:
- Token rotation — Refresh tokens are rotated on each use
- IP validation — Sessions are tied to IP addresses (optional)
- User agent validation — Sessions are tied to browser fingerprints (optional)
- Automatic expiry — Inactive sessions expire after a set period
Data encryption
At rest
- Credentials — Server SSH keys and API credentials are encrypted with AES-256
- Environment variables — Sensitive values are encrypted before storage
- Passwords — Hashed with bcrypt/argon2 (never stored in plaintext)
In transit
- HTTPS everywhere — All connections use TLS 1.2 or 1.3
- SSH — Server communication uses SSH with key-based authentication
- API calls — All API traffic is encrypted
Server security
When Hydron provisions a server, it automatically applies security best practices:
| Security measure | Description |
|---|---|
| Firewall | UFW configured to allow only necessary ports |
| SSH hardening | Key-based auth only, root password login disabled |
| Fail2ban | Automatic IP blocking after failed login attempts |
| OS updates | Latest security patches applied during provisioning |
| Docker isolation | Applications run in isolated containers |
| HTTPS | Automatic SSL certificate provisioning |
Best practices
Account security
- Use a strong, unique password — At least 12 characters with mixed case, numbers, and symbols
- Enable 2FA — Adds significant protection against unauthorized access
- Use OAuth — Sign in with Google or GitHub for additional security
- Review sessions regularly — Sign out of devices you don't recognize
- Don't share credentials — Each team member should have their own account
Application security
- Use environment variables — Never hardcode secrets in your code
- Rotate secrets periodically — Change API keys and passwords regularly
- Limit SSH access — Only allow SSH from known IP addresses
- Keep dependencies updated — Regularly update your application dependencies
- Monitor logs — Check deployment and server logs for suspicious activity
Infrastructure security
- Don't expose unnecessary ports — Only expose ports that need public access
- Use internal networking — Services should communicate via internal networks, not public IPs
- Back up your data — Regularly back up databases and important data
- Monitor server resources — Unusual CPU or network usage may indicate a security issue