| Version | Supported |
|---|---|
| 2.x | ✅ Yes |
| 1.x | ❌ No |
This project implements the following security measures:
- BCrypt password hashing (cost factor 12)
- Session-based authentication with secure tokens
- TOTP-based Two-Factor Authentication (2FA)
- Login throttling (5 failed attempts → 15 minute lockout)
- Rate limiting (10 requests/minute per IP)
- All database queries use prepared statements (SQL injection prevention)
- AES-256-GCM encryption for payment API keys in database
- Input validation and sanitization
- XSS protection via Content Security Policy headers
- 2FA secrets excluded from API responses
- HMAC-SHA256 session token signing
- Webhook signature verification (Shopier HMAC-SHA256)
- Configurable CORS origin policy
- HTTPS/SSL support (Cloudflare Origin Certificates)
- Server-side key storage (keys never leave server)
- IP/HWID-based validation with auto-lock
- Grace period with SHA-256 hash integrity
- Kill switch for unauthorized usage
- Backup server failover with `valid:true` verification
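The HMAC-SHA256 session token signing and webhook signature verification listed above, as an added example that is not the project's own code. It assumes a token layout of `user_id.expiry.nonce.hex_mac` and that the webhook signature is the hex HMAC-SHA256 of the raw request body; the real Shopier header and payload format, and the project's token format, are not stated on this page. The point it shows is that both checks must use a constant-time comparison (`hmac.compare_digest`) and that expiry is checked only after the signature has been validated.

```python
"""Added example, not code from the project: HMAC-SHA256 session tokens
and webhook signature verification with constant-time comparison.

Assumptions (not on the page): token layout "user_id.expiry.nonce.mac",
one-hour lifetime, webhook signature = hex HMAC-SHA256 over the raw body.
"""
import hashlib
import hmac
import secrets
import time
from typing import Optional

TOKEN_TTL_SECONDS = 3600  # assumed session lifetime


def _mac(key: bytes, message: bytes) -> str:
    """Hex HMAC-SHA256 of message under key."""
    return hmac.new(key, message, hashlib.sha256).hexdigest()


def issue_session_token(key: bytes, user_id: str, now: Optional[float] = None) -> str:
    """Return "user_id.expiry.nonce.mac". The MAC covers user id, expiry and a
    random nonce, so neither field can be altered without the server key."""
    now = time.time() if now is None else now
    expiry = int(now) + TOKEN_TTL_SECONDS
    nonce = secrets.token_hex(8)
    payload = f"{user_id}.{expiry}.{nonce}"
    return f"{payload}.{_mac(key, payload.encode())}"


def verify_session_token(key: bytes, token: str, now: Optional[float] = None) -> Optional[str]:
    """Return the user id if the token is authentic and unexpired, else None.
    rsplit from the right keeps any dots inside user_id intact."""
    now = time.time() if now is None else now
    try:
        user_id, expiry_str, nonce, sig = token.rsplit(".", 3)
        expiry = int(expiry_str)
    except ValueError:
        return None  # malformed token
    payload = f"{user_id}.{expiry_str}.{nonce}"
    # Constant-time compare: a plain == would leak how many leading bytes match.
    if not hmac.compare_digest(_mac(key, payload.encode()), sig):
        return None
    # Expiry is trusted only after the signature has been validated.
    if now >= expiry:
        return None
    return user_id


def verify_webhook_signature(secret: bytes, raw_body: bytes, received_sig_hex: str) -> bool:
    """Check a payment webhook. Verify over the raw bytes as received, before any
    JSON parsing, so re-serialisation cannot change what was signed."""
    expected = _mac(secret, raw_body)
    return hmac.compare_digest(expected, received_sig_hex.strip().lower())


if __name__ == "__main__":
    # Constructed sample values, not real keys.
    key = b"constructed-session-key"
    tok = issue_session_token(key, "user42")
    print(tok, verify_session_token(key, tok))
    body = b'{"order_id":"123","status":"success"}'  # constructed webhook body
    print(verify_webhook_signature(b"constructed-webhook-secret", body, _mac(b"constructed-webhook-secret", body)))
```

Verify the signature against the raw request body bytes, not a parsed-and-reserialised object, and reject on any mismatch before acting on the order status.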
IMPORTANT: Never commit real credentials. Use environment variables in production.
| Variable | Purpose | Required |
|---|---|---|
| `DB_HOST` | MySQL host | Yes |
| `DB_PORT` | MySQL port | No (default: 3306) |
| `DB_NAME` | Database name | No (default: barron_licenses) |
| `DB_USER` | Database username | Yes |
| `DB_PASS` | Database password | Yes |
| `BARRON_ENCRYPTION_KEY` | AES encryption passphrase for payment keys | Recommended |
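An added example of reading the variables in the table above the way a deployment would want: required variables fail closed at startup, the documented defaults apply, and the password is redacted before the configuration is logged. It is not the project's code. How the project turns the `BARRON_ENCRYPTION_KEY` passphrase into an AES-256 key is not stated on the page; the PBKDF2 derivation, salt and iteration count below are assumptions.

```python
"""Added example, not the project's code: environment configuration with
required/default handling and passphrase-to-key derivation.

Assumptions (not on the page): PBKDF2-HMAC-SHA256 key derivation with a
fixed application salt; iteration count chosen for illustration.
"""
import hashlib
import os
from typing import Mapping, Optional

REQUIRED = ("DB_HOST", "DB_USER", "DB_PASS")
DEFAULTS = {"DB_PORT": "3306", "DB_NAME": "barron_licenses"}
SECRET_NAMES = {"DB_PASS", "BARRON_ENCRYPTION_KEY"}
KDF_ITERATIONS = 200_000  # assumed value
KDF_SALT = b"barron-payment-keys-v1"  # assumed fixed, non-secret salt


class ConfigError(ValueError):
    """Raised at startup so the service never runs with a half-configured database."""


def load_db_config(env: Optional[Mapping[str, str]] = None) -> dict:
    """Collect DB_* settings, failing closed on missing required variables."""
    env = os.environ if env is None else env
    missing = [name for name in REQUIRED if not env.get(name)]
    if missing:
        raise ConfigError("missing required environment variables: " + ", ".join(missing))
    cfg = {name: env[name] for name in REQUIRED}
    for name, default in DEFAULTS.items():
        cfg[name] = env.get(name) or default  # empty string counts as unset
    try:
        port = int(cfg["DB_PORT"])
    except ValueError:
        raise ConfigError(f"DB_PORT must be an integer, got {cfg['DB_PORT']!r}") from None
    if not 1 <= port <= 65535:
        raise ConfigError(f"DB_PORT out of range: {port}")
    cfg["DB_PORT"] = port
    return cfg


def redact(cfg: Mapping[str, object]) -> dict:
    """Copy of the config that is safe to write to logs."""
    return {k: ("***" if k in SECRET_NAMES else v) for k, v in cfg.items()}


def derive_payment_key(env: Optional[Mapping[str, str]] = None) -> Optional[bytes]:
    """Derive a 32-byte AES-256 key from the BARRON_ENCRYPTION_KEY passphrase.
    Returns None when the variable is unset; the caller should then refuse to
    store payment API keys rather than fall back to a built-in default."""
    env = os.environ if env is None else env
    passphrase = env.get("BARRON_ENCRYPTION_KEY")
    if not passphrase:
        return None
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), KDF_SALT, KDF_ITERATIONS, dklen=32)


if __name__ == "__main__":
    # Constructed environment for a stand-alone run; values are not real.
    sample_env = {"DB_HOST": "db.internal", "DB_USER": "app", "DB_PASS": "constructed-pw",
                  "BARRON_ENCRYPTION_KEY": "constructed-passphrase"}
    print(redact(load_db_config(sample_env)))
    print(derive_payment_key(sample_env).hex())
```

Using a derived key rather than the passphrase bytes directly gives a fixed 32-byte key regardless of passphrase length; a per-installation random salt stored beside the ciphertext would be the stronger choice if the project's schema allows it.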
If you discover a security vulnerability, please:
- DO NOT open a public issue
- Open a private security advisory on GitHub
- Include:
  - Description of the vulnerability
  - Steps to reproduce
  - Potential impact
We will respond within 48 hours.
- **Use HTTPS**: Always deploy behind HTTPS (Cloudflare or direct SSL)
- **Strong MySQL password**: Use complex passwords
- **Set environment variables**: Never use default secrets in production
- **Firewall**: Only expose necessary ports (default API: 8000, Web: 8080)
- **Regular backups**: Enable load balancer replication
- **Monitor logs**: Check for suspicious activity