SECURITY ARCHITECTURE

Enterprise-Grade Security.
Zero Compromises.

Security isn't a feature in TenzoShare — it's the foundation. Every layer of the stack is hardened with industry best practices, from password hashing to network isolation.

15+ Security Layers · 256-bit AES Encryption · Zero Implicit Trust · 7yr Audit Retention
Authentication & Access Control
PASSWORDS

Argon2id Hashing

Memory-hard hashing with time=1, mem=64MB, threads=4, keylen=32 plus a server-side pepper stored as an environment variable.

Argon2id · Pepper · Memory-hard
TOKENS

RS256 JWT

2048-bit RSA key pair. Access tokens expire in 15 minutes. Refresh tokens valid for 7 days. JTI revocation via Redis blacklist — logout and password change both invalidate the current token.

RS256 · RSA-2048 · JTI Revocation
MFA

TOTP MFA

Time-based One-Time Passwords via pquerna/otp. Full setup, verify, enable, and disable lifecycle. Compatible with any TOTP app (Google Authenticator, Authy, etc.).

TOTP · RFC 6238 · App-Compatible
AUTHORIZATION

RBAC — Role-Based Access

Four built-in roles with fine-grained permissions enforced at every API endpoint.

admin
user
guest
auditor
LOCKOUT

Account Lockout

Automatic account lockout after N failed login attempts. Tracks failed_login_attempts and locked_until in the database.

Brute-Force Protection
API KEYS

API Key Management

SHA-256 hashed keys stored in the database. Raw key returned exactly once at creation time. Only the key prefix is shown in listings — never the full secret.

SHA-256 · One-time Reveal
Encryption
AT REST

AES-256-GCM Encryption

Every file is encrypted on upload using AES-256 in Galois/Counter Mode. A cryptographically random 12-byte nonce is prepended to each ciphertext. Decryption happens transparently at download time — no manual key management for users.

# Encryption model
ciphertext = AES-256-GCM(plaintext, key, nonce=random(12))
stored = nonce || ciphertext
key = derived from master key per-file
AES-256-GCM · Random Nonce · Authenticated · Per-file Keys
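The encryption model above worked as Go code. This is an added example, not TenzoShare's own code; the per-file key derivation is left out because the page does not specify it, so a 32-byte file key is passed in directly.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"io"
)

const nonceSize = 12 // the 12-byte random nonce prepended to each ciphertext

// newGCM builds an AES-256-GCM AEAD; a 32-byte key selects AES-256.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Encrypt returns nonce || ciphertext (the GCM tag is part of the ciphertext),
// i.e. the page's "stored = nonce || ciphertext" layout.
func Encrypt(key, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, nonceSize)
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil { // fresh CSPRNG nonce per upload
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil // Seal appends output after the nonce
}

// Decrypt splits off the nonce; Open verifies the tag before releasing any plaintext.
func Decrypt(key, stored []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(stored) < nonceSize+gcm.Overhead() {
		return nil, errors.New("stored blob too short to hold nonce and tag")
	}
	return gcm.Open(nil, stored[:nonceSize], stored[nonceSize:], nil)
}
```

Open fails on any modified byte of nonce, ciphertext or tag, which is what the "Authenticated" label above refers to; the per-file key plus a fresh random nonce is what keeps a (key, nonce) pair from ever being reused.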
IN TRANSIT

TLS 1.3 Minimum

All API and web traffic requires TLS 1.3 or newer. Optional mTLS is available for inter-service communication between containers.

TLS 1.3 · mTLS Optional
DOWNLOAD TOKENS

Browser-Safe Tokens

Short-lived HS256 tokens for browser downloads. 15-minute expiry. No Authorization header needed for file delivery.

HS256 · 15-min Expiry
Rate Limiting
5 attempts
Login Rate Limit

5 login attempts per 15 minutes, per IP address. Redis INCR with TTL.

10 req / hr
Registration

10 registration requests per hour, per IP. Prevents mass account creation.

5 req / hr
Password Reset

5 password reset requests per hour, per IP. Prevents enumeration attacks.

10 uploads / hr
Guest Uploads

10 guest file uploads per hour, per IP. Prevents abuse of anonymous sharing.

100 req / min
Per-User Global

100 requests per minute per authenticated user, system-wide.

1,000 req / min
Per-IP Global

1,000 requests per minute per IP address across all endpoints.
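The "Redis INCR with TTL" pattern behind the login limit, written out in Go as an added example (not TenzoShare's code). The Counter interface and the in-memory memStore are assumptions standing in for the real Redis client; the same Limiter with a different key prefix, limit and window covers the other per-IP and per-user limits listed above.

```go
package main

import "time"

// Counter is the subset of Redis the limiter needs: INCR and EXPIRE (added abstraction).
type Counter interface {
	Incr(key string) int64
	Expire(key string, ttl time.Duration)
}

type Limiter struct {
	store  Counter
	limit  int64
	window time.Duration
}

// Allow counts one request for key (e.g. "login:"+ip). The TTL is set only
// when INCR created the key, so repeated attempts never extend the window.
func (l *Limiter) Allow(key string) bool {
	n := l.store.Incr(key)
	if n == 1 {
		l.store.Expire(key, l.window)
	}
	return n <= l.limit
}

// LoginLimiter applies the page's login policy: 5 attempts per 15 minutes per IP.
func LoginLimiter(store Counter) *Limiter {
	return &Limiter{store: store, limit: 5, window: 15 * time.Minute}
}

// memStore is a single-goroutine in-memory stand-in for Redis with INCR/EXPIRE
// semantics and an injectable clock; an expired key restarts from zero on its next INCR.
type memStore struct {
	now func() time.Time
	val map[string]int64
	exp map[string]time.Time
}

func (m *memStore) Incr(key string) int64 {
	if t, ok := m.exp[key]; ok && !m.now().Before(t) {
		delete(m.val, key) // window elapsed: Redis would have dropped the key
	}
	m.val[key]++
	return m.val[key]
}

func (m *memStore) Expire(key string, ttl time.Duration) {
	m.exp[key] = m.now().Add(ttl)
}
```

If the process dies between INCR and EXPIRE the key is left without a TTL and that IP stays counted forever; issuing both commands from one Lua script or MULTI block closes that gap.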

HTTP Security Headers

Applied on All API Services & Nginx

Every response from TenzoShare includes a comprehensive set of security headers that protect against clickjacking, MIME sniffing, XSS, and information leakage.

X-Frame-Options: DENY — prevents clickjacking
X-Content-Type-Options: nosniff — stops MIME-type sniffing
Referrer-Policy — controls referrer information leakage
Permissions-Policy — restricts browser feature access
Content-Security-Policy: default-src 'self' — XSS mitigation
HSTS — HTTP Strict Transport Security enforced
CORS — configurable CORS_ALLOWED_ORIGINS
middleware/stack.go
// Middleware stack on every protected service
router.Use(
	middleware.SecurityHeaders,
	middleware.CORS(cfg.AllowedOrigins),
	middleware.JWTAuth(rsaPublicKey),
	middleware.TokenRevocation(redisClient),
	middleware.RequireRole(role),
	middleware.RateLimit(redis, limits),
)

// No inter-service implicit trust
// Auth required at EVERY layer
Audit & Compliance

Immutable Audit Trail

Every action in TenzoShare is recorded in an append-only, structured JSON audit log. The log is cryptographically tamper-evident and partitioned by date for efficient querying.

All auth attempts (login, MFA, password reset)
All file operations (upload, download, delete, share)
Admin actions and permission changes
Failed authorization attempts
Guest actions with IP, user-agent, and geo data
GDPR (EU Privacy) · HIPAA (Healthcare) · SOC 2 (Trust Criteria) · ISO 27001 (Info Security)
audit_log entry (JSON) WORM · Append-only
{
  "id":          "01HX7K...",
  "timestamp":   "2026-05-02T14:23:11Z",
  "event":       "file.download",
  "actor":       "user:alice",
  "resource":    "file:Q9r3x...",
  "ip":          "203.0.113.42",
  "user_agent":  "Mozilla/5.0...",
  "geo":         "DE, Berlin",
  "result":      "success",
  "retention_until": "2033-05-02"
}
Admin portal — Audit Logs (screenshot: admin audit logs table)
Infrastructure & Network Security

Traefik v3 Gateway

TLS termination, intelligent routing, rate limiting, and health-check gating. Only the gateway is exposed externally.


Docker Network Isolation

All services communicate on an isolated Docker network. No service is directly reachable from outside the host.


gRPC Inter-Service

No cross-service database queries. Data access only via gRPC. Eliminates lateral movement if one service is compromised.


Admin API Isolation

Admin APIs are only accessible with an admin role JWT. Enforced by middleware.

Want a security review?

Our enterprise support includes a dedicated security onboarding, compliance review, and direct access to the core team.