Security Built Into
Every Layer
PageSpace uses opaque session tokens, per-event authorization, and distributed rate limiting to protect your data at every step.
Opaque Session Tokens
Unlike JWTs that can be decoded by anyone, PageSpace uses opaque tokens with hash-only storage for maximum security.
Hash-Only Storage
We never store your actual session token—only a SHA-256 hash. Even if our database were compromised, attackers couldn't use the hashes.
- 256 bits of entropy per token
- SHA-256 one-way hashing
- Stateful validation on every request
Instant Revocation
Sessions can be revoked immediately—no waiting for token expiration. Password changes invalidate all existing sessions.
- Revoke individual sessions or all sessions
- Token versioning on password change
- Admin role versioning prevents privilege escalation
Per-Event WebSocket Authorization
Real-time collaboration doesn't mean relaxed security. Every write operation is authorized in real-time.
Write Authorization
Document updates, file uploads, and task changes are re-authorized on every event—not just at connection time.
Short-Lived Tokens
Socket tokens expire in 5 minutes, limiting exposure if intercepted. Connection requires fresh authentication.
Signed Broadcasts
Inter-service communication uses HMAC-SHA256 signatures with timestamp validation to prevent replay attacks.
Distributed Rate Limiting
Protection against brute force attacks with rate limiting that persists across restarts and IP changes.
- Login protection
5 attempts per 15 minutes, per IP and per email
- Account lockout
15-minute lockout after 10 failed attempts (database-backed)
- Signup throttling
3 signups per hour to prevent abuse
Why Database-Backed Lockout?
Lockout state isn't lost when servers restart
Attackers can't bypass by changing IP addresses
Lockout expires automatically after 15 minutes
Authentication
Multiple secure authentication methods with strong password requirements and OAuth integration.
Email & Password
Strong password requirements with bcrypt hashing (cost factor 12).
- Minimum 12 characters
- Uppercase, lowercase, and numbers required
- bcrypt with cost factor 12
OAuth (Google & Apple)
Secure OAuth flows with signed state parameters and strict redirect validation.
- HMAC-signed state parameters
- Strict redirect URL validation
- Authorization code flow only (no implicit)
CSRF Protection
All state-changing requests require CSRF validation with HMAC-signed tokens and timing-safe comparison. Even login forms have CSRF protection via a separate pre-login system.
Questions About Security?
Read our security documentation or contact us for more details about our security practices.