Security
Security is not a feature.
It's the foundation.
HostAtlas is an infrastructure monitoring platform. That means we have access to your servers, your metrics, and your logs. We take that responsibility seriously. Every layer of the platform is hardened — from the agent binary running on your servers to the API endpoints you interact with. Security is not a checkbox. It's how we build.
TLS 1.3
All connections encrypted
HMAC
SHA-256 request signing
2FA
TOTP authentication
RBAC
Role-based access control
Agent Security
Outbound-only. Signed requests. Whitelisted commands.
The HostAtlas agent runs on your servers. We designed it with a paranoid security model: it only makes outbound connections, every request is HMAC-SHA256 signed, it executes only a hardcoded whitelist of read-only commands, and the TLS 1.3 connection ensures no one can intercept the data in transit.
Outbound-Only Architecture
The agent initiates all connections to the HostAtlas platform. No inbound ports are opened on your server. No SSH access is required. Your firewall rules remain unchanged.
HMAC-SHA256 Request Signing
Every request from the agent includes an HMAC-SHA256 signature computed from the request body and a shared secret. The platform rejects any request with an invalid or missing signature.
Command Whitelisting
The agent only executes a fixed set of read-only system commands (df, free, uptime, docker ps). The whitelist is compiled into the binary and cannot be modified at runtime.
TLS 1.3 Transport
All agent-to-platform communication uses TLS 1.3. No fallback to older TLS versions. Certificate validation is strict and enforced by the Go standard library.
Agent Security Model
Your Server
hostatlas-agent (Go binary)
HostAtlas Platform
Data Encryption
Encrypted at rest. Encrypted in transit. No exceptions.
Every piece of data that flows through HostAtlas is encrypted. Agent communication uses TLS 1.3. API keys are stored as SHA-256 hashes. Passwords use bcrypt. Offsite backups use AES-256-GCM with client-side encryption. Database storage uses encryption at rest.
TLS 1.3 Everywhere
All connections — agent to platform, browser to dashboard, API calls, webhook deliveries — use TLS 1.3. No plaintext. No fallback to older versions.
SHA-256 Token Hashing
Agent tokens and API keys are stored as SHA-256 hashes. The raw token is shown once at creation and never persisted. Database compromise does not expose tokens.
AES-256-GCM Backups
Offsite backups are encrypted on the server before transmission using AES-256-GCM. The encryption key never leaves your server. We cannot read your backup data.
bcrypt Passwords
User passwords are hashed with bcrypt at a cost factor of 12. bcrypt is intentionally slow, making brute-force attacks computationally infeasible even with leaked hashes.
Encryption at Rest
All databases and object storage use AES-256 encryption at rest. Metrics, logs, configurations, and user data are never stored in plaintext on disk.
HMAC Webhook Signing
Outgoing webhooks include an HMAC-SHA256 signature using a per-webhook secret. Recipients verify the signature to confirm authenticity and integrity.
Authentication
2FA, scoped API keys, and timing-safe comparison.
HostAtlas supports two-factor authentication via TOTP (Google Authenticator, Authy, etc.). API keys are scoped to specific permissions and stored as SHA-256 hashes. Token comparison uses constant-time algorithms to prevent timing attacks.
Two-Factor Authentication
TOTP-based 2FA with recovery codes. Once enabled, every login requires a time-based code from your authenticator app. Recovery codes are generated at setup for account recovery.
Scoped API Keys
Create API keys with specific permission scopes. A deploy key doesn't need access to billing. A read-only dashboard key shouldn't be able to delete servers. Least privilege by default.
Timing-Safe Comparison
All token validation uses constant-time comparison functions. This prevents timing side-channel attacks that could leak information about valid token prefixes.
API Key Scoping
deploy-key
Created 14d agodashboard-readonly
Created 30d agoci-pipeline
Created 7d agoTokens stored as SHA-256 hashes. Raw key shown once.
Multi-Tenancy
Full data isolation via global scopes.
Every team on HostAtlas operates in complete isolation. Servers, metrics, logs, incidents, dashboards, alert rules, and configurations are all scoped to a single team. Global scopes enforce this at the database query level — not just the application layer. There is no way for one team's data to leak into another's.
Team-Scoped Queries
Every database query includes a team scope filter enforced by global query scopes. Bypass is not possible through the application layer, even for admin users.
Agent-to-Team Binding
Each agent is permanently bound to a single team via its authentication token. An agent cannot submit data to or read data from another team.
UUID Resource IDs
All resources use UUIDs instead of sequential integers. This prevents enumeration attacks where an attacker could guess resource IDs to probe for other teams' data.
Under Attack Mode
Built-in DDoS defense.
When your server is under attack, toggle Under Attack Mode from the HostAtlas dashboard. The agent activates iptables-based rate limiting, connection throttling, and IP blocking. Legitimate traffic passes through. Attack traffic is dropped at the kernel level before it reaches your application.
Rate limiting per IP at the iptables level
Connection throttling for SYN flood defense
Automatic IP blocking for known bad actors
One-click activation and deactivation
Ransomware Detection
Shannon entropy analysis.
HostAtlas monitors files targeted for offsite backup using Shannon entropy analysis. Encrypted or ransomware-affected files have significantly higher entropy than normal data. If a sudden entropy spike is detected, HostAtlas freezes the backup schedule to protect your clean backup copies and triggers an immediate alert.
Shannon entropy measurement on backup targets
Automatic backup freeze on anomaly detection
Protects clean backups from being overwritten
Immediate incident creation and alerting
Deep Dives
More detail on specific topics.
Compliance
GDPR, SOC 2 alignment, role-based access, audit logging, data residency, and incident response documentation.
Read more →Encryption & Data Privacy
TLS 1.3, HMAC-SHA256, AES-256-GCM backups, SHA-256 token hashing, client-side encryption, and sensitive data filtering.
Read more →Get Started
Security your team can trust.
HostAtlas is built for organizations that take infrastructure security seriously. HMAC-signed agents, TLS 1.3, 2FA, scoped API keys, full tenant isolation, and encrypted backups — all included on every plan. Free for up to 3 servers.