Security
All security is free, always.
Every hardening feature in nSelf ships in the free tier. No license check, no upgrade prompt, no paywall. Security is a default, not a product line.
This is a hard rule across the project. Core security features are on by default and run automatically on install, update, and deploy, plus a daily scan. Pro and Cloud tiers may add nice-to-haves like centralized SIEM forwarding, but a baseline hardening control will never move behind a license.
What you get for free
Ten hardening features included in every nSelf install. All open source, all on by default.
Row Level Security (RLS)
Per-row Postgres policies enforced through Hasura. Tenant and user isolation by default.
Rate limits
Per-IP and per-user request budgets at the Nginx and Hasura layers. Tunable, on by default.
MFA throttle
Backoff and lockout on failed second-factor attempts. Stops brute-force guessing of TOTP codes and repeated WebAuthn assertion failures against one account.
SSRF guard
Outbound HTTP from plugins is filtered against private and link-local ranges. No accidental cloud-metadata reads.
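The guard described above has to do more than match the URL against a list: the check must run on every address the hostname resolves to (a name can mix a public and a private A record), must unwrap IPv4-mapped IPv6 literals, and must be repeated on every redirect hop with the connection pinned to the address that was checked, or a DNS answer that changes between check and connect slips through. The following is an added example written for this page, not nSelf's own SSRF filter; the `fetch(url, ip)` signature, the `FAKE_DNS` table and the hostnames are constructed for the demo.

```python
import ipaddress
import socket
from urllib.parse import urljoin, urlsplit

# Ranges an outbound fetch from a plugin must never reach: "this" network,
# RFC 1918 private, carrier-grade NAT, loopback, link-local (which contains the
# 169.254.169.254 cloud-metadata endpoint) and the IPv6 counterparts.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16",
    "::/128", "::1/128", "fc00::/7", "fe80::/10",
)]


class SSRFBlocked(Exception):
    """Raised when a URL would reach an internal address."""


def is_blocked_ip(ip):
    # Unwrap IPv4-mapped IPv6 (::ffff:10.0.0.5) so the IPv4 ranges apply to it.
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return any(ip in net for net in BLOCKED_NETWORKS)


def resolve_and_check(host, resolver=socket.getaddrinfo):
    """Return every address `host` maps to, or raise if ANY of them is internal.

    Checking after resolution catches names that point at 127.0.0.1, mixed
    answers with one public and one private record, and odd literals such as
    "2130706433" that getaddrinfo happily turns into 127.0.0.1. `resolver` has
    getaddrinfo's call/return shape so a fake table can stand in for DNS.
    """
    try:
        addrs = [ipaddress.ip_address(host)]          # plain IP literal, no DNS
    except ValueError:
        try:
            infos = resolver(host, None)
        except socket.gaierror as e:
            raise SSRFBlocked(f"{host}: resolution failed") from e
        addrs = [ipaddress.ip_address(info[4][0]) for info in infos]
    if not addrs:
        raise SSRFBlocked(f"{host}: no addresses")
    for addr in addrs:
        if is_blocked_ip(addr):
            raise SSRFBlocked(f"{host} resolves to internal address {addr}")
    return [str(a) for a in addrs]


def check_url(url, resolver=socket.getaddrinfo):
    """Allow only http(s) to a host whose every address is public."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise SSRFBlocked(f"refusing scheme/host in {url!r}")
    return resolve_and_check(parts.hostname, resolver)


def guarded_fetch(url, fetch, resolver=socket.getaddrinfo, max_redirects=5):
    """Follow redirects, re-checking every hop.

    `fetch(url, ip)` is the caller's HTTP function (hypothetical signature). It
    must connect to the `ip` that was just checked instead of resolving again,
    so a rebinding DNS answer cannot change between check and connect. It
    returns (status, headers, body) with lower-case header names.
    """
    for _ in range(max_redirects + 1):
        ips = check_url(url, resolver)
        status, headers, body = fetch(url, ips[0])
        if status in (301, 302, 303, 307, 308) and "location" in headers:
            url = urljoin(url, headers["location"])   # handles relative Location
            continue
        return status, body
    raise SSRFBlocked("too many redirects")


def rejects(fn, *args, **kw):
    """True if the guard refuses the call; convenience for the checks below."""
    try:
        fn(*args, **kw)
    except SSRFBlocked:
        return True
    return False


# --- constructed demo inputs (documentation-range IPs, not real hosts) -------
FAKE_DNS = {
    "public.example": ["203.0.113.10"],
    "rebind.example": ["203.0.113.10", "10.0.0.5"],   # mixed public/private answer
    "local.example": ["127.0.0.1"],
}


def fake_resolver(host, port):
    """Stand-in for socket.getaddrinfo backed by FAKE_DNS."""
    if host not in FAKE_DNS:
        raise socket.gaierror(f"unknown host {host}")
    return [(socket.AF_INET, socket.SOCK_STREAM, 0, "", (ip, 0)) for ip in FAKE_DNS[host]]


def fake_fetch(url, ip):
    """Pretend server: the public host bounces /redirect to the metadata endpoint."""
    if url.startswith("http://public.example/redirect"):
        return 302, {"location": "http://169.254.169.254/latest/meta-data/"}, b""
    return 200, {}, b"ok from " + ip.encode()
```

The metadata redirect is the case worth rehearsing: the first hop is to a perfectly public host, and only the second hop lands on 169.254.169.254, so a guard that checks the initial URL once and then hands off to a redirect-following client is still open.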
JWT key rotation
Auth signing keys roll on a schedule with overlap windows. Old tokens expire cleanly.
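The mechanism behind "roll on a schedule with overlap windows" is a key ring: each token carries the `kid` of the key that signed it, a rotation installs a fresh current key and stamps the previous one with a retirement time, and the retired key keeps verifying until that time passes. If the overlap is at least the longest token lifetime, no valid token is ever orphaned, which is what "old tokens expire cleanly" means in practice. The example below is added for this page and is not nSelf's auth code; it does HS256 by hand with `hmac` so it runs without a JWT library, and `KeyRing`, `rotation_walkthrough` and the timeline values are constructed for the demo.

```python
import base64
import hashlib
import hmac
import json
import secrets


def b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class InvalidToken(Exception):
    pass


class KeyRing:
    """HS256 signing keys addressed by kid, with scheduled rotation and overlap.

    Exactly one key is current and signs new tokens. A rotated-out key stays
    verifiable until its retire_at (now + overlap), then prune() drops it.
    """

    def __init__(self, overlap_seconds):
        self.overlap = overlap_seconds
        self.keys = {}        # kid -> {"secret": bytes, "retire_at": None | int}
        self.current = None

    def rotate(self, now):
        if self.current is not None:
            self.keys[self.current]["retire_at"] = now + self.overlap
        kid = f"k{now}-{secrets.token_hex(4)}"
        self.keys[kid] = {"secret": secrets.token_bytes(32), "retire_at": None}
        self.current = kid
        return kid

    def prune(self, now):
        for kid, key in list(self.keys.items()):
            if key["retire_at"] is not None and now >= key["retire_at"]:
                del self.keys[kid]

    def sign(self, claims, now, ttl):
        header = {"alg": "HS256", "typ": "JWT", "kid": self.current}
        body = dict(claims, iat=now, exp=now + ttl)
        signing_input = (b64url(json.dumps(header, separators=(",", ":")).encode())
                         + "." + b64url(json.dumps(body, separators=(",", ":")).encode()))
        sig = hmac.new(self.keys[self.current]["secret"],
                       signing_input.encode(), hashlib.sha256).digest()
        return signing_input + "." + b64url(sig)

    def verify(self, token, now):
        try:
            h, p, s = token.split(".")
        except ValueError:
            raise InvalidToken("malformed")
        header = json.loads(b64url_decode(h))
        if header.get("alg") != "HS256":          # exact match only; never "none"
            raise InvalidToken("bad alg")
        key = self.keys.get(header.get("kid"))
        if key is None:
            raise InvalidToken("unknown kid")     # pruned, or never ours
        if key["retire_at"] is not None and now >= key["retire_at"]:
            raise InvalidToken("key retired")
        expected = hmac.new(key["secret"], f"{h}.{p}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(s)):
            raise InvalidToken("bad signature")
        claims = json.loads(b64url_decode(p))
        if now >= claims["exp"]:
            raise InvalidToken("expired")
        return claims


def try_verify(ring, token, now):
    """("ok", claims) or ("rejected", reason); keeps the walkthrough assert-friendly."""
    try:
        return "ok", ring.verify(token, now)
    except InvalidToken as e:
        return "rejected", str(e)


def rotation_walkthrough():
    """Constructed timeline in seconds: rotate at 0, issue at 100, rotate at 500,
    prune at 4200. Overlap (3600) is chosen >= the 900 s token TTL."""
    ring = KeyRing(overlap_seconds=3600)
    k1 = ring.rotate(now=0)
    old = ring.sign({"sub": "alice"}, now=100, ttl=900)     # exp = 1000, signed by k1
    k2 = ring.rotate(now=500)                               # k1 now retires at 4100
    new = ring.sign({"sub": "bob"}, now=600, ttl=900)       # signed by k2
    forged = new.rsplit(".", 1)[0] + "." + b64url(b"\x00" * 32)
    results = {
        "old_during_overlap": try_verify(ring, old, now=600),   # still valid via k1
        "old_after_exp": try_verify(ring, old, now=1100),       # dies by its own exp
        "new_with_current": try_verify(ring, new, now=700),
        "forged_sig": try_verify(ring, forged, now=700),
        "new_kid_is_current": json.loads(b64url_decode(new.split(".")[0]))["kid"] == k2 != k1,
    }
    ring.prune(now=4200)                                    # k1 past retire_at: dropped
    results["old_after_prune"] = try_verify(ring, old, now=4200)
    results["keys_left"] = len(ring.keys)
    return results
```

The check to keep in mind when tuning the schedule: an overlap shorter than the token TTL cuts live sessions off at rotation time, while an overlap much longer than it merely extends how long a leaked old key remains usable, so the window should sit just above the longest lifetime you issue.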
WAF basics
Nginx rules cover common injection, traversal, and suspicious-UA classes. Free, on by default.
Audit logs
Auth events, license changes, and admin actions land in a structured log stream you own.
Encryption-at-rest config
Postgres data directory and MinIO buckets are configured for encrypted storage at install time.
SIEGE regression suite
Internal adversarial test pack runs in CI on every release. Catches regressions before they ship.
Automatic TLS
Let’s Encrypt certs issued and renewed by the CLI. HTTPS everywhere, no manual cert work.
Why we do this
Self-hosted teams are the ones most exposed when basic hardening is sold as a tier. Putting RLS, rate limits, JWT rotation, and TLS behind a paywall would push small teams into insecure defaults. So we did the opposite. The hardening suite is part of the free CLI, runs on every deploy, and blocks releases when critical findings appear. Revenue comes from optional plugins and managed hosting, never from withholding the basics.
Security disclosure
Found something? Report it privately. We acknowledge within 72 hours and aim to ship a fix, or publish a roadmap entry, within 90 days for Critical and High issues.
- Email: security@nself.org
- GitHub Security Advisories: nself-org/cli/security/advisories
- Full policy: Responsible disclosure
Bounty program
Valid reports earn cash rewards plus credit on the hall of fame. Scope, payout ranges, and rules of engagement are published on the bounty page.
Compliance
Where we stand today. Honest about what is ready, what is on the way, and what is not yet supported.
- GDPR: Ready
  EU sub-processor list, DPA on request, data export and erasure flows.
- SOC 2: In progress
  On the roadmap. Controls are mapped, formal audit pending.
- HIPAA / BAA: Planned
  Not currently offered. Reach out if this is a blocker.
- ISO 27001: Planned
  Tracked, not yet pursued.