Security
Authentication, authorization, and defense-in-depth security across the Bootspring platform
Bootspring implements defense-in-depth security across authentication, transport, input validation, and runtime protection. This page covers every security layer and how to configure it.
Authentication
Bootspring supports three authentication methods, each suited to different use cases.
JWT Tokens
The primary authentication method for CLI and dashboard sessions.
JWT tokens include:
- User ID and email (claims)
- Subscription tier (
free,pro,team,enterprise) - Issued-at and expiration timestamps
- HMAC-SHA256 signature
API Keys
Long-lived keys for server-to-server integrations and CI/CD pipelines.
API key properties:
- Prefixed with
bsk_for identification - Scoped to specific permissions (read, write, admin)
- Revocable at any time from CLI or dashboard
- Usage logged with IP and timestamp
Device Authorization
For headless environments (CI runners, remote servers) where browser login is not possible.
This starts the OAuth device flow:
- CLI displays a user code and verification URL
- User opens the URL in any browser and enters the code
- CLI polls until authorization is confirmed
- Token is stored locally
CSRF Protection
All state-changing API requests require a CSRF token.
- The server sets a
__csrfcookie on first request (HTTP-only, SameSite=Strict) - Clients include the token in the
X-CSRF-Tokenheader on POST/PUT/DELETE requests - Mismatched or missing tokens return
403 Forbidden - Tokens rotate on every authentication event
The CLI and MCP server handle CSRF automatically. Custom API integrations must read the cookie and include the header.
Rate Limiting
The API enforces rate limits across five tiers to prevent abuse and ensure fair usage.
| Tier | Requests/Minute | Burst | Daily Limit | Applies To |
|---|---|---|---|---|
| Anonymous | 10 | 15 | 500 | Unauthenticated requests |
| Free | 30 | 50 | 5,000 | Free tier users |
| Pro | 120 | 200 | 50,000 | Pro tier users |
| Team | 300 | 500 | 200,000 | Team tier users |
| Enterprise | 1,000 | 2,000 | Unlimited | Enterprise tier users |
Rate limit headers are included in every response:
X-RateLimit-Limit: 120
X-RateLimit-Remaining: 118
X-RateLimit-Reset: 1713100800
Retry-After: 42
When a limit is exceeded, the API returns 429 Too Many Requests with the Retry-After header indicating seconds until the limit resets.
Content Security Policy
The dashboard sets strict CSP headers to prevent XSS and data injection:
Content-Security-Policy:
default-src 'self';
script-src 'self';
style-src 'self' 'unsafe-inline';
img-src 'self' data: https:;
font-src 'self';
connect-src 'self' https://bootspring.com;
frame-ancestors 'none';
base-uri 'self';
form-action 'self'
Key restrictions:
- No inline scripts (all JavaScript bundled)
- No external script sources
- Images allowed from self, data URIs, and HTTPS sources
- No iframe embedding (
frame-ancestors 'none') - Form submissions restricted to same origin
Input Validation with Zod
Every API endpoint and MCP tool validates input using Zod schemas before processing.
Validation properties:
- All inputs validated at the API boundary before any logic runs
- Type coercion disabled — inputs must match expected types exactly
- String lengths capped to prevent memory exhaustion
- Nested objects validated recursively
- Invalid input returns
400 Bad Requestwith a structured error listing each failing field
Password Policy
Account passwords must meet all of the following requirements:
| Requirement | Minimum |
|---|---|
| Length | 12 characters |
| Uppercase letters | 1 |
| Lowercase letters | 1 |
| Numbers | 1 |
| Special characters | 1 |
| Not in breach database | Checked against HaveIBeenPwned (k-anonymity) |
Passwords are hashed with bcrypt (cost factor 12) and never stored in plaintext. Failed login attempts trigger progressive delays: 1s after 3 failures, 5s after 5, and account lockout after 10 (unlocked via email).
TypeScript Strict Mode
The entire Bootspring codebase compiles under TypeScript strict mode:
This eliminates entire classes of runtime errors:
- No implicit
any— every value has a known type - No unchecked index access — array/object lookups return
T | undefined - Strict null checks — null and undefined must be handled explicitly
- Exact optional properties — prevents accidental
undefinedassignment
Path Traversal Protection
All file operations validate paths to prevent directory traversal attacks:
- Paths are resolved to absolute form and checked against an allowlist of permitted directories
..sequences are rejected before any file I/O- Symlinks are resolved and re-validated against the allowlist
- The MCP server restricts file access to the project root and
.bootspring/directories only
security.txt
Bootspring publishes a /.well-known/security.txt on the hosted API conforming to RFC 9116:
Contact: security@bootspring.com
Expires: 2027-04-14T00:00:00.000Z
Preferred-Languages: en
Canonical: https://bootspring.com/.well-known/security.txt
Policy: https://bootspring.com/security-policy
To report a vulnerability, email security@bootspring.com. Response SLA: acknowledgment within 48 hours, triage within 5 business days.
Security Checklist
A quick reference for hardening your Bootspring installation:
- Run
bootspring auth loginand verify token storage permissions (600) - Use API keys (not JWTs) for CI/CD pipelines
- Enable
BOOTSPRING_TELEMETRY=falseif operating in a regulated environment - Review
.bootspring/directory permissions (should not be world-readable) - Keep Bootspring updated —
bootspring updatepulls security patches - Do not commit
.bootspring/auth.jsonor.envto version control