Authentication & Session Management

Browser-Based Login Flow

  • No password entry in terminal - CLI uses browser-based OAuth flow
  • 10-minute timeout for login completion
  • Secure token exchange via local callback server
  • Tokens stored locally in CLI config file
  • Automatic token refresh using refresh tokens
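
The local callback step, sketched as an added example (not the CLI's own code). It assumes a `/callback` path, `code` and `state` query parameters, and a hypothetical helper name, none of which appear on this page; only the 10-minute window does.

```python
import hmac
import secrets
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs, urlparse

LOGIN_TIMEOUT_SECONDS = 10 * 60  # the 10-minute login window stated above


def start_callback_listener(timeout=LOGIN_TIMEOUT_SECONDS):
    """Return (port, state, wait). wait() yields the code, or None on timeout."""
    state = secrets.token_urlsafe(32)  # per-login value the browser must echo back
    result = {}
    done = threading.Event()

    class Handler(BaseHTTPRequestHandler):
        def do_GET(self):
            url = urlparse(self.path)
            params = parse_qs(url.query)
            code = params.get("code", [""])[0]
            got_state = params.get("state", [""])[0]
            # Constant-time compare; a missing or wrong state is rejected, which
            # stops another local page or process from injecting its own code.
            ok = (url.path == "/callback" and code != ""
                  and hmac.compare_digest(got_state.encode(), state.encode()))
            self.send_response(200 if ok else 400)
            self.end_headers()
            self.wfile.write(b"Login complete." if ok else b"Rejected.")
            if ok:
                result["code"] = code
                done.set()

        def log_message(self, *args):
            pass  # keep the authorization code out of terminal output

    # Loopback only, OS-chosen port: never reachable from the network.
    server = HTTPServer(("127.0.0.1", 0), Handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()

    def wait():
        done.wait(timeout)      # give up once the login window has elapsed
        server.shutdown()       # the listener does not outlive the login attempt
        server.server_close()
        return result.get("code")

    return server.server_address[1], state, wait
```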

Session Security

Token refresh happens automatically on each CLI command to maintain secure sessions.

Data Protection

Encryption in Transit

  • HTTPS enforcement - All tunnel URLs use HTTPS
  • Database connections use TLS encryption
  • API endpoints require HTTPS in production

Password Storage

  • Secure authentication handles password hashing and storage
  • No plaintext passwords stored in application
  • Password policies enforced by authentication configuration

Sensitive Data Handling

  • API tokens stored encrypted in database
  • Integration tokens encrypted before storage
  • Share passwords stored as secure hashes
  • No secrets in client-side code

Access Control

Workspace-Level Security

  • Role-based access control (RBAC) for workspace operations
  • Admin-only actions for billing and integrations
  • Member invitations require admin approval
  • Audit logging for admin actions

Tunnel-Level Security

  • Share modes control who can view tunnels
  • Password protection option for sensitive tunnels
  • Guest comment controls can be disabled
  • Member-specific permissions for tunnel access

API Security

Every API endpoint validates workspace membership before allowing access. Unauthorized requests are rejected with appropriate error responses.

Input Validation & Sanitization

Email Validation

Standardized email validation is used across the application to ensure proper email format.

Comment Content Validation

  • Content length limits: 1-5,000 characters
  • XSS prevention: Content sanitized before storage
  • HTML escaping: Automatic in comment rendering

File Upload Security

  • Type validation for avatar uploads
  • Size limits enforced
  • Malicious file detection

Rate Limiting & Abuse Prevention

API Rate Limiting

  • Request throttling on sensitive endpoints
  • Brute force protection on auth attempts
  • Tunnel creation limits based on subscription tier

Tunnel Security

  • Provider timeouts for connection management
  • Connection monitoring via heartbeat system
  • Automatic cleanup of abandoned tunnels

Compliance & Privacy

Data Retention

  • Configurable retention policies for comments
  • Account deletion removes all user data
  • Workspace deletion is permanent and comprehensive

Privacy Controls

  • Guest comments optional per tunnel
  • Share modes for access control
  • Data export capabilities for user data portability

Security Monitoring & Logging

Automated Monitoring

  • Failed login attempts tracked and rate-limited
  • Tunnel heartbeat failures trigger status updates
  • API abuse patterns detected and blocked
  • Unusual access patterns flagged for review

Audit Logging

  • Admin actions logged with user and timestamp
  • Tunnel creation/deletion recorded
  • Billing changes tracked with full history
  • Integration connections logged with metadata

Incident Response

  • Immediate account suspension for security violations
  • Tunnel deactivation for abuse reports
  • Workspace lockdown for compromised accounts
  • Data preservation during security investigations

Compliance Considerations

Data Protection

  • GDPR compliance - Right to deletion and data export
  • Data minimization - Only collect necessary information
  • Purpose limitation - Use data only for stated purposes
  • Storage limitation - Retain data only as needed

Security Standards

  • Security controls and monitoring
  • Web application security best practices
  • Encryption standards - Industry-standard cryptographic practices
  • Access controls - Principle of least privilege enforcement

Security Best Practices for Users

For Workspace Admins

  • Regular membership audits - Review who has admin access
  • Strong passwords - Enforce good password policies
  • Integration monitoring - Review connected services regularly
  • Billing oversight - Monitor subscription status and invoices

For All Users

  • Secure tunnel sharing - Use appropriate share modes
  • Password protection - Enable for sensitive tunnels
  • Guest comment controls - Disable for private projects
  • Regular cleanup - Delete unused tunnels and comments

For CLI Users

  • Token security - Logout from shared machines
  • Provider updates - Keep tunnel providers updated
  • Local server security - Only tunnel development servers
  • Network awareness - Understand what's being exposed

Note: Security practices are continuously reviewed and updated based on emerging threats and compliance requirements.