Security

Security at StreamHub

StreamHub is built to be run on infrastructure you control, and security is designed in rather than bolted on. This page summarises how the software protects credentials, data in transit and at rest, and access to your instance. It describes the behaviour of the software itself — hardening your own deployment remains your responsibility.

Credentials & secrets

API tokens stored as hashes only

REST API tokens are never persisted in clear text. Only a SHA-256 digest of each token is stored, so the database never holds a value that could be replayed against the API.

scrypt password hashing

Dashboard passwords are hashed with scrypt, a memory-hard function designed to make brute-force and hardware-accelerated attacks costly. Plaintext passwords are never stored.

Timing-safe comparisons

Tokens, signatures and other secrets are verified with constant-time comparisons, so an attacker cannot use response timing to recover a secret byte by byte.

Integrity & transport

HMAC-signed webhooks

Every webhook StreamHub sends is signed with an HMAC-SHA256 over the raw request body. Your endpoint can verify the signature with a timing-safe check and reject anything that was not sent by your instance.

TLS everywhere

The installer provisions TLS certificates automatically (nginx + certbot, or Caddy) and terminates every public surface — dashboard, REST API, HLS and signalling — over HTTPS/WSS by default.

Isolation & access control

Per-app data isolation

Each tenant app owns its own SQLite database for app-scoped state and its own S3 credentials for recordings and VOD. One app cannot read another app’s data or write to another app’s bucket.

IP allow/blocklists + auto-ban

A network-security layer applies per-app IP allow- and blocklists as global middleware before authentication, and automatically bans sources that trip abuse thresholds.

RBAC & quotas

Role-based access control (Casbin) and per-tenant quotas gate what each token and user may do, with an enforcement mode you can run in log-only or fully enforcing.

Responsible disclosure

We welcome reports from security researchers. If you believe you have found a vulnerability in StreamHub, please report it privately so we can investigate and issue a fix before details are made public. Include steps to reproduce and, where possible, a proof of concept. We will acknowledge your report and keep you updated on our progress.

Email: security@streamhub.studio

For configuration details — enforcement modes, webhook verification, TLS options and the network-security module — see the documentation.