Security at StreamHub
StreamHub is built to be run on infrastructure you control, and security is designed in rather than bolted on. This page summarises how the software protects credentials, data in transit and at rest, and access to your instance. It describes the behaviour of the software itself — hardening your own deployment remains your responsibility.
Credentials & secrets
API tokens stored as hashes only
REST API tokens are never persisted in clear text. Only a SHA-256 digest of each token is stored, so the database never holds a value that could be replayed against the API.
scrypt password hashing
Dashboard passwords are hashed with scrypt, a memory-hard function designed to make brute-force and hardware-accelerated attacks costly. Plaintext passwords are never stored.
Timing-safe comparisons
Tokens, signatures and other secrets are verified with constant-time comparisons, so an attacker cannot use response timing to recover a secret byte by byte.
Integrity & transport
HMAC-signed webhooks
Every webhook StreamHub sends is signed with an HMAC-SHA256 over the raw request body. Your endpoint can verify the signature with a timing-safe check and reject anything that was not sent by your instance.
TLS everywhere
The installer provisions TLS certificates automatically (nginx + certbot, or Caddy) and terminates every public surface — dashboard, REST API, HLS and signalling — over HTTPS/WSS by default.
Isolation & access control
Per-app data isolation
Each tenant app owns its own SQLite database for app-scoped state and its own S3 credentials for recordings and VOD. One app cannot read another app’s data or write to another app’s bucket.
IP allow/blocklists + auto-ban
A network-security layer applies per-app IP allow- and blocklists as global middleware before authentication, and automatically bans sources that trip abuse thresholds.
RBAC & quotas
Role-based access control (Casbin) and per-tenant quotas gate what each token and user may do, with an enforcement mode you can run in log-only or fully enforcing.
Responsible disclosure
We welcome reports from security researchers. If you believe you have found a vulnerability in StreamHub, please report it privately so we can investigate and issue a fix before details are made public. Include steps to reproduce and, where possible, a proof of concept. We will acknowledge your report and keep you updated on our progress.
Email: security@streamhub.studio
For configuration details — enforcement modes, webhook verification, TLS options and the network-security module — see the documentation.