title: "" description: "Reference documentation for Navius " category: "Reference" tags: ["documentation", "reference"] last_updated: "April 3, 2025" version: "1.0"

Navius Security Guide

Navius takes security seriously, implementing numerous safeguards at different levels of the stack. This document outlines the security features built into the framework and best practices for secure application development.

Security Features

Navius includes a range of security features out of the box:

🔐 Authentication & Authorization

  • JWT Authentication: Built-in support for JSON Web Tokens
  • OAuth2: Integration with standard OAuth2 providers
  • Microsoft Entra (Azure AD): Enterprise authentication support
  • Role-Based Access Control: Fine-grained permission controls
  • Scope-Based Authorization: API-level permission enforcement

🛡️ Web Security

  • HTTPS by Default: Automatic TLS configuration
  • CORS Protection: Customizable Cross-Origin Resource Sharing
  • Content Security Headers: Protection against XSS and other attacks
  • Rate Limiting: Protection against brute force attacks
  • Request ID Tracking: Correlation IDs for all requests

🔒 Data Security

  • SQL Injection Prevention: Type-safe query building
  • Password Hashing: Secure password storage with Argon2
  • Data Encryption: Support for data encryption at rest
  • Input Validation: Type-safe request validation
  • Output Sanitization: Prevention of data leakage

Pre-commit Hook for Sensitive Data Detection

Navius includes a pre-commit hook that scans staged files for sensitive data like API keys, secrets, and database credentials to prevent accidental commits of confidential information.

Automatic Setup

The hook is automatically set up when you run ./run_dev.sh for the first time. If you want to skip this automatic setup, use the --no-hooks flag:

./run_dev.sh --no-hooks

Manual Setup

To manually set up the pre-commit hook:

./scripts/setup-hooks.sh

What the Hook Detects

The pre-commit hook scans for:

  • API keys and tokens
  • AWS access keys
  • Private keys (SSH, RSA, etc.)
  • Database connection strings
  • Passwords and secrets
  • Environment variables containing sensitive data

How it Works

When you attempt to commit, the hook:

  1. Scans all staged files for sensitive patterns
  2. Blocks commits containing detected sensitive data
  3. Shows detailed information about what was detected and where
  4. Provides guidance on how to fix the issues

Bypassing the Hook

In rare cases, you may need to bypass the hook:

git commit --no-verify

⚠️ Warning: Only bypass the hook when absolutely necessary and ensure no sensitive data is being committed.

Customizing Sensitive Data Patterns

To customize the sensitive data patterns, edit scripts/pre-commit.sh and modify the pattern matching rules.

Security Best Practices

API Security

  1. Always validate input: Use Rust's type system to enforce validation
  2. Apply the principle of least privilege: Limit access to what's necessary
  3. Use middleware for cross-cutting concerns: Authentication, rate limiting, etc.
  4. Log security events: Track authentication attempts, permission changes, etc.

Database Security

  1. Use parameterized queries: Never concatenate SQL strings
  2. Limit database permissions: Use a database user with minimal permissions
  3. Encrypt sensitive data: Hash passwords, encrypt personal information
  4. Regular backups: Ensure data can be recovered in case of a breach

Configuration Security

  1. Never commit secrets: Use environment variables or secret management
  2. Separate configuration from code: Use the layered configuration approach
  3. Different configs per environment: Maintain separate configuration files
  4. Environment validation: Validate production environments for security settings

Security Testing

Navius includes tooling for security testing:

  1. Dependency Scanning: Regular checks for vulnerable dependencies
  2. Static Analysis: Code scanning for security issues
  3. Penetration Testing: Tools for API security testing
  4. OWASP Compliance: Checks against OWASP Top 10 vulnerabilities

Rust Security Advantages

Rust's inherent security features provide additional protection:

  1. Memory Safety: No buffer overflows, use-after-free, or null pointer dereferences
  2. Type Safety: Strong type system prevents type confusion errors
  3. Immutability by Default: Reduces the attack surface for data corruption
  4. No Garbage Collection: Predictable resource usage prevents certain DoS attacks
  5. Safe Concurrency: Thread safety guaranteed by the compiler

Security Updates

Navius maintains a regular security update schedule:

  1. Dependency Updates: Regular updates to dependencies
  2. Security Patches: Immediate patches for critical vulnerabilities
  3. Security Advisories: Notifications for important security information

Security Incident Response

In case of a security incident:

  1. Report: [email protected]
  2. Response Time: We aim to acknowledge reports within 24 hours
  3. Disclosure: We follow responsible disclosure practices

Compliance

Navius can be used as part of a compliant application architecture for:

  • GDPR: Data protection features
  • HIPAA: Healthcare data security
  • PCI DSS: Payment card information security
  • SOC 2: Security, availability, and confidentiality

📝 Note: While Navius provides the building blocks for compliant applications, full compliance depends on how you use the framework and your overall application architecture.