Security

Faultline separates browser sessions from training API keys. The dashboard never embeds your API key in client-side JavaScript for data reads — the Next.js BFF forwards your HttpOnly session as a short-lived JWT.

  • Passwords hashed with bcrypt at signup
  • API keys stored server-side; only a prefix shown in the UI
  • JWT signed with FAULTLINE_JWT_SECRET (rotate in production)
  • Checkpoints in object storage — not in Postgres rows
  • CORS restricted via FAULTLINE_CORS_ORIGINS

Pickle checkpoints can execute arbitrary code on load — only restore checkpoints you created. See SECURITY.md in the repo for reporting vulnerabilities.