Security
Faultline separates browser sessions from training API keys. The dashboard never embeds your API key in client-side JavaScript for data reads — the Next.js BFF forwards your HttpOnly session as a short-lived JWT.
- Passwords hashed with bcrypt at signup
- API keys stored server-side; only a prefix shown in the UI
- JWT signed with FAULTLINE_JWT_SECRET (rotate in production)
- Checkpoints in object storage — not in Postgres rows
- CORS restricted via FAULTLINE_CORS_ORIGINS
Pickle checkpoints can execute arbitrary code on load — only restore checkpoints you created. See SECURITY.md in the repo for reporting vulnerabilities.