Olympus Documentation What is Olympus Architecture Repo Map License Glossary

Security

Overview

Orientation for the Security section

This section is the security model, the threats Olympus defends against, the mechanisms doing the defending, and the headers, encryption, and policies in effect.

Defining the perimeter

Threat model, what we defend against and what we don't.
CIAM/IAM isolation, the rationale and the enforcement boundary.

At rest

Encryption at rest, AES-256-GCM with HKDF-SHA256.
Encryption key blocklist, known-weak values the SDK refuses.

In flight

Session cookies, HMAC-signed, separate SESSION_SIGNING_KEY from ENCRYPTION_KEY.
Security headers, HSTS, X-Frame-Options, Referrer-Policy.
CSP, Athena, admin dashboard CSP.
CSP, Hera, login UI CSP.

Abuse mitigation

Brute-force protection, login-attempt tracking and account lockout.
Account lockout, Hera's lockout policy.
Breached password, HaveIBeenPwned k-anonymity check.
Captcha Turnstile, Cloudflare Turnstile policy.
Rate limiting, Caddy rate_limit module.

OAuth2 hardening

PKCE enforcement, RFC 9700 alignment; mandatory for all public clients.

Email and IdP trust

Email verification, mandatory in production.
OIDC email_verified trust, why we never trust the upstream email_verified claim.

DBA access

pgAdmin SSO, OIDC through Olympus IAM Hydra.
pgAdmin DBA accounts, least-privilege per-DBA database roles.

Supply chain

Caddy supply chain, reproducible builds with the rate_limit module.
Secrets management, secret material lifecycle.

MFA Policy

Multi-factor authentication enrollment and enforcement policy across CIAM and IAM

Breached Password Check

HaveIBeenPwned k-anonymity password breach check on registration and password change

On this page

Defining the perimeter At rest In flight Abuse mitigation OAuth2 hardening Email and IdP trust DBA access Supply chain