Security Guide
Translato is built with a "security-first" mindset, employing multi-layered protection for your translation data and user accounts.
1. Authentication Methods
| Method | Used By | Mechanism |
|---|---|---|
| Cookie Auth | Web dashboard | httpOnly access_token (15min) + refresh_token (7d) |
| API Key | CLI, SDKs, CI/CD | X-API-Key header, SHA-256 hashed in DB |
| CSRF Token | Web mutations | X-CSRF-Token header, HMAC-signed per session |
| Webhook HMAC | VCS providers | X-Hub-Signature-256 (GitHub), X-Gitlab-Token, URL secret |
2. Authorization (RBAC)
Translato uses a 5-tier Role-Based Access Control system:
- Platform Admin (UserRole.ADMIN): Full access to everything.
- Organization Owner/Admin: Full access to all projects within the organization.
- Team Access (TeamProjectAccess): Access to assigned projects with optional language restrictions.
- Direct Project Member: Role-based (OWNER/TRANSLATOR) with optional language restrictions.
- Project Owner: Full control of their own projects.
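To make the five tiers concrete, here is an added example (not Translato's implementation) of resolving them into a single access decision for "may this user work on language `lang` in this project". The tier names follow the list above; the record shapes (`orgRoles`, `teams`, `teamProjectAccess`, `projectMembers`) and the sample users are assumptions constructed for this illustration.

```javascript
// Added example: resolving the five RBAC tiers listed above into one decision.
// Record shapes and sample data are assumptions for this example.

// A language restriction of null means the grant covers every language.
function grantCovers(grant, lang) {
  return grant.languages === null || grant.languages.includes(lang);
}

function resolveAccess(user, project, lang, ctx) {
  // Tier 1: platform admin (UserRole.ADMIN) has full access to everything.
  if (user.role === 'ADMIN') return { allowed: true, tier: 'platform_admin', full: true };

  // Tier 2: organization owner/admin covers every project in that organization.
  const orgRole = user.orgRoles[project.orgId];
  if (orgRole === 'OWNER' || orgRole === 'ADMIN') return { allowed: true, tier: 'org_admin', full: true };

  // Tier 5 on the page: the project's own owner has full control of it.
  if (project.ownerId === user.id) return { allowed: true, tier: 'project_owner', full: true };

  // Tiers 3 and 4 are scoped grants (TeamProjectAccess and direct membership).
  // Collect every grant for this project and allow if any covers the language.
  const grants = [];
  for (const tpa of ctx.teamProjectAccess) {
    if (tpa.projectId === project.id && user.teams.includes(tpa.teamId)) grants.push({ tier: 'team', ...tpa });
  }
  for (const m of ctx.projectMembers) {
    if (m.projectId === project.id && m.userId === user.id) grants.push({ tier: 'direct_member', ...m });
  }
  const hit = grants.find((g) => grantCovers(g, lang));
  if (hit) return { allowed: true, tier: hit.tier, full: false, role: hit.role || null };

  // Default deny: no tier matched.
  return { allowed: false, tier: null, full: false };
}

// Constructed sample data for this example.
const ctx = {
  teamProjectAccess: [{ teamId: 't1', projectId: 'p1', languages: ['de', 'fr'] }],
  projectMembers: [{ userId: 'u3', projectId: 'p1', role: 'TRANSLATOR', languages: ['es'] }],
};
const project = { id: 'p1', orgId: 'o1', ownerId: 'u4' };
const users = {
  admin: { id: 'u1', role: 'ADMIN', orgRoles: {}, teams: [] },
  orgAdmin: { id: 'u2', role: 'USER', orgRoles: { o1: 'ADMIN' }, teams: [] },
  translator: { id: 'u3', role: 'USER', orgRoles: {}, teams: ['t1'] },
  owner: { id: 'u4', role: 'USER', orgRoles: {}, teams: [] },
  outsider: { id: 'u5', role: 'USER', orgRoles: { o2: 'OWNER' }, teams: [] },
};

for (const [name, u] of Object.entries(users)) {
  for (const lang of ['de', 'es', 'ja']) console.log(name, lang, resolveAccess(u, project, lang, ctx));
}
```

The order of the checks only matters for the scoped tiers: the three "full" tiers short-circuit, while team and direct-member grants are unioned, so a translator on a team restricted to German and French who is also directly assigned Spanish gets all three languages and nothing else. An owner of a different organization gets nothing, which is the default-deny behaviour a practitioner should verify in tests.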
3. Data Protection & Posture
| Area | Implementation |
|---|---|
| Password Hashing | bcrypt (12 rounds) |
| JWT Algorithm | HS512 with separate access/refresh secrets |
| Token Rotation | Family tracking and theft detection |
| CSRF Protection | Validated on all state-changing mutations |
| Encryption at Rest | VCS tokens encrypted via AES-256-GCM |
| Sanitization | Full XSS prevention for translation values |
| API Key Storage | SHA-256 hashed (never plaintext) |
| Rate Limiting | Tiered (Auth/API/Read/Write) via Redis |
4. Production Security Hardening
When deploying to production, the following must be set:
- `NODE_ENV=production`
- `COOKIE_SECURE=true` (requires HTTPS)
- Unique, high-entropy secrets for all JWT and encryption keys.
- `ALLOWED_ORIGINS` strictly limited to your production domain.
The Translato API server will refuse to start in production mode if it detects weak or default secrets.