# Security hardening

## Sender constraints (DPoP and mTLS)

- DPoP is required for browser tokens; proofs are nonce-protected.
- The Authority stores `cnf.jkt` and validates it on introspection.
- mTLS-bound tokens are required for high-assurance tenants and automation.
- The emergency bypass is logged and should be time-boxed.

## Rate limiting and lockout

- Fixed-window limits on `/token` and `/authorize` protect against brute force.
- `Retry-After` headers and structured logs are required for audit.
- Lockout policies complement rate limiting and should remain enabled.

## Password hashing

- Argon2id is the default for Authority identity providers.
- PBKDF2-SHA256 remains supported for legacy hashes and the FIPS profile.
- A successful verification against a legacy hash rehashes the password to Argon2id.

## Secrets handling

- Services store only a `secretRef`; secret values are never persisted.
- Secrets must not appear in logs, traces, or exports.
- Rotation is handled through the Authority and refreshed by workers at step start.

## Notifications hardening

- Tenant isolation is enforced on rules and the delivery ledger.
- Webhook deliveries are signed with HMAC-SHA256 and include a nonce or timestamp.
- Outbound allowlists block the public internet by default in air-gapped kits.

## Export hardening

- Exports include content hashes and optional DSSE manifests.
- Export endpoints enforce tenant scoping and export-specific scopes.
- Redaction rules exclude secrets and sensitive fields by default.

## Related references

- docs/security/dpop-mtls-rollout.md
- docs/security/password-hashing.md
- docs/security/secrets-handling.md
- docs/security/rate-limits.md
- docs/security/notifications-hardening.md
- docs/security/export-hardening.md
- docs/security/audit-events.md
- docs/security/revocation-bundle.md
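The `cnf.jkt` check from the sender-constraints section, as an added example that is not the Authority's own code: it computes the RFC 7638 JWK thumbprint the Authority would store at token issuance, and then, on introspection, checks a presented DPoP proof against it together with the server-issued nonce, the `htm`/`htu` binding, the `iat` window and `jti` replay. The sample JWK is constructed with placeholder coordinates, and the function names, the `(ok, reason)` return shape and the nonce store are this example's assumptions; it also assumes the proof's JWS signature was already verified by a JWT library.

```python
import base64
import hashlib
import json
import secrets

# RFC 7638 required members per key type; optional members such as alg, use and
# kid are excluded from the thumbprint input.
_THUMBPRINT_MEMBERS = {
    "EC": ("crv", "kty", "x", "y"),
    "RSA": ("e", "kty", "n"),
    "oct": ("k", "kty"),
}

# Constructed sample public JWK. The coordinates are placeholders of the right
# length only; no key operation is performed on them, because the thumbprint is
# computed over the JSON members, not the curve point.
SAMPLE_JWK = {
    "kty": "EC",
    "crv": "P-256",
    "x": "0123456789abcdefghijklmnopqrstuvwxyzABCDEFG",
    "y": "HIJKLMNOPQRSTUVWXYZ0123456789abcdefghijklmn",
    "alg": "ES256",
    "use": "sig",
}


def b64url(data):
    """Base64url without padding, as used throughout JOSE."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def canonical_jwk(jwk):
    """Required members only, lexicographically ordered, no whitespace (RFC 7638 s3)."""
    members = _THUMBPRINT_MEMBERS[jwk["kty"]]
    return json.dumps({m: jwk[m] for m in members}, sort_keys=True,
                      separators=(",", ":"))


def jwk_thumbprint(jwk):
    """The value the Authority stores as cnf.jkt when it issues a DPoP-bound token."""
    return b64url(hashlib.sha256(canonical_jwk(jwk).encode("utf-8")).digest())


class DpopNonceStore:
    """Server-issued nonces (returned to clients in a DPoP-Nonce header) with a TTL."""

    def __init__(self, ttl_seconds=300):
        self.ttl = ttl_seconds
        self._expiry = {}  # nonce -> epoch seconds after which it is rejected

    def issue(self, now):
        nonce = b64url(secrets.token_bytes(16))
        self._expiry[nonce] = now + self.ttl
        return nonce

    def is_valid(self, nonce, now):
        expiry = self._expiry.get(nonce)
        return expiry is not None and now <= expiry


def validate_dpop_proof(header, claims, cnf_jkt, nonces, jti_cache,
                        method, url, now, max_skew=60):
    """Check one DPoP proof against the token's cnf.jkt on introspection.

    Assumes the proof's JWS signature was already verified against the JWK in its
    header by the JWT library, and that `url` was normalised by the caller the
    way the htu claim requires (both assumptions of this example). Returns
    (ok, reason) so the reason can be written to the structured audit log.
    """
    if header.get("typ") != "dpop+jwt" or "jwk" not in header:
        return False, "bad_header"
    if claims.get("htm") != method or claims.get("htu") != url:
        return False, "htm_htu_mismatch"
    iat = claims.get("iat")
    if not isinstance(iat, int) or abs(now - iat) > max_skew:
        return False, "iat_out_of_window"
    if not nonces.is_valid(claims.get("nonce", ""), now):
        return False, "nonce_invalid"
    # The binding check: the key that signed this proof must be the key the
    # token was issued to.
    if jwk_thumbprint(header["jwk"]) != cnf_jkt:
        return False, "jkt_mismatch"
    jti = claims.get("jti")
    if not jti or jti in jti_cache:
        return False, "jti_replay"
    jti_cache.add(jti)
    return True, "ok"
```

The `jti_cache` is a plain set here; in a deployment it needs the same expiry as the nonce store (entries older than `max_skew` can be dropped) or it grows without bound, and a multi-node Authority needs it shared.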
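The rate-limiting and lockout section describes two mechanisms that work together; the following added example (not the project's code) implements a fixed-window limiter that emits an exact `Retry-After`, a consecutive-failure account lockout, and the structured log line for the audit trail. The class and field names, the window alignment to the epoch, and the hashed client field in the log line are this example's choices.

```python
import hashlib
import json
import math
import time
from dataclasses import dataclass


@dataclass
class Decision:
    allowed: bool
    retry_after: int   # seconds the client should wait; 0 when allowed
    remaining: int     # requests left in the current window


class ManualClock:
    """Injectable clock so the window arithmetic can be exercised deterministically."""

    def __init__(self, t):
        self.t = t

    def __call__(self):
        return self.t


class FixedWindowLimiter:
    """Counts requests per key inside windows of `window_seconds` aligned to the epoch."""

    def __init__(self, limit, window_seconds, clock=time.time):
        self.limit = limit
        self.window = window_seconds
        self.clock = clock
        self._buckets = {}  # key -> (window_index, count)

    def check(self, key):
        now = self.clock()
        idx = int(now // self.window)
        stored_idx, count = self._buckets.get(key, (idx, 0))
        if stored_idx != idx:  # a new window has started; the old count is dropped
            count = 0
        count += 1
        self._buckets[key] = (idx, count)
        if count > self.limit:
            # Because windows are aligned, the end of the current one is known, so the
            # client can be told exactly how long to wait instead of a generic back-off.
            retry_after = max(1, math.ceil((idx + 1) * self.window - now))
            return Decision(False, retry_after, 0)
        return Decision(True, 0, self.limit - count)


class AccountLockout:
    """Consecutive-failure lockout per account. It complements the per-client limiter
    because an attacker rotating source addresses still targets the same account."""

    def __init__(self, threshold, lock_seconds, clock=time.time):
        self.threshold = threshold
        self.lock_seconds = lock_seconds
        self.clock = clock
        self._failures = {}      # account -> consecutive failures
        self._locked_until = {}  # account -> epoch seconds

    def is_locked(self, account):
        return self._locked_until.get(account, 0) > self.clock()

    def record_failure(self, account):
        n = self._failures.get(account, 0) + 1
        self._failures[account] = n
        if n >= self.threshold:
            self._locked_until[account] = self.clock() + self.lock_seconds
            self._failures[account] = 0
        return self.is_locked(account)

    def record_success(self, account):
        self._failures.pop(account, None)


def rejection_headers(decision):
    """Headers to attach to a 429 response; empty when the request was allowed."""
    return {} if decision.allowed else {"Retry-After": str(decision.retry_after)}


def audit_log_line(route, client_key, decision):
    """One structured log line. The client key is hashed so the raw address or client id
    is not written to logs; the field names are this example's, not the project's."""
    return json.dumps({
        "event": "rate_limit.allowed" if decision.allowed else "rate_limit.rejected",
        "route": route,
        "client": hashlib.sha256(client_key.encode("utf-8")).hexdigest()[:16],
        "retry_after": decision.retry_after,
        "remaining": decision.remaining,
    }, sort_keys=True)
```

A fixed window lets a client spend up to twice the limit across a window boundary (the tail of one window plus the head of the next); that is the price of the cheap counter and the exact `Retry-After`, and it is why the lockout is kept enabled alongside it.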
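For the notifications-hardening section, the following added example (not the project's own delivery code) shows one way to sign a webhook delivery with HMAC-SHA256 over the timestamp, a nonce and the body, a receiver that rejects stale or replayed deliveries before it compares the MAC in constant time, and a deny-by-default outbound allowlist check. The header names, the `timestamp.nonce.body` signing input and the tolerance window are assumptions of this example; the shared secret and body are constructed test values.

```python
import hashlib
import hmac
import secrets
import time
from urllib.parse import urlsplit

# Header names are this example's, not the project's.
SIG_HEADER = "X-Webhook-Signature"
TS_HEADER = "X-Webhook-Timestamp"
NONCE_HEADER = "X-Webhook-Nonce"


def _signing_input(timestamp, nonce, body):
    # Timestamp and nonce are bound into the MAC so a captured delivery cannot be
    # replayed later, and a valid MAC cannot be moved onto a different body.
    return f"{timestamp}.{nonce}.".encode("ascii") + body


def sign_delivery(secret, body, timestamp=None, nonce=None):
    """Sender side: returns the headers to attach to the outbound request."""
    ts = int(time.time()) if timestamp is None else timestamp
    n = secrets.token_hex(16) if nonce is None else nonce
    mac = hmac.new(secret, _signing_input(ts, n, body), hashlib.sha256).hexdigest()
    return {SIG_HEADER: f"sha256={mac}", TS_HEADER: str(ts), NONCE_HEADER: n}


class DeliveryVerifier:
    """Receiver side. Nonces are remembered only for the timestamp tolerance, since a
    delivery older than that is rejected on the timestamp alone."""

    def __init__(self, secret, tolerance_seconds=300, clock=time.time):
        self.secret = secret
        self.tolerance = tolerance_seconds
        self.clock = clock
        self._seen = {}  # nonce -> epoch seconds after which it can be forgotten

    def verify(self, headers, body):
        try:
            ts = int(headers[TS_HEADER])
            nonce = headers[NONCE_HEADER]
            sig = headers[SIG_HEADER]
        except (KeyError, ValueError):
            return False, "missing_headers"
        now = self.clock()
        if abs(now - ts) > self.tolerance:
            return False, "stale_timestamp"
        self._seen = {n: exp for n, exp in self._seen.items() if exp > now}
        if nonce in self._seen:
            return False, "replay"
        expected = hmac.new(self.secret, _signing_input(ts, nonce, body),
                            hashlib.sha256).hexdigest()
        if not hmac.compare_digest(sig, f"sha256={expected}"):
            return False, "bad_signature"
        # Only a delivery that authenticated gets its nonce recorded, so an
        # unauthenticated sender cannot fill the store with bogus nonces.
        self._seen[nonce] = now + self.tolerance
        return True, "ok"


def destination_allowed(url, allowlist):
    """Deny-by-default egress check: https only, host must be explicitly listed.
    Host names are compared exactly; no wildcard or suffix matching."""
    parts = urlsplit(url)
    if parts.scheme != "https" or not parts.hostname:
        return False
    return parts.hostname.lower() in {h.lower() for h in allowlist}
```

The verifier checks the timestamp before the MAC so that an obviously stale delivery is rejected without spending an HMAC computation, but it records the nonce only after the MAC verifies.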
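The export-hardening and secrets-handling sections share one requirement, that secret values never reach an export while the `secretRef` that names them may. The following added example (not the project's exporter) redacts secret-valued fields while keeping reference fields, builds a manifest with a SHA-256 content hash per artefact, and wraps the canonical manifest in a DSSE envelope using the DSSE pre-authentication encoding. The key-name pattern, the manifest layout and the `[REDACTED]` marker are this example's choices; the HMAC signer stands in for the asymmetric key the Authority would sign with, and the file contents are constructed.

```python
import hashlib
import hmac
import json
import re
from base64 import b64decode, b64encode

# Keys whose values are secrets. A key ending in "Ref" holds a reference to a
# secret, not the secret itself, and is kept so the export still records which
# secret a step used.
_SECRET_KEY = re.compile(r"(password|secret|token|api[-_]?key|private[-_]?key)",
                         re.IGNORECASE)
REDACTED = "[REDACTED]"


def redact(obj):
    """Recursively replace secret-valued fields in dicts and lists of dicts."""
    if isinstance(obj, dict):
        out = {}
        for key, value in obj.items():
            if _SECRET_KEY.search(key) and not key.lower().endswith("ref"):
                out[key] = REDACTED
            else:
                out[key] = redact(value)
        return out
    if isinstance(obj, list):
        return [redact(v) for v in obj]
    return obj


def canonical_bytes(obj):
    """Sorted keys and no whitespace, so the same data always hashes the same."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode("utf-8")


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def build_manifest(tenant, files):
    """files: {name: bytes}. Every artefact carries its content hash so a consumer
    can verify what it received before trusting it."""
    return {
        "tenant": tenant,
        "artifacts": [
            {"name": name, "sha256": sha256_hex(data), "size": len(data)}
            for name, data in sorted(files.items())
        ],
    }


def dsse_pae(payload_type, payload):
    """DSSE pre-authentication encoding:
    'DSSEv1' SP LEN(type) SP type SP LEN(payload) SP payload."""
    return b"DSSEv1 %d %s %d %s" % (len(payload_type), payload_type,
                                   len(payload), payload)


def dsse_envelope(payload_type, payload, sign, keyid):
    """`sign(bytes) -> bytes` is supplied by the caller; the signature covers the
    PAE, never the raw payload, so the payload type is authenticated too."""
    pae = dsse_pae(payload_type.encode("utf-8"), payload)
    return {
        "payloadType": payload_type,
        "payload": b64encode(payload).decode("ascii"),
        "signatures": [{"keyid": keyid, "sig": b64encode(sign(pae)).decode("ascii")}],
    }


def dsse_verify(envelope, verify):
    """`verify(pae, sig) -> bool`. Recomputes the PAE from the envelope fields."""
    payload = b64decode(envelope["payload"])
    pae = dsse_pae(envelope["payloadType"].encode("utf-8"), payload)
    return any(verify(pae, b64decode(s["sig"])) for s in envelope["signatures"])


def hmac_signer(key):
    """Demo stand-in for the Authority's asymmetric signer (assumption of this
    example): returns a (sign, verify) pair over the given shared key."""
    def sign(data):
        return hmac.new(key, data, hashlib.sha256).digest()

    def verify(data, sig):
        return hmac.compare_digest(sign(data), sig)

    return sign, verify
```

Redaction runs before hashing, so the manifest commits to the redacted artefact that is actually shipped; hashing first and redacting afterwards would leave consumers unable to verify what they hold.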