Security
Optare implements enterprise-grade security practices to protect your authentication infrastructure.
Authentication Security
OAuth 2.0 with PKCE
- Authorization Code Flow with Proof Key for Code Exchange
- Prevents authorization code interception attacks
- Required for public clients (SPAs, mobile apps)
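The PKCE mechanism listed above, as an added example that is not Optare's own code: the client keeps a random code_verifier, sends only its S256 code_challenge with the authorization request, and the authorization server checks the pair at the token endpoint, so an authorization code presented without the matching verifier is useless. The AuthorizationServer class is a stand-in for illustration (assumed, not part of the product).

```python
import base64
import hashlib
import hmac
import secrets


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, the encoding RFC 7636 specifies."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_code_verifier(nbytes: int = 32) -> str:
    """Client side: random verifier kept only in the client; 32 bytes give 43 chars, the RFC 7636 minimum."""
    return b64url(secrets.token_bytes(nbytes))


def make_code_challenge(verifier: str) -> str:
    """Client side: S256 challenge = BASE64URL(SHA256(ASCII(verifier))), sent with the authorization request."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


class AuthorizationServer:
    """Toy authorization server (assumed): remembers the challenge per issued code and checks it at the token endpoint."""
    def __init__(self) -> None:
        self._pending = {}  # authorization code -> (code_challenge, method)

    def issue_code(self, code_challenge: str, method: str) -> str:
        if method != "S256":  # 'plain' gives no protection against code interception; refuse it
            raise ValueError("only S256 is accepted")
        code = secrets.token_urlsafe(24)
        self._pending[code] = (code_challenge, method)
        return code

    def redeem_code(self, code: str, code_verifier: str) -> bool:
        """True only if the verifier hashes to the stored challenge; the code is consumed either way."""
        entry = self._pending.pop(code, None)
        if entry is None or not 43 <= len(code_verifier) <= 128:
            return False
        challenge, _method = entry
        return hmac.compare_digest(make_code_challenge(code_verifier), challenge)


def demo() -> tuple:
    """Round trip: the client holding the verifier succeeds; a code redeemed with a different verifier is rejected."""
    server = AuthorizationServer()
    verifier = make_code_verifier()
    code = server.issue_code(make_code_challenge(verifier), "S256")
    other = server.issue_code(make_code_challenge(make_code_verifier()), "S256")
    return server.redeem_code(code, verifier), server.redeem_code(other, make_code_verifier())
```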
Token Security
- JWTs signed with RS256 (asymmetric RSA signatures)
- Access tokens expire in 1 hour
- Refresh tokens with rotation enabled
- Token revocation supported
Multi-Factor Authentication
- TOTP-based 2FA support
- WebAuthn/Passkey support
- Recovery codes for account recovery
Session Management
- Secure, HTTP-only session cookies
- Session invalidation on password change
- Active session listing and revocation
- IP and user-agent tracking for audit
Data Protection
Encryption
- In Transit: TLS 1.3 for all connections
- At Rest: Database encryption enabled
- Secrets: Environment-based secret management
Secure Headers
- Strict Content-Security-Policy
- X-Frame-Options: DENY
- X-Content-Type-Options: nosniff
- HSTS enabled
API Security
- Rate limiting on authentication endpoints
- CORS configuration per OAuth client
- Input validation and sanitization
- Request logging for audit trails
Security Best Practices
For Developers
- Use HTTPS for all API calls
- Store tokens securely (HttpOnly cookies preferred)
- Implement token refresh logic
- Validate redirect URIs strictly
For Administrators
- Enable 2FA for all admin accounts
- Regularly rotate API keys
- Review audit logs periodically
- Keep OAuth client secrets confidential
Incident Response
Report security issues to: security@optare.one
We aim to respond to critical issues within 24 hours.
Roadmap
We are working toward formal security certifications. Current focus:
- SOC 2 Type II preparation
- GDPR compliance documentation
- Regular third-party security audits