← Back to all posts

Security

Pre-flight checklist: from PoC to MVP hardening

16 min

The full Auth Fly hardening list, in the open — what is already strong in the PoC, and the four staged wave of fixes that take us from PoC to a production-shaped MVP.

Security is the part of Auth Fly we do not want to surprise anyone with. Here is the entire checklist, grouped by stage, with the strong points kept honest alongside the work still to do.

What is already strong

  • SAML ACS taken from SP config, never from the AuthnRequest — closes ACS substitution.
  • OIDC redirect_uri validated by exact-match against per-client allowlist.
  • Authorization codes are one-shot, TTL-bounded, compared with hmac.Equal.
  • Session cookies signed with HMAC-SHA256, HttpOnly, Secure.
  • Cache-Control: no-store on the token endpoint.
  • Hosted UI ships static assets locally; no CDN dependency.
  • html/template and templ auto-escape user-rendered fields.
  • Logout return URLs validated against an origin allowlist.

Stage 1 — Critical (week 1)

  • Verify iss and aud on Hanko JWTs after signature check.
  • Pin the JWT alg to RS256 in the verifier; never trust the header value.
  • Stop accepting bearer tokens from ?token= query parameters.
  • Refuse to start when session_key is the placeholder or shorter than 32 bytes.
  • Configure http.Server with explicit ReadTimeout, WriteTimeout and IdleTimeout.
  • Create the IdP private key file with mode 0600.
  • Run the container as a non-root user.

Stage 2 — Protocol hardening (weeks 2–3)

  • PKCE: store code_challenge + method, verify code_verifier, advertise in Discovery.
  • Add at_hash to id_token to bind it to the access token.
  • Verify iss on access tokens before honouring them.
  • Validate IssueInstant and (when present) Destination on SAML AuthnRequests.
  • Optionally verify signed AuthnRequests for SPs that opt in.
  • Run the OIDC code-store cleanup goroutine; bound memory growth.
  • Validate requested OIDC scopes; reject anything outside the supported set.

Stage 3 — Web security (weeks 3–4)

  • Security-headers middleware: CSP, X-Frame-Options DENY, X-Content-Type-Options, Referrer-Policy, HSTS.
  • CSRF tokens on every admin POST.
  • Rate limiting on /token, /authorize, /sso, /console/users.
  • http.MaxBytesReader on POST endpoints.
  • Graceful shutdown via signal.NotifyContext + server.Shutdown.

Stage 4 — Enterprise (weeks 4–6)

  • Key rotation with multi-key JWKS and a previous-key validator.
  • Move new key generation to RSA-4096.
  • SAML Single Logout (SLO) for connected SPs.
  • Structured audit logs: who, when, what, from where, with what result.
  • Optional server-side session store (Redis or SQLite) for forced logout.
  • OIDC: refresh tokens, prompt, max_age.
  • Admin: CSRF, configurable email verification, scoped API keys.
  • Health and readiness endpoints for orchestration.

How to follow along

Every item is tracked publicly on GitHub at github.com/authfly. Vulnerability reports go through private security advisories on the same org. No private roadmap, no hidden severity ratings.

Auth Fly logo

Auth Fly

Open auth construction kit

About Auth Fly
SAML

SAML 2.0 in ~600 lines of Go: what we kept, what we cut

 OIDC

OIDC done minimal: code flow, JWKS, and the road to PKCE