Security & Access Control
StacksAtlas is designed for high-security environments where data privacy and infrastructure integrity are paramount. Our security model focuses on Zero-Knowledge Architecture and Local-First persistence.
Data Sovereignty (The "Zero-Knowledge" Policy)
Unlike SaaS monitoring tools, StacksAtlas assumes your network data is sensitive and should never leave your premise.
- No Cloud Telemetry: The application does not collect usage statistics, anonymized crash reports, or device inventory metadata.
- Encrypted-at-Rest: The internal LiteDB database is encrypted using AES-256 (FIPS 140-2 compliant algorithms).
- License Isolation: The license validation service (
api.lemonsqueezy.com) only receives your license key and a unique hardware ID. No technical details about your scanned subnets are included in this handshake.
Access Control (RBAC)
To support multi-user teams, StacksAtlas implements a granular Role-Based Access Control system.
| Role | Permissions | Use Case |
|---|---|---|
Administrator | Full system control: global settings, user management, and license activation. | IT Manager / Owner |
Standard User | Operational access: device names, location management, and alert acknowledgment. | Network Technician |
Viewer | Read-only access: dashboard monitoring and report generation. | Management / Auditor |
Alert Only | Notification access: receives email/webhook triggers (no dashboard access). | Emergency Contact |
Authentication & Cryptography
- PBKDF2 Hashing: User passwords are never stored in plain text. We utilize industry-standard Password-Based Key Derivation Function 2 (PBKDF2) with unique salts.
- JWT Architecture: All communication between the browser and the background service is secured via JSON Web Tokens (JWT), ensuring stateless and tamper-proof sessions.
- HTTPS Enforcement & CA Maturity: By default, StacksAtlas binds to Port 5001.
- Certificate Logic: Starting in v1.2.3, the appliance utilizes .NET 10 X509CertificateLoader APIs to generate self-signed certificates with Basic Constraints: CA=True.
- Trust Workflow: Administrators can download the appliance's root certificate directly from the settings menu to establish permanent browser trust across the network.
- Protocol Hygiene Warnings: The UI provides explicit warnings when using unencrypted Protocol Quick Links (Telnet/FTP), ensuring administrators are aware of the risks of clear-text credentials in the environment.
Infrastructure Resilience
- Sandboxed Environment: The engine adapts to the host's security model. It can run as a standard Windows Service with restricted Service Accounts, a natively constrained macOS Daemon, or a fully isolated, unprivileged Docker container.