
Security Overview

Portweaver is designed to enforce secure access by default, with all authentication, session handling, and permissions validated server-side.


Portweaver uses secure, session-based authentication:

  • Users log in with a username and password
  • Sessions are time-limited (default: 12 hours)
  • Logging in from a new location invalidates previous sessions

There are two session types:

  • full

    • Standard authenticated session
    • Grants access based on user role
  • verify

    • Temporary restricted session
    • Used for:
      • Password changes
      • TOTP setup or verification

Users in a verify session cannot access protected areas until requirements are completed.


Access is controlled using roles:

  • admin

    • Full system access
    • Can manage users, devices, and settings
  • view

    • Read-only access
    • Cannot make changes

Users can also be disabled without being deleted.
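
The session and role rules above can be modelled as a single server-side decision function. The following is an added example, not Portweaver's own code: the class, function, and action names are hypothetical, and re-deriving the session type on every request is an assumed design.

```python
import secrets
import time
from dataclasses import dataclass

SESSION_TTL = 12 * 60 * 60  # default session lifetime from the page: 12 hours
WRITE_ACTIONS = {"manage_users", "manage_devices", "change_settings"}  # hypothetical names
VERIFY_ACTIONS = {"change_password", "totp_setup", "totp_verify"}      # hypothetical names

@dataclass
class User:
    name: str
    role: str                          # "admin" or "view"
    disabled: bool = False
    must_change_password: bool = False
    totp_pending: bool = False

def session_kind(user):
    """'verify' while a password change or TOTP step is outstanding, else 'full'."""
    return "verify" if (user.must_change_password or user.totp_pending) else "full"

class SessionStore:
    def __init__(self):
        self._by_token = {}  # token -> (user, expires_at)
        self._by_user = {}   # user name -> current token

    def login(self, user, now=None):
        """Call only after the password check has succeeded; returns a new token."""
        now = time.time() if now is None else now
        if user.disabled:
            raise PermissionError("account disabled")
        # One active session per user: a new login drops the previous token.
        self._by_token.pop(self._by_user.get(user.name), None)
        token = secrets.token_urlsafe(32)
        self._by_token[token] = (user, now + SESSION_TTL)
        self._by_user[user.name] = token
        return token

    def authorize(self, token, action, now=None):
        """Decide one request; deny unless every check passes."""
        now = time.time() if now is None else now
        user, expires_at = self._by_token.get(token, (None, 0.0))
        if user is None or now >= expires_at or user.disabled:
            return False
        if session_kind(user) == "verify":  # re-derived per request (assumption)
            return action in VERIFY_ACTIONS
        if action in WRITE_ACTIONS:
            return user.role == "admin"
        return user.role in ("admin", "view")
```

Passing `now` explicitly makes expiry testable without waiting; in a real handler it is left unset so the server clock is used.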


Password requirements are enforced globally:

  • Minimum length
  • Character complexity rules

Users may be required to change their password:

  • On first login
  • When flagged by an admin

Portweaver supports Time-based One-Time Password (TOTP) authentication.

When enabled:

  • Users must enroll using an authenticator app
  • Access is restricted until setup is complete
  • Login requires a valid verification code

  • Only one active session per user is allowed
  • Sessions are automatically updated if security requirements change
  • Restricted sessions (verify) are single-device only

All actions are recorded in the audit log:

  • Login attempts
  • User changes
  • Configuration updates
  • Security events

Logs are available in the auditing panel and support filtering by user, event, and outcome.


  • All application data is encrypted at rest
  • Encryption keys are securely stored on the system
  • Configuration files cannot be moved without breaking access

  • Authentication and access are enforced server-side
  • Roles define what users can do
  • Security policies are applied globally
  • All actions are logged and traceable
  • Sensitive data is encrypted at rest

Portweaver is designed to remain secure by default, without requiring manual hardening.