Security & Data Protection

Your Data Stays With You

OpenFrame is built on a self-hosted architecture. Your calendar events, photos, tasks, smart-home controls, and personal data live on your own hardware — a Raspberry Pi, a home server, or any Docker-capable machine on your network.

The optional OpenFrame Cloud service exists solely for convenience features like remote access and relay connectivity. It stores only your account email and instance connection metadata — never your calendars, photos, or personal content.

Encryption

In Transit

All communications use HTTPS/TLS encryption. API requests, OAuth flows, WebSocket relay connections, and browser sessions are encrypted end-to-end. HSTS headers enforce HTTPS on all supported browsers.

At Rest

Sensitive data stored in the database is encrypted using AES-256-GCM with randomly generated initialization vectors. This includes:

• OAuth access and refresh tokens (Google, Microsoft, Spotify)
• API keys for third-party services (weather, AI, maps)
• Calendar event fields (titles, descriptions, locations)

Encryption keys are auto-generated on first run and stored with restricted file permissions (mode 0600) on the host filesystem, separate from the database.

Authentication & Access Control

Password Security

Passwords are hashed with bcrypt (cost factor 12) before storage. Plaintext passwords are never stored or logged.

API Key Security

API keys are hashed with SHA-256 before storage — only the key prefix is stored in plaintext for identification. Key comparison uses constant-time algorithms to prevent timing attacks.

Token Management

JWT access tokens are short-lived (15 minutes). Refresh tokens use family-based rotation with reuse detection — if a refresh token is replayed, the entire token family is invalidated, protecting against token theft.

OAuth Integrations

Third-party OAuth flows use cryptographically random state parameters verified server-side to prevent CSRF attacks. State tokens are single-use and expire after 10 minutes. You can disconnect any integration at any time, which immediately revokes stored tokens.

Infrastructure Security

HTTP Security Headers

The API server enforces security headers via Helmet, including Content-Security-Policy, X-Content-Type-Options, X-Frame-Options, Referrer-Policy, and Strict-Transport-Security.

Rate Limiting

Sensitive endpoints are rate-limited to prevent brute-force attacks: login attempts (10/minute), token refresh (10/minute), and device-code polling (10/minute). A global rate limit protects against abuse across all endpoints.

Input Validation

All API inputs are validated using JSON Schema (Fastify) and Zod type validation. File uploads are restricted by MIME type whitelist and size limits. Path traversal protections are enforced on all file operations.

CORS

Cross-Origin Resource Sharing is restricted to explicitly configured origins. Credentials are only accepted from trusted origins matching your deployment domain.

No Tracking, No Ads, No Data Sales

OpenFrame does not include third-party analytics, advertising trackers, or data-collection SDKs. We do not sell, rent, or share your data with anyone. There are no hidden data flows.

Because OpenFrame is self-hosted, your personal data never passes through our servers. Even when using the cloud relay for remote access, the relay acts as a transparent tunnel — message content is encrypted between your browser and your local instance.

Open Source Transparency

OpenFrame is 100% open source. Every security decision, encryption algorithm, and authentication flow is visible in the source code. You don't have to take our word for it — you can verify it yourself.

We welcome security reviews and responsible disclosure. If you find a vulnerability, please report it via our GitHub Issues.

Cloud-Hosted Instances

For users who opt into OpenFrame Cloud hosting (instead of self-hosting), the same security measures apply. Your hosted instance runs in an isolated container with its own database. Data is encrypted at rest and in transit, and you retain full control over your account and connected integrations.

You can export or delete your data at any time. Account deletion removes all associated data from our servers.

Questions?

If you have security questions or want to report a vulnerability, please reach out via GitHub Issues or review the full source code at github.com/tyler-danielson/openframe.