# Security Settings

EntiHub applies defense-in-depth security by default. This page summarizes the security defaults and runtime controls described across the marketing documentation.
## Security Headers

EntiHub sets the following HTTP security headers on every response:

| Header | Value |
|---|---|
| X-Content-Type-Options | nosniff |
| X-Frame-Options | DENY |
| Referrer-Policy | strict-origin-when-cross-origin |
| Permissions-Policy | camera=(), microphone=(), geolocation=() |
| Content-Security-Policy | default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; connect-src 'self'; frame-ancestors 'none' |
HSTS (Strict-Transport-Security) is enabled in all non-Development environments. HTTPS redirection is always enforced.
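A small compliance check for the defaults above, as an added example (not EntiHub's own code): it compares a response's header set against the values in the table, treats HSTS as required only for non-Development checks, and separately reports the CSP caveat a reviewer would raise. The sample responses are constructed; `check_headers` and `csp_caveats` are names chosen for this example.

```python
"""Check a response's security headers against the defaults in the table above.

Added example, not EntiHub's own code. Expected values are the ones this page
lists; the sample responses at the bottom are constructed.
"""
from typing import Dict, List, Set

# Expected headers exactly as the table above lists them.
EXPECTED_HEADERS: Dict[str, str] = {
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "DENY",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Permissions-Policy": "camera=(), microphone=(), geolocation=()",
    "Content-Security-Policy": (
        "default-src 'self'; script-src 'self' 'unsafe-inline'; "
        "style-src 'self' 'unsafe-inline'; img-src 'self' data:; "
        "connect-src 'self'; frame-ancestors 'none'"
    ),
}


def parse_csp(value: str) -> Dict[str, Set[str]]:
    """Split a CSP header into {directive: {sources}}; directive and source order is ignored."""
    policy: Dict[str, Set[str]] = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = set(tokens[1:])
    return policy


def check_headers(response_headers: Dict[str, str], production: bool = True) -> List[str]:
    """Return findings against the defaults; an empty list means the response matches.

    Header names are compared case-insensitively, as HTTP requires. HSTS is only
    expected when production=True, mirroring "enabled in all non-Development environments".
    """
    got = {k.lower(): v.strip() for k, v in response_headers.items()}
    findings: List[str] = []
    for name, expected in EXPECTED_HEADERS.items():
        actual = got.get(name.lower())
        if actual is None:
            findings.append(f"missing: {name}")
        elif name == "Content-Security-Policy":
            # Compare directive-by-directive so formatting differences do not trigger findings.
            if parse_csp(actual) != parse_csp(expected):
                findings.append(f"Content-Security-Policy differs from default: {actual}")
        elif actual != expected:
            findings.append(f"{name}: expected {expected!r}, got {actual!r}")
    if production and "strict-transport-security" not in got:
        findings.append("missing: Strict-Transport-Security (enabled in non-Development environments)")
    return findings


def csp_caveats(csp_value: str) -> List[str]:
    """Notes a reviewer would raise about a CSP even when it matches the default."""
    policy = parse_csp(csp_value)
    notes: List[str] = []
    if "'unsafe-inline'" in policy.get("script-src", set()):
        notes.append("script-src allows 'unsafe-inline': CSP will not stop injected inline scripts")
    if "frame-ancestors" not in policy:
        notes.append("no frame-ancestors directive: clickjacking protection relies on X-Frame-Options alone")
    return notes


# Constructed sample: a compliant production response.
SAMPLE_OK: Dict[str, str] = {
    "Content-Type": "application/json",
    "Strict-Transport-Security": "max-age=31536000",
    **EXPECTED_HEADERS,
}
# Constructed sample: Referrer-Policy dropped and X-Frame-Options relaxed.
SAMPLE_BAD: Dict[str, str] = {k: v for k, v in SAMPLE_OK.items() if k != "Referrer-Policy"}
SAMPLE_BAD["X-Frame-Options"] = "SAMEORIGIN"

if __name__ == "__main__":
    for label, headers in (("ok", SAMPLE_OK), ("bad", SAMPLE_BAD)):
        print(label, check_headers(headers) or "compliant")
    print("caveats:", csp_caveats(EXPECTED_HEADERS["Content-Security-Policy"]))
```

The CSP comparison is deliberately order-insensitive; the `'unsafe-inline'` note is worth keeping visible in any deployment review because the default policy above permits it for scripts, which limits what the CSP can block.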
## Rate Limiting

API rate limiting is active by default on all `/api/*` endpoints, partitioned per client: by user OID or app ID for authenticated callers, and by IP address for unauthenticated requests.
| Setting | Default |
|---|---|
| `Mdm:RateLimit:Enabled` | true |
| `Mdm:RateLimit:PermitLimit` | 200 requests |
| `Mdm:RateLimit:WindowSeconds` | 60 seconds |
When a client exceeds the limit, the API returns HTTP 429:

```json
{"code": "MDM_RATE_LIMIT", "message": "Too many requests. Please retry later."}
```
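The partitioning and defaults described above, as an added example rather than EntiHub's own middleware: a fixed-window limiter keyed on user OID, then app ID, then client IP, returning the 429 body from this page once a partition exhausts its 200 requests in a 60-second window. The `Request` shape, the partition-key string format and the use of a fixed window (rather than a sliding one) are assumptions of this example.

```python
"""Fixed-window API rate limiter partitioned per client, modelled on the defaults above.

Added example, not EntiHub's own middleware. The defaults (200 requests / 60 seconds)
and the 429 body are from this page; the request model and fixed-window algorithm
are assumptions of this example.
"""
import json
import time
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

PERMIT_LIMIT = 200      # Mdm:RateLimit:PermitLimit
WINDOW_SECONDS = 60     # Mdm:RateLimit:WindowSeconds
RATE_LIMIT_BODY = {"code": "MDM_RATE_LIMIT", "message": "Too many requests. Please retry later."}


@dataclass
class Request:
    """Minimal request model (assumed shape): path plus whatever identity is known."""
    path: str
    client_ip: str
    user_oid: Optional[str] = None   # set for interactive (Entra ID) users
    app_id: Optional[str] = None     # set for app-only tokens


def partition_key(req: Request) -> str:
    """Pick the most specific identity available, falling back to IP for anonymous callers."""
    if req.user_oid:
        return f"user:{req.user_oid}"
    if req.app_id:
        return f"app:{req.app_id}"
    return f"ip:{req.client_ip}"


@dataclass
class FixedWindowLimiter:
    permit_limit: int = PERMIT_LIMIT
    window_seconds: int = WINDOW_SECONDS
    enabled: bool = True                                   # Mdm:RateLimit:Enabled
    # partition key -> (window start timestamp, requests counted in that window)
    _windows: Dict[str, Tuple[float, int]] = field(default_factory=dict)

    def check(self, req: Request, now: Optional[float] = None) -> Tuple[int, Optional[str]]:
        """Return (status, body): 200 with no body when allowed, 429 with the JSON body when not.

        Only /api/* paths are limited; everything else passes through untouched.
        """
        if not self.enabled or not req.path.startswith("/api/"):
            return 200, None
        now = time.time() if now is None else now
        key = partition_key(req)
        start, count = self._windows.get(key, (now, 0))
        if now - start >= self.window_seconds:
            start, count = now, 0          # window expired: start a fresh one
        if count >= self.permit_limit:
            self._windows[key] = (start, count)
            return 429, json.dumps(RATE_LIMIT_BODY)
        self._windows[key] = (start, count + 1)
        return 200, None


if __name__ == "__main__":
    limiter = FixedWindowLimiter()
    caller = Request(path="/api/entities", client_ip="203.0.113.5", user_oid="oid-1")  # constructed
    statuses = [limiter.check(caller, now=1000.0)[0] for _ in range(PERMIT_LIMIT + 1)]
    print(statuses[-2:])  # last allowed request, then the first 429
```

A fixed window lets a client send up to twice the limit across a window boundary; a sliding window or token bucket tightens that, at the cost of more state per partition. Whichever algorithm is used, the partition key matters more than the counter: a single IP key for all unauthenticated traffic means one NAT'd office shares a budget.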
## Webhook URL Security Policy

See the Webhooks page for full documentation on the URL policy modes `AllowAllExceptLocalhost` and `Strict`.

The active policy is managed by a Global Admin at System → Security Settings.

Blocked webhook calls are skipped and logged with mode, URL, and reason.
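An added example of the skip-and-log behaviour for the `AllowAllExceptLocalhost` mode (not EntiHub's own implementation): the check parses the target URL, rejects localhost names and loopback or unspecified addresses (including IPv4-mapped IPv6 forms), and logs mode, URL and reason for anything it blocks. Which host patterns count as "localhost" is this example's assumption, and `Strict` is documented on the Webhooks page rather than here, so it is not implemented.

```python
"""Webhook URL check for the AllowAllExceptLocalhost mode, with the blocked-call log line.

Added example, not EntiHub's own code. The mode name and the logged fields (mode,
URL, reason) come from this page; the set of hosts treated as localhost is an
assumption of this example.
"""
import ipaddress
import logging
from typing import Optional, Tuple
from urllib.parse import urlsplit

log = logging.getLogger("webhooks")

LOCAL_NAMES = {"localhost", "localhost.localdomain"}


def block_reason(url: str) -> Optional[str]:
    """Return why the URL is blocked under AllowAllExceptLocalhost, or None if it may be called."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return "unsupported scheme"
    host = parts.hostname  # lower-cased; brackets already stripped from IPv6 literals
    if not host:
        return "missing host"
    if host in LOCAL_NAMES or host.endswith(".localhost"):
        return "localhost hostname"
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        # A regular DNS name: this mode allows it. Where the name resolves is a
        # separate question that this mode, as named, does not cover.
        return None
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped  # ::ffff:127.0.0.1 is still loopback
    if addr.is_loopback or addr.is_unspecified:
        return f"loopback/unspecified address {addr}"
    return None


def should_send(url: str, mode: str = "AllowAllExceptLocalhost") -> Tuple[bool, Optional[str]]:
    """Decide whether to deliver; blocked calls are skipped and logged with mode, URL and reason."""
    if mode != "AllowAllExceptLocalhost":
        raise ValueError(f"mode {mode!r} is not implemented in this example")
    reason = block_reason(url)
    if reason:
        log.warning("webhook blocked mode=%s url=%s reason=%s", mode, url, reason)
        return False, reason
    return True, None


if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    for candidate in ("https://hooks.example.com/entihub", "http://localhost:8080/hook"):  # constructed
        print(candidate, should_send(candidate))
```

The log line carries the three fields the page names so that a skipped delivery is auditable after the fact; a reviewer checking this mode should note that it only excludes localhost forms, so private-network targets are a matter for the `Strict` mode described on the Webhooks page.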
## Restricted Classification Tags

Administrators can configure tags that are considered sensitive (e.g. PII, Confidential). These tags can be used in entity and column definitions to signal data classification requirements.

Restricted tags are stored in `app_settings` and managed at System → Security Settings.
## Swagger UI Access

The Swagger / OpenAPI UI at `/swagger` is restricted to Global Admin users. It is not accessible to regular users even if they are authenticated.
## Authentication

EntiHub uses Azure Entra ID (OIDC) for browser sessions and JWT Bearer tokens for API clients. Optional API keys (`X-API-Key` header) are available for non-interactive integrations.

### API key rotation

API keys are long-lived credentials. Rotate them regularly and use secrets management (Azure Key Vault, environment variable injection) rather than storing them in config files.
## Data Isolation

EntiHub is a single-tenant application: one deployment serves one organisation. There is no shared infrastructure between deployments.

Each entity stores data in three separate tables within `EntityDataSchema`:

| Table pattern | Purpose |
|---|---|
| `<entity>_edit` | Pending (unapproved) changes |
| `<entity>` | Approved / active records |
| `<entity>_history` | Historical snapshots (when `historyEnabled: true`) |
Global Admin (`entihub.admin`) users bypass row-level security for all data access operations.

## Additional hardening

- Database access uses parameterized SQL and a parsed filter DSL.
- Package deploy validates ZIP files against path traversal.
- Regex validation runs with a timeout to reduce ReDoS risk.
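Two of the hardening points above, worked as an added example that is not EntiHub's own code: a ZIP entry validator that refuses archives whose members would land outside the deploy directory, and a filtered lookup using a bound parameter so the filter value can never alter the SQL text. The sample archive, the `customer` table and the destination path are constructed for the example.

```python
"""ZIP path-traversal validation and a parameterized query, as an added example.

Not EntiHub's own code. The archive, table and destination directory below are
constructed; the checks are the generic defences the page's bullet list names.
"""
import io
import posixpath
import sqlite3
import zipfile
from typing import List


def unsafe_entries(archive: zipfile.ZipFile, dest: str = "/srv/packages/incoming") -> List[str]:
    """Return entry names that would escape dest if extracted, or are otherwise unsafe.

    Rejects absolute paths and drive letters, treats backslashes as separators,
    rejects any '..' segment, then confirms the normalised target is still under dest.
    """
    bad: List[str] = []
    for name in archive.namelist():
        norm = name.replace("\\", "/")
        if norm.startswith("/") or (len(norm) > 1 and norm[1] == ":"):
            bad.append(name)
            continue
        if ".." in norm.split("/"):
            bad.append(name)
            continue
        target = posixpath.normpath(posixpath.join(dest, norm))
        if not (target == dest or target.startswith(dest + "/")):
            bad.append(name)
    return bad


def build_sample_archive() -> zipfile.ZipFile:
    """Constructed sample package: one legitimate entry and three entries that must be rejected."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("package.json", "{}")
        zf.writestr("../../outside.txt", "x")     # parent traversal
        zf.writestr("/absolute.txt", "x")         # absolute path
        zf.writestr("..\\..\\outside.txt", "x")   # backslash traversal
    buf.seek(0)
    return zipfile.ZipFile(buf)


def seed_db() -> sqlite3.Connection:
    """Constructed in-memory table standing in for an approved-records table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customer (name TEXT, status TEXT)")
    conn.executemany(
        "INSERT INTO customer VALUES (?, ?)",
        [("acme", "active"), ("globex", "active"), ("initech", "inactive")],
    )
    return conn


def find_by_status(conn: sqlite3.Connection, status: str) -> List[str]:
    """Filtered lookup with a bound parameter: the value is data, never part of the SQL text."""
    rows = conn.execute(
        "SELECT name FROM customer WHERE status = ? ORDER BY name", (status,)
    ).fetchall()
    return [row[0] for row in rows]


if __name__ == "__main__":
    print("rejected entries:", unsafe_entries(build_sample_archive()))
    conn = seed_db()
    print("active:", find_by_status(conn, "active"))
    # A filter value containing SQL syntax matches nothing because it is compared literally.
    print("literal match:", find_by_status(conn, "active' OR '1'='1"))
```

Validating entry names before extraction is the important ordering: once `extractall` has run, a traversal entry has already written outside the package directory. The regex-timeout bullet is not shown because Python's `re` module has no timeout parameter; enforcing one there means running the match in a separate thread or process with a deadline.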