Infrastructure Security
SonicSaaS runs as a container stack on your own infrastructure. The deployment is hardened with container security, network isolation, and HTTP security headers.
Container Security
Non-Root Execution
The application container runs as a dedicated non-root user. This limits the impact of any container escape — even if an attacker gains code execution inside the container, they have minimal host privileges.
Hardened Images
Production images are minimized to the compiled application only — build tools, source code, and development dependencies are excluded to reduce attack surface. Secrets are never baked into image layers; they are injected at runtime via environment variables.
Resource Limits
Production containers have memory limits and are configured to restart automatically on failure, preventing resource exhaustion and improving availability.
Network Isolation
In the production deployment:
- The database is not exposed to the host network — only the application container can reach it over an internal network
- A reverse proxy handles external access with automatic HTTPS (TLS termination and certificate management) when a domain is configured
- Only the ports required for user access are exposed to the host
Security Headers
All HTTP responses include security headers to protect against common web attacks:
| Header | Protection |
|---|---|
| X-Frame-Options | Prevents clickjacking by blocking iframe embedding |
| X-Content-Type-Options | Prevents MIME-type sniffing attacks |
| Strict-Transport-Security | Forces HTTPS for all connections (2-year duration, preload-eligible) |
| Referrer-Policy | Limits referrer information sent to external sites |
| Permissions-Policy | Disables unnecessary browser APIs (camera, microphone, geolocation) |
| Content-Security-Policy | Restricts which sources can load scripts, styles, images, and other resources |
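A deployment check for the headers in the table above, as an added Python example (not SonicSaaS code). The header names, the 2-year preload-eligible HSTS duration and the three disabled browser APIs come from the table; the accepted values for the other headers, the function names and the sample response are assumptions made for this example.

```python
import re

TWO_YEARS = 2 * 365 * 24 * 3600  # 63072000 s, the HSTS duration stated in the table
LIMITING_REFERRER = {"no-referrer", "same-origin", "origin", "strict-origin",
                     "origin-when-cross-origin", "strict-origin-when-cross-origin"}

def hsts_ok(value):
    # Preload eligibility needs a long max-age plus includeSubDomains and preload.
    parts = [p.strip().lower() for p in value.split(";")]
    ages = [re.fullmatch(r'max-age="?(\d+)"?', p) for p in parts if p.startswith("max-age")]
    return (len(ages) == 1 and ages[0] is not None and int(ages[0].group(1)) >= TWO_YEARS
            and "includesubdomains" in parts and "preload" in parts)

def permissions_ok(value):
    # Each API named in the table must carry an empty allowlist: feature=()
    policy = dict(p.strip().split("=", 1) for p in value.lower().split(",") if "=" in p)
    return all(policy.get(f, "").strip() == "()" for f in ("camera", "microphone", "geolocation"))

def referrer_ok(value):
    # Browsers use the last recognised entry of a list; this check inspects the final entry.
    return value.lower().split(",")[-1].strip() in LIMITING_REFERRER

CHECKS = {  # accepted values are assumptions of this example, not taken from the product
    "x-frame-options": lambda v: v.strip().upper() in ("DENY", "SAMEORIGIN"),
    "x-content-type-options": lambda v: v.strip().lower() == "nosniff",
    "strict-transport-security": hsts_ok,
    "referrer-policy": referrer_ok,
    "permissions-policy": permissions_ok,
    "content-security-policy": lambda v: bool(re.search(r"\b(default|script)-src\b", v.lower())),
}

def audit_headers(headers):
    """Map each of the six headers to 'ok', 'weak' or 'missing'."""
    seen = {k.lower(): v for k, v in headers.items()}
    return {name: "missing" if name not in seen else "ok" if check(seen[name]) else "weak"
            for name, check in CHECKS.items()}

# Constructed sample response headers, not captured from a real deployment.
SAMPLE = {
    "X-Frame-Options": "DENY",
    "X-Content-Type-Options": "nosniff",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",  # 1 year, no preload
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Permissions-Policy": "camera=(), microphone=(), geolocation=(self)",
}

if __name__ == "__main__":
    for name, status in audit_headers(SAMPLE).items():
        print(f"{status:8} {name}")
```

Feed `audit_headers` the header dictionary from any HTTP client response; a `weak` result means the header is present but does not meet the rule encoded above.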
TLS Configuration
Client Connections
All browser-to-server communication uses HTTPS. In production, the reverse proxy handles TLS termination with automatic certificate management.
Firewall Connections
SonicSaaS connects to managed firewalls over HTTPS. Because SonicWall firewalls commonly use self-signed TLS certificates, the platform supports these connections. The authentication layer compensates with challenge-response protocols (Digest or CHAP) that prevent credential exposure even without certificate verification.
Firewall Authentication Security
When connecting to managed firewalls, SonicSaaS uses the strongest available authentication method:
- Digest authentication (SHA-256/SHA-512) — challenge-response, preferred
- Public Key (RSA) — password encrypted with the device’s public key
- CHAP — challenge-response protocol, keeps credentials off the wire
- Basic — last resort only, with warnings logged
The platform automatically negotiates the strongest method each device supports and will not downgrade on authentication failure (preventing protocol downgrade attacks).
Automatic Database Migrations
The production container automatically applies pending database migrations on startup, ensuring the schema is always current before the application begins serving requests.
Environment Variable Security
Sensitive configuration is injected via environment variables, never hardcoded:
- Encryption keys, database credentials, and API secrets are all environment-based
- The application validates required secrets at startup and fails fast if they are missing or malformed
- Environment files are excluded from version control and from container images