We’re building Cachoid with security in mind from the onset. Our goal is to limit the surface exposure down to the veriest minimum. This includes, but is not limited, to picking services, tools, and practices that have had good security parcours.
First things first, your account at Cachoid is TLS/SSL protected. This is so your Warp password, token, API access key, and information is never sent in the clear (cannot be intercepted on its way in and out of your computer). At no time do we send unencrypted information. Second, you can enable two-factor authentication (2FA) in your profile so your account is further secured.
Each one of your cachoids is an isolated, virtualized instance running Linux (OS-based container). The container has its own memory, processes, IP (internal), and services. The only inward-outward facing service being Varnish. Also, Varnish Cache (child) runs as a unpriviledged user in the system to limit privilege escalation.
The container collects Varnish stats, access logs, Modsecurity audit logs, and SAR (System Activity Report) data. Logs are transferred via TLS, stored in encrypted private S3 buckets at rest (server-side encryption) and can be retrieved via TLS on-demand from Warp. You can also opt out of access logs and Modsec logs collection, which we honor by not collecting them. Disabling logs results in the deletion of all access and Modsec logs collected by us thus far (if any). You can also delete specific access logs via the Cachoid control panel.
Cachoid integrates Modsecurity and makes OWASP security rules available to you right off the Cachoid control panel. Modsecurity can run in DetectionOnly (default mode) as well as the On mode. It is set to DetectionOnly so you can review the effectiveness and/or intrusiveness of security rules before you put them live. You can also exclude security rules right from the Cachoid app should they register false-positives with your app.
Cachoid is SSL/TLS ready. You can enable SSL/TLS for your cachoid by either bringing in your own certificate or you get one from us. There are a few implementations of SSL termination and proxying (upstream). We picked the strongest one, which is end to end encryption. Meaning we don’t just terminate client-to-Cachoid SSL; we can communicate over TLS with your actual server (origin) if you have SSL installed/enabled (i.e Cachoid-to-client SSL). Your SSL/TLS certificate is stored in our database encrypted, at rest.
The Cachoid API queries, which you have access to, are always served over SSL via an API access key. You can revoke this key at any time via the control panel. You can also reset it to a new one via Warp should you need to do that. You can also disable the API completely if you don’t have a need for it.
Because security is continuous process, we are all ears when it comes to suggestions to improve our infrastructure and processes. Please do contact us should you have a suggestion!