Security Features

Comprehensive documentation of security mechanisms in the Huh platform.

Security Standards: This platform follows industry best practices and aligns with the OWASP Top 10 web application security risks. For more information on web application security, refer to the OWASP Foundation.

Authentication & Authorization

JWT Authentication

  • Token-Based: Stateless JWT tokens for API authentication
  • Token Expiration: Configurable expiration time
  • Role Claims: User roles embedded in JWT tokens
  • Stateless Sessions: No server-side session storage

Password Security

  • BCrypt Hashing: Passwords hashed using BCryptPasswordEncoder (see OWASP Password Storage Cheat Sheet)
  • No Plaintext Storage: Passwords never stored in plaintext
  • Secure Random: Cryptographically secure random token generation

User Roles

  • ROLE_USER: Standard user with basic permissions
  • ROLE_ADMIN: Administrator with full system access
  • Role-Based Access Control: Endpoints protected by role requirements

Access Control List (ACL)

Permission Model

  • Granular Permissions: READ (1), WRITE (2), CREATE (4), DELETE (8), ADMIN (16)
  • Bit Masking: Integer bit masks for efficient permission storage
  • Permission Inheritance: WRITE permission implies READ access

ACL Features

  • User Permissions: Grant permissions to specific users
  • Role Permissions: Grant permissions to roles (e.g., all admins)
  • Owner Management: Automatic ownership assignment and management
  • Admin Override: ROLE_ADMIN always has full access to all resources
  • MongoDB Storage: ACL entries stored in MongoDB collections

ACL Implementation

  • AclEntry: Individual permission entries
  • AclObjectIdentity: Domain object identity mapping
  • AclSid: Security identity (users and roles)
  • Permission Checking: Runtime permission verification on all protected resources
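
The permission model and admin override described above, worked through as an added example; this is not the platform's own code. The `Entry` record, the OR-ing of matching entries and the sample ACL are assumptions made for illustration.

```java
import java.util.List;
import java.util.Set;

public class AclMaskDemo {
    // Bit values as listed in the Permission Model.
    static final int READ = 1, WRITE = 2, CREATE = 4, DELETE = 8, ADMIN = 16;

    // Hypothetical entry shape: a security identity, whether it names a role, and its mask.
    record Entry(String sid, boolean role, int mask) {}

    // Expand a stored mask with the implied bit: WRITE implies READ.
    static int effective(int mask) {
        return (mask & WRITE) != 0 ? mask | READ : mask;
    }

    // Assumption: masks of all entries matching the user or their roles are OR-ed.
    static boolean isGranted(String user, Set<String> roles, List<Entry> acl, int required) {
        if (roles.contains("ROLE_ADMIN")) return true;   // admin override
        int granted = 0;
        for (Entry e : acl) {
            // Role entries match roles only, so a user *named* "ROLE_USER" gains nothing.
            boolean match = e.role() ? roles.contains(e.sid()) : e.sid().equals(user);
            if (match) granted |= effective(e.mask());
        }
        // Every requested bit must be present, not just one of them.
        return (granted & required) == required;
    }

    static void expect(boolean actual, boolean wanted, String what) {
        if (actual != wanted) throw new AssertionError(what);
    }

    public static void main(String[] args) {
        // Constructed sample ACL for one transcription.
        List<Entry> acl = List.of(new Entry("alice", false, WRITE),
                                  new Entry("ROLE_USER", true, READ));
        Set<String> user = Set.of("ROLE_USER");
        expect(isGranted("alice", user, acl, READ), true, "WRITE implies READ");
        expect(isGranted("alice", user, acl, READ | WRITE), true, "combined mask");
        expect(isGranted("alice", user, acl, WRITE | DELETE), false, "partial match must fail");
        expect(isGranted("bob", user, acl, WRITE), false, "role grants READ only");
        expect(isGranted("ROLE_USER", Set.of(), acl, READ), false, "user name is not a role");
        expect(isGranted("carol", Set.of("ROLE_ADMIN"), acl, DELETE), true, "admin override");
        System.out.println("all ACL checks passed");
    }
}
```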

User Invite-Only Function

Registration Control

  • Instance Setting: Administrators can disable public registration
  • Invite-Only Mode: When public registration is disabled, only invited users can register
  • Secure Tokens: Invitation tokens generated using secure random
  • Token Expiration: Invitation tokens expire after 7 days
  • One-Time Use: Tokens marked as used after acceptance

Invitation Flow

  1. Admin sends invitation via email
  2. User receives email with secure token link
  3. User accepts invitation, sets username and password
  4. Account automatically approved (invited users bypass approval queue)
  5. Token invalidated after use
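
The token lifecycle in this flow (secure random generation, 7-day expiry, one-time use), as an added example that is not the platform's own code. The `Invite` record, the in-memory store and the sample addresses are hypothetical stand-ins for the stored invitation.

```java
import java.security.SecureRandom;
import java.time.Duration;
import java.time.Instant;
import java.util.Base64;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.atomic.AtomicBoolean;

public class InviteTokenDemo {
    static final Duration TTL = Duration.ofDays(7);   // expiry stated on the page
    static final SecureRandom RNG = new SecureRandom();

    // Hypothetical invitation record; stands in for the platform's stored document.
    record Invite(String email, Instant expiresAt, AtomicBoolean used) {}

    static final Map<String, Invite> STORE = new ConcurrentHashMap<>();

    // Step 1: 32 bytes from a CSPRNG, URL-safe so it can sit in the emailed link.
    static String issue(String email, Instant now) {
        byte[] raw = new byte[32];
        RNG.nextBytes(raw);
        String token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        STORE.put(token, new Invite(email, now.plus(TTL), new AtomicBoolean(false)));
        return token;
    }

    // Steps 3-5: returns the invited email once; null for unknown, expired or reused tokens.
    static String accept(String token, Instant now) {
        Invite inv = STORE.get(token);
        if (inv == null || !now.isBefore(inv.expiresAt())) return null;
        // compareAndSet lets exactly one of two concurrent requests mark the token used.
        return inv.used().compareAndSet(false, true) ? inv.email() : null;
    }

    static void expect(boolean ok, String what) {
        if (!ok) throw new AssertionError(what);
    }

    public static void main(String[] args) {
        Instant t0 = Instant.parse("2025-01-01T00:00:00Z");   // constructed clock
        Instant day6 = t0.plus(Duration.ofDays(6));
        String fresh = issue("new.user@example.org", t0);
        String stale = issue("late.user@example.org", t0);
        expect(accept("not-a-token", t0) == null, "unknown token rejected");
        expect("new.user@example.org".equals(accept(fresh, day6)), "valid within 7 days");
        expect(accept(fresh, day6) == null, "second use rejected");
        expect(accept(stale, t0.plus(TTL)) == null, "expired at 7 days");
        System.out.println("all invitation checks passed");
    }
}
```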

Video Security

Authentication Mechanism

  • No Direct Access: Videos cannot be accessed without authentication
  • Token-Based Access: Short-lived tokens (10 minutes) required for video streaming
  • HTTP-Only Cookies: Video access tokens delivered via HTTP-only cookies
  • Cookie Security: Cookies set with httpOnly, sameSite=Lax, and path restrictions
  • Token Validation: Tokens validated on each video request

Download Protection

  • No Direct Downloads: Videos are not directly downloadable via URL
  • Streaming Only: Videos served via authenticated streaming endpoint
  • Range Request Support: HTTP Range requests supported for seeking
  • Token Verification: Each request validates token and transcription ID match
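
One way to build the per-request check described in the two lists above, as an added example rather than the platform's code. The HMAC token format, the demo key, the cookie name `video_token` and the path `/api/videos/<id>` are assumptions; the page states only the 10-minute lifetime, the cookie attributes and the transcription ID match.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.time.Duration;
import java.time.Instant;
import java.util.Base64;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

public class VideoTokenDemo {
    static final Duration TTL = Duration.ofMinutes(10);   // lifetime stated on the page
    // Constructed demo key; a deployment would load a random secret from configuration.
    static final byte[] KEY = "constructed-demo-key".getBytes(StandardCharsets.UTF_8);

    static byte[] sign(String payload) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(KEY, "HmacSHA256"));
        return mac.doFinal(payload.getBytes(StandardCharsets.UTF_8));
    }

    // Assumed format: "<transcriptionId>.<expiryEpochSeconds>.<base64url HMAC>".
    static String issue(String transcriptionId, Instant now) throws Exception {
        String payload = transcriptionId + "." + now.plus(TTL).getEpochSecond();
        return payload + "." + Base64.getUrlEncoder().withoutPadding().encodeToString(sign(payload));
    }

    // Runs on every request, Range requests included: signature, then expiry and ID match.
    static boolean validate(String token, String requestedId, Instant now) throws Exception {
        String[] p = token.split("\\.", -1);
        if (p.length != 3) return false;
        try {
            byte[] given = Base64.getUrlDecoder().decode(p[2]);
            if (!MessageDigest.isEqual(sign(p[0] + "." + p[1]), given)) return false;
            return now.getEpochSecond() < Long.parseLong(p[1]) && p[0].equals(requestedId);
        } catch (IllegalArgumentException e) {   // bad base64 or non-numeric expiry
            return false;
        }
    }

    // Cookie attributes from the page; the name and path are hypothetical.
    static String setCookie(String token, String transcriptionId) {
        return "video_token=" + token + "; Max-Age=" + TTL.toSeconds()
            + "; Path=/api/videos/" + transcriptionId + "; HttpOnly; SameSite=Lax";
    }

    public static void main(String[] args) throws Exception {
        Instant t0 = Instant.parse("2025-01-01T00:00:00Z");   // constructed clock
        String tok = issue("tr-1001", t0);                     // constructed transcription ID
        if (!validate(tok, "tr-1001", t0.plusSeconds(599))) throw new AssertionError("valid token");
        if (validate(tok, "tr-1002", t0.plusSeconds(10))) throw new AssertionError("other transcription");
        if (validate(tok, "tr-1001", t0.plusSeconds(600))) throw new AssertionError("expired");
        if (validate(tok + "A", "tr-1001", t0)) throw new AssertionError("tampered");
        System.out.println(setCookie(tok, "tr-1001"));
    }
}
```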

Video Deletion

Deletion Features

  • Manual Deletion: Users with DELETE permission can delete transcriptions
  • Automatic Cleanup: Scheduled deletion based on deleteAt timestamp
  • File Cleanup: Video files deleted from MinIO storage on transcription deletion
  • ACL Cleanup: ACL entries automatically removed when transcription deleted
  • Database Cleanup: Transcription records removed from MongoDB

Deletion Warnings

  • Email Notifications: Owners receive warnings before scheduled deletion
  • Configurable Timing: Warnings sent at configurable intervals before deletion
  • Multi-Owner Support: All owners receive deletion warnings

Data Privacy & Local Processing

Local services (core pipeline)

  • Transcription: Whisper-based workers run on your infrastructure; media and results stay on your network.
  • Translation: LibreTranslate runs on your infrastructure when deployed that way.
  • Analytics (optional): LLM-based analytics use Ollama on your network. The analytics worker sends transcript text to your Ollama API — not to public cloud LLM vendors. Network policies should restrict Ollama to trusted hosts only.
  • Speaker diarization: Runs on the transcription worker. Model weights may be baked into your images or cache; runtime audio does not go to a third-party “speech API” product.

Browser recording

  • The browser captures microphone/camera only for the user session; media is sent to your Huh backend in chunks over TLS in production.
  • Chunks are written to your server storage (and database metadata) until the user finalizes or discards the session. Treat this like any other sensitive upload path (HTTPS, access control, retention).

Supervision comments

  • Stored in your MongoDB with the transcription. No external “collaboration SaaS” is involved. Anyone who can read the transcription can read its supervision thread (see product docs).

What “local” does not mean

  • Identity (Keycloak) and email use your configured servers and SMTP; that is expected and still under your control.
  • Build-time tools (e.g. downloading open weights with a Hugging Face token when building worker images) are separate from runtime confidentiality; operators should protect CI logs and image caches.

Privacy guarantees (deployment-dependent)

  • On-premises / private cloud: When all services (Huh, workers, MongoDB, MinIO, RabbitMQ, LibreTranslate, Ollama) run on hardware you operate, audio, video, transcripts, analytics inputs/outputs, and supervision data stay within that environment.
  • Data sovereignty: You choose regions, backups, and who has admin access.
  • Compliance: Map the above components to your policies (encryption at rest, backup, DLP, etc.); the application does not by itself certify a compliance regime.

Spring Boot Security Features

Security Configuration

  • CSRF Protection: Disabled for API (using stateless JWT authentication)
  • CORS Configuration: Configurable cross-origin resource sharing
  • Stateless Sessions: SessionCreationPolicy.STATELESS for JWT-based auth
  • Method Security: @EnableMethodSecurity for method-level authorization
  • Filter Chain: Custom JWT and API key authentication filters

Security Filters

  • JwtAuthenticationFilter: Validates JWT tokens from Authorization header
  • ApiKeyAuthenticationFilter: Optional API key authentication for service-to-service
  • Filter Ordering: Filters applied before standard Spring Security filters

Endpoint Protection

  • Public Endpoints: /api/auth/**, /actuator/**, /ws/**, OPTIONS requests
  • Authenticated Endpoints: Most API endpoints require authentication
  • Admin-Only Endpoints: /api/users/**, /api/instance-settings/** require ROLE_ADMIN
  • Video Endpoints: Cookie-based authentication handled in controller

Additional Security

Security Best Practices

  1. Never Log Passwords: Passwords never logged or exposed in error messages
  2. Token Expiration: Short-lived tokens for sensitive operations (see OWASP Session Management Cheat Sheet)
  3. Email Enumeration Prevention: Generic messages for password reset requests
  4. Secure Random: Cryptographically secure random for all tokens
  5. HTTP-Only Cookies: Prevents JavaScript access to authentication cookies (see OWASP Cookie Security)
  6. Role-Based Access: Fine-grained access control at endpoint and resource levels (see OWASP Access Control Cheat Sheet)
  7. ACL Verification: Permission checks on every resource access
  8. Admin Approval: New users require admin approval before system access

Additional Resources