Labitat

Appearance

Security

Labitat is secure by default.

Encryption

  • AES-256-GCM encryption for all stored service credentials
  • Encryption key is your SECRET_KEY environment variable
  • Back up your SECRET_KEY — without it, credentials are unrecoverable

Session Security

  • HTTP-only, secure session cookies via iron-session
  • No client-side access to session data

Security Headers

  • X-Frame-Options: DENY — prevents clickjacking
  • X-Content-Type-Options: nosniff — prevents MIME sniffing
  • X-XSS-Protection: 1; mode=block — XSS filter
  • Referrer-Policy: strict-origin-when-cross-origin
  • Permissions-Policy: camera=(), microphone=(), geolocation=()

Docker Security

  • Non-root user (UID 1001)
  • no-new-privileges security option enabled
  • Minimal base image
  • /tmp mounted as tmpfs (ephemeral)
  • Note: The container filesystem is not read-only (read_only: false) because Next.js standalone mode requires write access at runtime

Best Practices

  1. Always set a strong SECRET_KEY (32+ random characters)
  2. Use HTTPS in production (reverse proxy recommended)
  3. Keep Labitat updated
  4. Back up your database and SECRET_KEY

Released under the MIT License.

Copyright © 2026 Labitat Contributors