Security
tnnl is account-controlled by design. Access is invite-only, credentials are hashed, sessions are short-lived and revocable, and all traffic is encrypted in transit.
Accounts
tnnl is invite-only — there is no public registration. A superadmin provisions each user. Passwords are hashed with Argon2, a new password is required on first login, and passwords must be 8–30 characters.
Sessions
Sessions use opaque 256-bit tokens with a 30-day expiry. Only a SHA-256 hash of each token is stored in the database, so a database leak never exposes a usable token. Sessions are per-device and revocable, and changing your password revokes all other sessions.
Login protection
Login is constant-time, so it does not reveal which emails exist. On top of that there is per-IP rate limiting plus per-account lockout with exponential backoff after repeated failures.
CLI login
Logging in from the CLI uses a browser-based, OAuth-style flow protected with PKCE. The one-time code is bound to a verifier that the CLI holds, and the session is only minted at the exchange step — so an intercepted code is useless on its own.
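The sketch below is an added example, not tnnl's own code. It shows how a PKCE-bound one-time code can be redeemed for a session whose token is stored only as a SHA-256 hash, as the Sessions and CLI login sections describe. The S256 challenge method (RFC 7636), the 60-second code lifetime, the in-memory dicts standing in for the database, and all function names are assumptions.

```python
import base64, hashlib, hmac, secrets, time

CODE_TTL = 60   # seconds; assumed value, the page does not state one
pending = {}    # one-time code -> (challenge, user, expires_at)
sessions = {}   # sha256(token) hex -> user; the raw token is never stored

def s256(verifier: str) -> str:
    """PKCE S256 transform: BASE64URL(SHA256(verifier)) without padding."""
    digest = hashlib.sha256(verifier.encode()).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")

def cli_start():
    """CLI side: keep the verifier locally, send only the challenge out."""
    verifier = secrets.token_urlsafe(32)
    return verifier, s256(verifier)

def authorize(user: str, challenge: str, now=None) -> str:
    """Server side, after browser login: issue a code bound to the challenge."""
    now = time.time() if now is None else now
    code = secrets.token_urlsafe(32)
    pending[code] = (challenge, user, now + CODE_TTL)
    return code

def exchange(code: str, verifier: str, now=None):
    """Server side: redeem a code. Returns a session token, or None."""
    now = time.time() if now is None else now
    entry = pending.pop(code, None)   # single use: consumed by any attempt
    if entry is None:
        return None
    challenge, user, expires_at = entry
    if now > expires_at:
        return None
    # Constant-time comparison; an intercepted code fails here without
    # the verifier that only the CLI holds.
    if not hmac.compare_digest(s256(verifier).encode(), challenge.encode()):
        return None
    token = secrets.token_hex(32)     # 256-bit opaque token, minted only now
    sessions[hashlib.sha256(token.encode()).hexdigest()] = user
    return token

def lookup(token: str):
    """Resolve a presented token by hashing it first; returns user or None."""
    return sessions.get(hashlib.sha256(token.encode()).hexdigest())
```

Consuming the code on a failed attempt is a design choice in this sketch: it stops verifier guessing against a captured code, at the cost of making the CLI restart the flow.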
Transport
All traffic is served over TLS. Subdomains are served with a wildcard certificate, and custom domains get certificates on demand. See Custom domains.
Dashboard hardening
The dashboard ships with a strict set of protections:
- Content-Security-Policy and HSTS
- X-Frame-Options: DENY and X-Content-Type-Options: nosniff
- A strict Referrer-Policy and a minimal Permissions-Policy
- A stateless CSRF origin check on mutating API requests, plus SameSite cookies
Request logs
Captured request logs are in-memory only, off by default, bounded, and never persisted to disk. See Request inspection.
Reporting
Found a security issue? Please report it by email to human.aow.official@gmail.com.