This document describes the current security implementation in Semiont and provides guidance for secure deployment and operation.
Semiont currently implements authentication using NextAuth.js with support for:
- Google OAuth: Secure authentication via Google Identity Platform (production environments)
- Development Mode: Simplified authentication for local development (NODE_ENV=development only)
- Session Management: JWT-based session handling with configurable expiration
The current implementation includes:
- Authenticated Sessions: All API endpoints require valid authentication tokens (except in development mode)
- JWT Token Validation: Bearer token authentication for API access with Zod-based payload validation
- User Identification: Each request includes user context for audit trails
Note: Fine-grained role-based access control (RBAC) is planned for future releases. Currently, all authenticated users have equal access to application features.
- Environment Variables: Sensitive configuration stored in environment variables
- HTTPS in Production: TLS encryption for all production traffic (when deployed behind a reverse proxy)
- Input Validation: Zod schemas for request/response validation
- SQL Injection Prevention: Parameterized queries via Prisma ORM (when using SQL databases)
- Local File Storage: Documents stored in a configurable directory (`SEMIONT_ROOT`)
- Database: Support for multiple graph databases (Neo4j, JanusGraph, InMemory)
- Connection strings should be kept secure
- Use environment variables for database credentials
```bash
# Required environment variables (keep secure)
export NEXTAUTH_SECRET="<strong-random-string>"
export NEXTAUTH_URL="https://your-domain.com"
export GOOGLE_CLIENT_ID="<oauth-client-id>"
export GOOGLE_CLIENT_SECRET="<oauth-client-secret>"
export DATABASE_URL="<your-database-connection-string>"
```
- Use HTTPS: Always deploy behind a reverse proxy with TLS termination
- Set NODE_ENV: Ensure `NODE_ENV=production` to disable development shortcuts
- Secure Secrets: Use a secrets management system for sensitive configuration
- Network Security: Deploy backend services in private networks when possible
- Regular Updates: Keep dependencies updated with security patches
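The checklist above can be enforced at start-up rather than left to memory. The following is an added example (not part of Semiont) of a configuration check that refuses to run in production when a required variable is missing, `NODE_ENV` is not `production`, `NEXTAUTH_URL` is not HTTPS, the secret still holds the documentation placeholder, or `SEMIONT_ROOT` is accessible to other users. The variable names are the ones listed on this page; the 32-character minimum for `NEXTAUTH_SECRET` and the directory mode check are this example's own policy, not a Semiont requirement.

```typescript
// Added example (not Semiont's code): fail-fast production configuration check.
// Variable names come from the page; the secret-length and directory-mode
// policies are this example's assumptions.
import { statSync } from "fs";

type Env = Record<string, string | undefined>;

// The variables from the snippet above; all must be present in production.
const REQUIRED_VARS = [
  "NEXTAUTH_SECRET", "NEXTAUTH_URL", "GOOGLE_CLIENT_ID",
  "GOOGLE_CLIENT_SECRET", "DATABASE_URL",
];

// Example policy: the document directory must not be readable, writable or
// searchable by group or others (all of the 077 mode bits clear).
function isPrivateDirMode(mode: number): boolean {
  return (mode & 0o077) === 0;
}

// Returns the list of problems found; an empty list means the check passes.
function checkProductionConfig(env: Env): string[] {
  const problems: string[] = [];

  if (env.NODE_ENV !== "production") {
    problems.push("NODE_ENV must be 'production'; otherwise development shortcuts stay enabled");
  }
  for (const name of REQUIRED_VARS) {
    if (!env[name]) problems.push(`${name} is not set`);
  }

  const secret = env.NEXTAUTH_SECRET ?? "";
  if (secret && /^<.*>$/.test(secret)) {
    problems.push("NEXTAUTH_SECRET still holds the placeholder from the documentation");
  } else if (secret && secret.length < 32) {
    problems.push("NEXTAUTH_SECRET is shorter than 32 characters (example policy)");
  }

  if (env.NEXTAUTH_URL) {
    try {
      if (new URL(env.NEXTAUTH_URL).protocol !== "https:") {
        problems.push("NEXTAUTH_URL must be an https URL; TLS is required in production");
      }
    } catch {
      problems.push("NEXTAUTH_URL is not a valid URL");
    }
  }

  if (env.SEMIONT_ROOT) {
    try {
      const st = statSync(env.SEMIONT_ROOT);
      if (!st.isDirectory()) problems.push("SEMIONT_ROOT is not a directory");
      else if (!isPrivateDirMode(st.mode)) problems.push("SEMIONT_ROOT is accessible to group or others");
    } catch {
      problems.push("SEMIONT_ROOT does not exist or cannot be read");
    }
  }
  return problems;
}

// Call once at process start: better to refuse to start than to run misconfigured.
function assertProductionConfig(env: Env = process.env): void {
  const problems = checkProductionConfig(env);
  if (problems.length > 0) {
    throw new Error("refusing to start:\n- " + problems.join("\n- "));
  }
}
```

Running the check against a secrets manager's output works the same way: build the `Env` map from whatever the deployment loads and pass it to `checkProductionConfig` before anything else initializes.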
| Feature | Development | Production |
|---|---|---|
| Authentication | Optional/Simplified | Required (OAuth) |
| HTTPS | Optional | Required |
| Error Details | Full stack traces | Generic error messages |
| Debug Logging | Enabled | Disabled |
| CORS | Permissive | Restrictive |
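Two rows of this table, error details and CORS, are decided per request in application code. The following is an added example (not Semiont's own middleware) of both: in development the client receives the message and stack trace; in production it receives a generic message plus a request id, while the details go only to the server log. Likewise, any origin is accepted in development but production uses an exact-match allowlist. The `NodeEnv` type and the `allowlist` parameter are this example's assumptions.

```typescript
// Added example (not Semiont's code): environment-dependent error responses and
// CORS decisions matching the table above. Names here are this example's own.
type NodeEnv = "development" | "production";

interface ErrorBody {
  error: string;
  stack?: string;
  requestId: string;
}

// Full details in development; generic message plus a correlation id in
// production so that database errors, file paths and stack frames never reach
// the client. The details are always written to the server-side log.
function formatError(
  err: Error,
  env: NodeEnv,
  requestId: string,
  log: (line: string) => void,
): ErrorBody {
  log(`${requestId} ${err.name}: ${err.message}`);
  if (env === "development") {
    return { error: err.message, stack: err.stack, requestId };
  }
  return { error: "Internal server error", requestId };
}

// Permissive in development, exact-match allowlist in production. Exact match
// (not startsWith or a substring check) is what stops
// https://app.example.com.attacker.test from passing as https://app.example.com.
function isAllowedOrigin(origin: string | undefined, env: NodeEnv, allowlist: string[]): boolean {
  if (env === "development") return true;
  if (!origin) return false;
  return allowlist.indexOf(origin) !== -1;
}

// Headers to add to a response; an empty object means "no CORS headers at all",
// which makes the browser block the cross-origin read.
function corsHeaders(origin: string | undefined, env: NodeEnv, allowlist: string[]): Record<string, string> {
  if (!isAllowedOrigin(origin, env, allowlist)) return {};
  return {
    "Access-Control-Allow-Origin": origin ?? "*",
    // Responses differ by origin, so shared caches must key on it.
    "Vary": "Origin",
  };
}
```

The request id in the production body is what support staff use to find the full entry in the server log, so the generic message costs nothing in debuggability.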
- OAuth Configuration: Configure OAuth providers with appropriate redirect URIs
- Domain Restrictions: Limit OAuth to specific email domains if needed
- Session Timeout: Configure appropriate session expiration times
- API Keys: Rotate API keys and secrets regularly
- Monitor authentication failures
- Track API usage patterns
- Review error logs for security-related issues
- Set up alerts for suspicious activities
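As an added example of the first and last items above (not Semiont's code), here is a small detector that parses authentication log lines and raises an alert when one source address accumulates a threshold of failures inside a sliding time window; several distinct user names in one window point to credential stuffing rather than a forgotten password. This page does not describe Semiont's log format, so the line format, the `SAMPLE_LOG` lines and the threshold and window defaults are all constructed for this example.

```typescript
// Added example (not Semiont's code): authentication-failure detection over
// constructed log lines. Line format, sample data and thresholds are assumptions.
interface AuthEvent {
  ts: number;
  ip: string;
  user: string;
  outcome: "success" | "failure";
}

// Assumed format: "<ISO timestamp> auth <success|failure> ip=<addr> user=<name>"
const LINE = /^(\S+) auth (success|failure) ip=(\S+) user=(\S+)$/;

function parseAuthLine(line: string): AuthEvent | null {
  const m = LINE.exec(line.trim());
  if (!m) return null;
  const ts = Date.parse(m[1]);
  if (isNaN(ts)) return null;
  return { ts, outcome: m[2] as AuthEvent["outcome"], ip: m[3], user: m[4] };
}

interface AuthAlert {
  ip: string;
  failures: number;
  users: string[];      // distinct user names tried from this address
  windowStart: string;  // ISO time of the first failure in the alerting window
}

// Sliding window per source IP: alert once the window holds `threshold`
// failures. Defaults (5 failures in 5 minutes) are this example's choice.
function detectAuthFailures(lines: string[], threshold = 5, windowMs = 5 * 60_000): AuthAlert[] {
  const byIp = new Map<string, AuthEvent[]>();
  for (const line of lines) {
    const ev = parseAuthLine(line);
    if (!ev || ev.outcome !== "failure") continue;  // unparseable and successes are skipped
    const list = byIp.get(ev.ip) ?? [];
    list.push(ev);
    byIp.set(ev.ip, list);
  }

  const alerts: AuthAlert[] = [];
  byIp.forEach((events, ip) => {
    events.sort((a, b) => a.ts - b.ts);
    let start = 0;
    for (let end = 0; end < events.length; end++) {
      // Slide the window start forward until it fits inside windowMs.
      while (events[end].ts - events[start].ts > windowMs) start++;
      if (end - start + 1 >= threshold) {
        const win = events.slice(start, end + 1);
        alerts.push({
          ip,
          failures: win.length,
          users: Array.from(new Set(win.map(e => e.user))),
          windowStart: new Date(events[start].ts).toISOString(),
        });
        break;  // one alert per address is enough here; a real pipeline would rate-limit instead
      }
    }
  });
  return alerts;
}

// Constructed sample: a burst from one address across several accounts, two
// isolated failures from another, one success, and one unrelated line.
const SAMPLE_LOG = [
  "2025-09-01T10:00:00Z auth failure ip=203.0.113.7 user=alice",
  "2025-09-01T10:00:10Z auth failure ip=203.0.113.7 user=bob",
  "2025-09-01T10:00:20Z auth failure ip=203.0.113.7 user=carol",
  "2025-09-01T10:00:30Z auth failure ip=203.0.113.7 user=alice",
  "2025-09-01T10:00:40Z auth failure ip=203.0.113.7 user=dave",
  "2025-09-01T10:00:50Z auth failure ip=203.0.113.7 user=bob",
  "2025-09-01T10:01:00Z auth success ip=198.51.100.9 user=erin",
  "2025-09-01T10:02:00Z auth failure ip=198.51.100.9 user=erin",
  "2025-09-01T10:20:00Z auth failure ip=198.51.100.9 user=erin",
  "this line is not an auth event",
];
```

Feeding the same function from a log shipper and forwarding the `AuthAlert` objects to whatever alerting the deployment already has is enough for a first version of "set up alerts for suspicious activities"; the `users` field is the one to look at first when triaging.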
- Backups: Implement regular backup procedures for data and configurations
- File Permissions: Ensure proper file system permissions on `SEMIONT_ROOT`
- Database Security: Follow database-specific security guidelines
- Audit Trails: Retain logs for security analysis
The following security features are not yet implemented and are planned for future releases:
- Fine-grained role-based access control (RBAC)
- Resource-level permissions
- Automated vulnerability scanning
- End-to-end encryption for stored documents
- Multi-factor authentication (MFA) beyond OAuth provider support
- Comprehensive audit logging
- Data loss prevention (DLP) policies
- Basic role system (admin/user)
- Enhanced audit logging
- Full RBAC implementation
- Resource-level permissions
- Advanced threat detection
- Enterprise compliance features (SOC2, GDPR)
- Advanced security analytics
- Zero-trust architecture
If you discover a security vulnerability in Semiont:
- Do not create a public GitHub issue
- Email security details to the maintainers
- Include:
- Description of the vulnerability
- Steps to reproduce
- Potential impact
- Suggested fixes (if any)
- Never commit secrets or credentials
- Use environment variables for configuration
- Follow secure coding practices
- Validate all user inputs
- Handle errors securely (don't leak sensitive info)
- Keep dependencies updated
Before deploying:
```bash
# Check for known vulnerabilities
npm audit
# Update dependencies
npm update
# Run security linters (if configured)
npm run lint
```
Semiont is an open-source project and is provided "as-is". Organizations deploying Semiont are responsible for:
- Implementing appropriate security controls for their use case
- Ensuring compliance with relevant regulations
- Performing security assessments
- Maintaining secure configurations
Last Updated: September 2025
For the latest security updates and patches, see the GitHub repository.