Security Overview

Last updated: February 2026

1. Introduction

M00N Report takes security seriously. This document provides an overview of the security architecture, controls, and practices implemented in M00N Report to protect your data. Whether you use our cloud-hosted service or deploy M00N Report on your own infrastructure, security is built into every layer of the platform.

2. Architecture Overview

M00N Report follows a layered architecture with dedicated security controls at each level:
  • Web Application - Served over HTTPS. All sensitive operations happen via authenticated API calls.
  • API Layer - RESTful API with JWT-based authentication, role-based access control, and input validation on every endpoint.
  • Ingest Layer - Dedicated endpoint for receiving test results from CI/CD pipelines, authenticated via scoped API keys.
  • Database - Primary data store with Row-Level Security (RLS) for tenant isolation.
  • Object Storage - Stores test artifacts (screenshots, videos, traces). Access controlled via presigned URLs with limited expiry.

3. Multi-Tenant Data Isolation

M00N Report enforces strict tenant isolation at the database level using PostgreSQL Row-Level Security (RLS). This means:
  • Every data query is automatically scoped to the requesting organization - enforced by the database engine, not just the application layer.
  • One organization can never access, view, or modify another organization's data, even in the event of an application-level bug.
  • RLS policies are applied to all tenant-scoped tables: projects, test runs, test cases, launches, tags, folders, and artifacts.
  • Administrative operations (migrations, schema changes) use a separate connection with explicit bypass, which is never exposed to user-facing code.

4. Authentication & Authorization

JWT Authentication: All API requests are authenticated using JSON Web Tokens (JWT) with configurable expiration. Tokens are validated on every request and contain the user's identity and organization context.
Role-Based Access Control (RBAC): Users are assigned roles within their organization:
  • Admin - Full access to organization settings, user management, API keys, integrations, and all data.
  • Manager - Can manage projects, test cases, releases, and view all reports.
  • Viewer - Read-only access to dashboards, test results, and reports.
SSO / Single Sign-On: Organizations can configure SSO via OIDC or SAML with identity providers including Okta, Azure AD, Google Workspace, Auth0, and custom OIDC-compliant providers. SSO enforces your organization's own authentication policies (MFA, password complexity, session duration).
Social Login: Optional authentication via Google OAuth 2.0. Only minimal profile information (email, name, avatar) is received from the provider.
API Key Authentication: The ingest service uses organization-scoped API keys. Keys can be created, rotated, and revoked by organization administrators. Each key is scoped to a specific project.

5. Encryption

In Transit: All communications are encrypted using TLS 1.2 or higher. This applies to:
  • Browser-to-API connections (HTTPS)
  • CI/CD pipeline-to-ingest service connections
  • Database connections (SSL enforced)
  • Object storage connections
At Rest: Sensitive data is encrypted at rest:
  • User passwords are hashed using bcrypt with per-user salts.
  • Integration credentials (Jira OAuth tokens, SMTP passwords) are encrypted using AES-256-GCM.
  • Database encryption is available via the hosting provider's disk/volume encryption (AES-256 with KMS for AWS deployments).
  • Object storage supports server-side encryption (SSE) for stored artifacts.

6. Input Validation & Injection Prevention

All API inputs are validated before processing. The following protections are in place:
  • SQL Injection Prevention: All database queries use parameterized statements ($1, $2, ...). No SQL is ever constructed via string concatenation.
  • XSS Prevention: React's built-in DOM sanitization prevents cross-site scripting. User-generated content is escaped before rendering.
  • Request Validation: API endpoints validate request bodies, query parameters, and path parameters with strict type checking.
  • Rate Limiting: API and ingest endpoints enforce rate limits to prevent abuse and denial-of-service attacks.

7. Artifact Security

Test artifacts (screenshots, videos, Playwright traces, logs) are stored in S3-compatible object storage with the following security controls:
  • Artifacts are never publicly accessible. All access is via presigned URLs with a 24-hour expiry.
  • Artifact access is scoped to the owning organization via RLS - users can only access artifacts belonging to their organization.
  • Direct bucket access is blocked; only the API can generate presigned URLs for authenticated users.
  • Artifacts are organized by organization and project, ensuring logical and physical separation.

8. Network Security

For cloud and self-hosted deployments, the following network security practices are recommended and supported:
  • VPC Isolation: Application services run in private subnets. Only the load balancer is exposed to the internet.
  • Security Groups: Strict ingress/egress rules limit traffic to only necessary ports and protocols.
  • Database Isolation: Database and cache instances are deployed in isolated subnets with no public access.
  • WAF (Optional): AWS WAF or equivalent can be enabled for additional protection against common web exploits (OWASP Top 10).
  • No SSH Access: Containerized deployments (ECS Fargate, Kubernetes) have no SSH access by design.

9. Integrations & Outbound Data

M00N Report supports optional integrations with third-party services. All integrations are opt-in and configured by organization administrators. Data flows are outbound-only unless otherwise noted:
Slack / Microsoft Teams / Discord / Telegram Webhooks: Outbound-only. M00N Report sends HTTP POST requests to webhook URLs configured by your organization. Only test run summary data (run name, pass/fail counts, link to report) is sent. No Slack OAuth scopes or workspace access is requested. Webhook URLs are stored encrypted at rest.
Email Notifications (SMTP): Outbound-only. Notifications are sent via SMTP servers configured by your organization. SMTP credentials are encrypted using AES-256-GCM at rest.
Jira / Atlassian: Optional two-way integration via OAuth 2.0. When enabled, test details and error information can be sent to Jira to create or link issues. OAuth tokens are encrypted at rest. The integration can be revoked at any time, and all cached Jira data is permanently deleted upon disconnection.
SSO Identity Providers: Authentication flows (OIDC/SAML) are conducted with your organization's identity provider. Only claims necessary for authentication and profile information are received.

10. Self-Hosted Deployments

M00N Report is available as a self-hosted solution, giving you complete control over your data and infrastructure:
  • All data remains on your infrastructure - no data is transmitted to M00N Report' servers (except optional license validation).
  • Deployment options include Docker Compose, Kubernetes (Helm charts), AWS (Terraform), and DigitalOcean.
  • You control network policies, firewall rules, encryption keys, and backup schedules.
  • Self-hosted deployments receive the same security features as the cloud version: RLS, JWT auth, RBAC, encrypted credentials, and presigned artifact URLs.

11. Audit & Logging

M00N Report maintains audit trails for security-relevant events:
  • SSO authentication events are logged with IP addresses and user agents.
  • Test case changes are tracked with full history (who changed what, when).
  • API key creation, rotation, and revocation are logged.
  • Integration connection and disconnection events are recorded.
  • For AWS deployments, CloudTrail, VPC Flow Logs, and GuardDuty can be enabled for infrastructure-level auditing.

12. Compliance

M00N Report's architecture supports compliance with common regulatory frameworks:
GDPR: Data encryption at rest and in transit, tenant isolation via RLS, audit logging, data deletion capabilities, right to access via API export, and self-hosted option for data sovereignty.
SOC 2: Access controls (IAM, RBAC), encryption (KMS), centralized logging (CloudWatch, CloudTrail), multi-AZ availability, and infrastructure-as-code (Terraform) for change management.
Data Residency: Self-hosted deployments allow you to keep all data within your preferred geographic region. Cloud deployments can be configured for specific regions upon request.

13. Vulnerability Management

We follow responsible security practices to identify and remediate vulnerabilities:
  • Dependencies are regularly reviewed and updated to address known vulnerabilities.
  • Container images are built from minimal base images to reduce attack surface.
  • Security-related issues are prioritized and addressed promptly.
  • If you discover a security vulnerability, please report it responsibly to security@m00nreport.com.

14. Incident Response

In the event of a security incident, our response process includes:
  • Isolation: Affected systems are immediately isolated to prevent further impact.
  • Investigation: Logs and evidence are preserved for forensic analysis.
  • Notification: Affected customers are notified promptly with details about the incident, its impact, and remediation steps.
  • Remediation: Credentials are rotated, vulnerabilities are patched, and preventive measures are implemented.
  • Post-Mortem: A thorough review is conducted to prevent recurrence.

15. Contact

For security-related inquiries, vulnerability reports, or to request additional security documentation:
You may also wish to review our Privacy Policy, Terms of Service, and Cookie Policy for additional information.