PanelOrca Download Free

← Back to PanelOrca

Security Overview

Effective 12 May 2026

A practical summary of the security measures behind PanelOrca. We're a small team and we don't have third-party certifications yet — this page describes what is actually in place today.

Transport

  • All traffic to panelorca.com, app.panelorca.com, api.panelorca.com, and the admin panel runs over HTTPS
  • TLS certificates are issued and rotated automatically by Caddy via Let's Encrypt
  • HTTPS is enforced at the edge — non-TLS requests are redirected

Authentication

  • Passwords are hashed with bcrypt before storage — we never see plaintext passwords
  • Optional Google sign-in over OAuth 2.0; the state parameter is a short-lived signed JWT to prevent CSRF
  • Access tokens are short-lived JWTs; refresh tokens rotate and are revocable
  • Email verification is offered at signup
  • Password reset uses a single-use, time-limited token; all refresh tokens are revoked on a successful reset, signing you out of every device
  • You can change your password from your user settings at any time

Authorization

  • Every protected API endpoint validates the access token and the requested organization context (X-Organization-ID)
  • Project ownership, organization membership, and admin role are checked server-side — never trusted from the client
  • System admin actions are gated by a separate system_role='admin' flag and a dedicated admin UI on a non-public sub-path

Infrastructure

  • A single DigitalOcean Droplet in Singapore hosts the backend, the PostgreSQL database, the user portal, and the admin panel
  • PostgreSQL is bound to the loopback interface — it is not reachable from the public internet
  • Only ports 22 (SSH), 80, and 443 are exposed at the firewall (ufw) level
  • SSH login uses key authentication; password login is disabled for the deploy user
  • fail2ban protects SSH against brute-force attempts
  • Cloudflare sits in front of all hostnames and absorbs common attack traffic

Application practices

  • Per-request CORS — the API echoes a strict origin from a hard-coded allow-list rather than a permissive wildcard
  • Inputs are validated server-side; SQL is parameterized — no string concatenation into queries
  • Dependencies are pinned and updated regularly; security patches are applied as soon as they're available
  • Secrets (JWT signing keys, database credentials, Resend and Google client secrets) live in an env file on the host that is not committed to git
  • Server logs do not record passwords, tokens, OAuth fragments, or payment data

Email

  • Outbound transactional email is sent via Resend with SPF and DKIM configured on the domain
  • Inbound mail is handled by Cloudflare Email Routing and forwarded to a verified destination — no public mailbox is exposed
  • The DMARC record helps prevent spoofing of @panelorca.com by third parties

Backups and recovery

We back up the database on a regular schedule. Offsite, encrypted backups to an independent storage provider are planned and not yet in place. Until they are, please keep a local copy of any irreplaceable work — exporting from PanelOrca is always available to you.

What we don't have yet

Honesty matters more than buzzwords. As of today PanelOrca does not have:

  • SOC 2 / ISO 27001 / HIPAA / PCI-DSS certifications
  • A bug bounty programme (responsible disclosures are welcome by email — see below)
  • Single sign-on (SSO/SAML) for enterprises
  • Hardware security key (WebAuthn) login
  • Customer-managed encryption keys
  • A 24/7 on-call rotation

These will arrive as the product matures. If any of them is a hard requirement for you, please tell us — it helps us prioritise.

Reporting a vulnerability

If you discover a security issue, please email hello@panelorca.com with "Security" in the subject line. Please give us reasonable time to fix the issue before disclosing it publicly. We will acknowledge your report, work in good faith to address it, and credit you (or stay anonymous, your choice).