Skip to content

Security model

  • Password hashing and one-hour web sessions through Better Auth.
  • Optional TOTP two-factor authentication.
  • Role separation between owner, administrator and VPN user.
  • Per-device VPN identities and revocation.
  • HMAC-digested INCY HWID binding for subscription refreshes.
  • Private PostgreSQL, Xray API and service-control networks.
  • Login and subscription rate limiting.
  • Temporary and permanent source-IP bans managed by a narrow security agent.
  • Thirty-day audit retention and seven-day automatic security-event cleanup.
  • Secret scanning in continuous integration.

NoxRouteNeo does not enable destination-level access logging to build a browsing history. It does not store visited URLs, DNS queries or requested website names.

It does retain operational information required to run the appliance, including accounts, registered devices, aggregate transfer, connection time, audit events, source addresses for web security events and recent service health.

  • Keep the VPS operating system and NoxRouteNeo release current.
  • Use a unique owner password and enable TOTP.
  • Limit SSH access and disable password-based root SSH when possible.
  • Restrict provider firewall rules to required ports.
  • Back up data and test restoration.
  • Review provider terms, local law and abuse reports.
  • Revoke lost devices and former users promptly.

Report vulnerabilities privately using the process in SECURITY.md. Do not publish working exploits or real deployment secrets in a public issue.