Cryptographic standards

AES-256-GCM

Authenticated encryption for all data at rest. GCM mode provides both confidentiality and integrity — tampering is detectable.

PBKDF2-HMAC-SHA256

Key derivation at 600,000 iterations (NIST SP 800-132 compliant). Every password guess costs an attacker 600,000 HMAC-SHA256 computations, so brute-forcing a password requires serious compute investment.

HKDF

Hierarchical key derivation. One master key produces separate subkeys for encryption, signing, and authentication — compromise of one doesn't cascade.

RSA-4096

Used exclusively for license signing and verification. Private keys never ship with products; validation uses the public key only.

TOTP / RFC 6238

Time-based one-time passwords for the third factor in triple-layer authentication. Compatible with Authy, Google Authenticator, and any RFC 6238-compliant app.

Argon2 / bcrypt

Password hashing for administrative accounts. bcrypt at cost factor 13 for web auth; Argon2id where memory-hardness matters.

Triple-layer authentication (NoteArmor)

NoteArmor Pro enforces three independent authentication factors. All three must pass before any decryption occurs. Failure at any layer produces identical timing and output — an attacker cannot determine which factor failed.

Factor 01: Password

User passphrase run through PBKDF2-HMAC-SHA256 at 600,000 iterations. The derived key is never stored — only used in-memory during the session.

Factor 02: Keyfile

A physical file the user possesses. Its SHA-3-512 hash is mixed into the key derivation chain. Without the file, derivation produces a cryptographically unrelated key.
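The following is an added example (not NoteArmor's own code) of the derivation chain described for factors 01 and 02 and of the HKDF subkey split from the standards list above: PBKDF2-HMAC-SHA256 stretches the passphrase, the keyfile's SHA-3-512 digest is mixed into the input keying material, and HKDF-SHA256 (RFC 5869, written out with the standard library here) turns the result into separate encryption, signing and authentication subkeys. The way the two factors are combined, the `example-vault/v1/` info labels, and the sample salt and keyfile contents are assumptions chosen for the illustration.

```python
import hashlib
import hmac

PBKDF2_ITERATIONS = 600_000  # iteration count stated on the page
HASH_LEN = hashlib.sha256().digest_size  # 32 bytes


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """RFC 5869 extract step: PRK = HMAC-SHA256(salt, IKM)."""
    if not salt:
        salt = b"\x00" * HASH_LEN  # RFC default when no salt is given
    return hmac.new(salt, ikm, hashlib.sha256).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """RFC 5869 expand step: T(i) = HMAC(PRK, T(i-1) || info || i)."""
    if length > 255 * HASH_LEN:
        raise ValueError("HKDF-SHA256 can expand at most 8160 bytes")
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def hkdf(ikm: bytes, salt: bytes, info: bytes, length: int) -> bytes:
    return hkdf_expand(hkdf_extract(salt, ikm), info, length)


def keyfile_digest(keyfile_bytes: bytes) -> bytes:
    """Factor 02: the keyfile contributes only its SHA-3-512 digest."""
    return hashlib.sha3_512(keyfile_bytes).digest()


def derive_master_key(passphrase: str, salt: bytes, keyfile_bytes: bytes,
                      iterations: int = PBKDF2_ITERATIONS) -> bytes:
    """Combine factor 01 (passphrase) and factor 02 (keyfile) into one 32-byte master key.

    The master key lives only in memory; nothing derived here is written out.
    A wrong passphrase OR a wrong keyfile changes the HKDF input, so the
    output is unrelated to the correct key rather than 'partly right'.
    """
    # Factor 01: stretch the passphrase with PBKDF2-HMAC-SHA256.
    password_key = hashlib.pbkdf2_hmac(
        "sha256", passphrase.encode("utf-8"), salt, iterations, dklen=HASH_LEN)
    # Factor 02: mix in the keyfile digest (assumed construction: concatenation as IKM).
    ikm = password_key + keyfile_digest(keyfile_bytes)
    return hkdf_extract(salt, ikm)


def derive_subkeys(master_key: bytes) -> dict:
    """Hierarchical split: one master key, one independent subkey per purpose.

    Distinct 'info' labels (assumed names) guarantee the subkeys differ; a
    leaked subkey does not reveal the master key or its siblings.
    """
    return {
        purpose: hkdf_expand(master_key, b"example-vault/v1/" + purpose.encode(), HASH_LEN)
        for purpose in ("encryption", "signing", "authentication")
    }


if __name__ == "__main__":
    # Constructed sample inputs for a stand-alone run.
    salt = bytes(range(16))
    keyfile = b"constructed keyfile contents, normally random bytes on removable media"
    master = derive_master_key("correct horse battery staple", salt, keyfile)
    for purpose, key in derive_subkeys(master).items():
        print(f"{purpose:15s} {key.hex()}")
```

The `hkdf` function is checked against RFC 5869 test case 1, which is a good habit for any hand-written primitive; in production code the same chain can be built from a vetted library, but the structure (stretch, mix the second factor, expand into labelled subkeys) stays the same.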

Factor 03: TOTP

RFC 6238 TOTP code from an authenticator app. Validated in constant time. Expired codes and replay attacks are rejected at the application layer.

Offline RSA-4096 licensing

Most commercial software validates licenses by calling a remote server. That means your software stops working if the company shuts down, if your network is restricted, or if the server is compromised. PatronHubDevs licenses validate entirely on-device.

  • License data is signed with an RSA-4096 private key. The product ships only the public key.
  • HWID fingerprinting binds each license to a specific machine. Copying the license file to another machine fails validation.
  • The validation logic is compiled to a Cython .pyd binary. It cannot be read as Python source code.
  • No network request is made during validation. Air-gapped environments are fully supported.
  • License revocation is handled by shipping an updated public key that no longer verifies old signatures.
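The following is an added example of the offline validation flow described above; it is not PatronHubDevs' code and it needs the third-party `cryptography` package. Only the public key is present at validation time, the signature is checked before any license field is trusted, the HWID is compared in constant time, and a key identifier on each license makes the revocation-by-key-rotation approach explicit: once the shipped public key changes, every license signed under the previous key stops verifying, which is why the example carries a `kid` and why rotation is a whole-key-generation event rather than a per-customer one. The JSON layout, the `expires` field, PSS padding with a 32-byte salt, and the fingerprint inputs are assumptions made for the illustration.

```python
import hashlib
import hmac
import json
import platform
import uuid

from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import padding, rsa

_PSS = padding.PSS(mgf=padding.MGF1(hashes.SHA256()), salt_length=32)
_HASH = hashes.SHA256()


def generate_keypair(bits: int = 4096):
    """Vendor side only. The private key never leaves the signing host."""
    private_key = rsa.generate_private_key(public_exponent=65537, key_size=bits)
    return private_key, private_key.public_key()


def key_id(public_key) -> str:
    """Stable identifier for a public key: SHA-256 of its DER SubjectPublicKeyInfo."""
    der = public_key.public_bytes(serialization.Encoding.DER,
                                  serialization.PublicFormat.SubjectPublicKeyInfo)
    return hashlib.sha256(der).hexdigest()[:16]


def machine_fingerprint() -> str:
    """Assumed HWID: hash of a few host attributes. Real products pick their own inputs."""
    raw = "|".join([platform.node(), platform.machine(), platform.system(), hex(uuid.getnode())])
    return hashlib.sha256(raw.encode("utf-8")).hexdigest()


def canonical_payload(fields: dict) -> bytes:
    """Deterministic encoding so signer and verifier hash identical bytes."""
    return json.dumps(fields, sort_keys=True, separators=(",", ":")).encode("utf-8")


def sign_license(private_key, fields: dict) -> dict:
    """Vendor side: produce the license blob that ships to the customer."""
    signature = private_key.sign(canonical_payload(fields), _PSS, _HASH)
    return {"kid": key_id(private_key.public_key()),
            "license": fields,
            "signature": signature.hex()}


def verify_license(public_key, blob: dict, hwid: str, now: int) -> bool:
    """Product side: fully offline, public key only. Returns True only if every check passes."""
    # 1. Key rotation == revocation: a license signed under a retired key is dead.
    if not hmac.compare_digest(str(blob.get("kid", "")), key_id(public_key)):
        return False
    # 2. Verify the signature BEFORE reading any field out of the payload.
    try:
        fields = blob["license"]
        public_key.verify(bytes.fromhex(blob["signature"]), canonical_payload(fields), _PSS, _HASH)
    except (InvalidSignature, ValueError, KeyError, TypeError):
        return False
    # 3. HWID binding: the file is useless on another machine.
    if not hmac.compare_digest(str(fields.get("hwid", "")), hwid):
        return False
    # 4. Expiry (assumed field, unix seconds).
    return int(fields.get("expires", 0)) >= now


if __name__ == "__main__":
    priv, pub = generate_keypair()
    blob = sign_license(priv, {"customer": "example", "hwid": machine_fingerprint(),
                               "expires": 4_000_000_000})
    print("valid on this machine:", verify_license(pub, blob, machine_fingerprint(), now=1_700_000_000))
```

Note that compiling the validator (the Cython step on this page) hides the source but does not change this logic: what keeps a forged license out is the RSA signature check, so the public key embedded in the binary and the order of the checks above are what deserve review.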

Backend & web security

The PatronHubDevs.online backend has been audited against OWASP Top 10. Key controls:

Content-Security-Policy
Per-request nonce injection. Strict script-src with no unsafe-inline.
HSTS
2-year max-age, includeSubDomains, preload. Forces HTTPS on all connections.
Flask-Limiter
Rate limiting with Redis backend. Subscribe endpoint: 5 requests/hour per IP.
Flask-WTF CSRF
Synchronizer token on all state-changing forms. Standard double-submit pattern.
Input Validation
Slug sanitisation on URL params and strict type validation on all form inputs.
File Integrity Monitor
SHA-3-512 checksums on critical Python modules. Alerts on unexpected modification.
Async Security Alerts
High-severity events dispatch to BetterStack + SMTP in daemon threads.
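Two of the controls in this list translate directly into code, so here is an added example (not the PatronHubDevs.online backend) built only on the Python standard library: a file integrity monitor that records SHA-3-512 checksums of Python modules and reports modified, missing and unexpected files, plus a helper that emits the per-request CSP nonce and the HSTS header with the values stated above (a 2-year max-age is 63,072,000 seconds). The directory layout, the `.py` filter and the exact CSP directive set are assumptions; a real monitor also has to protect the stored manifest itself, for instance by signing it, or an attacker who can edit a module can edit the baseline too.

```python
import hashlib
import secrets
from pathlib import Path


def sha3_512_file(path: Path) -> str:
    """Stream the file in 64 KiB chunks so large modules do not land in memory at once."""
    digest = hashlib.sha3_512()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path, suffixes=(".py",)) -> dict:
    """Baseline: relative path -> SHA-3-512 hex digest for every matching file under root."""
    root = Path(root)
    return {
        str(path.relative_to(root)).replace("\\", "/"): sha3_512_file(path)
        for path in sorted(root.rglob("*"))
        if path.is_file() and path.suffix in suffixes
    }


def check_integrity(root: Path, manifest: dict, suffixes=(".py",)) -> dict:
    """Compare the tree against the baseline. Any non-empty list is an alert condition."""
    current = build_manifest(root, suffixes)
    return {
        "modified": sorted(p for p in manifest if p in current and current[p] != manifest[p]),
        "missing": sorted(p for p in manifest if p not in current),
        "unexpected": sorted(p for p in current if p not in manifest),
    }


def integrity_ok(report: dict) -> bool:
    return not any(report.values())


def security_headers(nonce: str = None) -> tuple:
    """Per-request CSP nonce plus HSTS. Returns (headers, nonce) so templates can use the nonce."""
    nonce = nonce or secrets.token_urlsafe(16)   # fresh, unpredictable value every request
    csp = (
        "default-src 'self'; "
        f"script-src 'self' 'nonce-{nonce}'; "   # strict: no 'unsafe-inline', no wildcards
        "object-src 'none'; base-uri 'self'; frame-ancestors 'none'"
    )
    headers = {
        "Content-Security-Policy": csp,
        "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
    }
    return headers, nonce


if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        app = Path(tmp)
        (app / "views.py").write_text("print('hello')\n")   # constructed sample module
        baseline = build_manifest(app)
        (app / "views.py").write_text("import os\n")        # simulate an unexpected edit
        print(check_integrity(app, baseline))                # {'modified': ['views.py'], ...}
    print(security_headers()[0]["Content-Security-Policy"])
```

In a Flask app the nonce from `security_headers()` would be stashed on `g` in a `before_request` hook and passed into templates, and the integrity check would run from a scheduled job that feeds a non-empty report into the alerting path described above.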

Responsible disclosure

Found something? We want to know before anyone else does. Coordinated disclosure is handled directly — no bug bounty platform, no automated ticketing. You talk to the developer.