Security & Trust

Security isn't
an afterthought.

FeatherPanel handles credentials, server access, and infrastructure commands. We take that responsibility seriously from the cipher choices in MythicalCore to the permissions model on every API route.

Found a vulnerability?

Please disclose responsibly; do not post publicly. Email [email protected] with a detailed description. We aim to acknowledge within 24 hours.

Built-In Security

Every layer
hardened by default.

Security is part of the MythicalCore framework, not a plugin. These protections apply to every FeatherPanel installation automatically.

XChaCha20 Encryption

All sensitive data at rest is encrypted using XChaCha20-Poly1305 via MythicalCore. This is the same cipher family used by modern VPN protocols and NaCl-based cryptographic systems.

TLS 1.3 in Transit

All communication between the panel, daemon, and clients is enforced over TLS 1.3. Legacy protocol versions are rejected. HSTS is applied on all official cloud deployments.

CSRF Protection

Every state-mutating request in FeatherPanel is protected by cryptographically signed CSRF tokens. Cross-origin requests cannot modify panel state.

CloudFlare Turnstile

Login and sensitive forms are protected by CloudFlare Turnstile, a privacy-respecting bot challenge that doesn't degrade user experience with CAPTCHAs.

Two-Factor Authentication

TOTP-based 2FA is available for all panel accounts. Administrators can enforce 2FA across their entire user base via panel settings.

Full Audit Logging

Every administrative action (server creation, config change, user modification, API call) is recorded in a tamper-evident audit log with timestamp and actor.

Hardening Details

Defense in depth,
not just perimeter.

Each layer of the stack applies its own security controls. A breach at the network layer doesn't automatically grant access to the application layer and vice versa.

  • Secrets stored separately from panel configuration, never in version control
  • Daemon communication authenticated with signed tokens, not shared passwords
  • Role-based access control scopes all user permissions at the database level
  • SQL injection protection via parameterized queries throughout MythicalCore
  • File manager sandboxed to the server directory; no arbitrary filesystem traversal
  • Outbound webhook payloads signed with HMAC-SHA256 for recipient verification
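What the recipient side of the last point looks like, as an added example that is not FeatherPanel's or MythicalCore's own code: the header names, the "<timestamp>.<body>" signing layout and the 300-second replay window are assumptions; the shared secret and payload are constructed.

```python
"""Recipient-side verification of an HMAC-SHA256 signed webhook.

Constructed example (not FeatherPanel's code). Assumed layout: the sender
puts a Unix timestamp and a hex HMAC-SHA256 over "<timestamp>.<body>" in
two headers; both header names and the layout are assumptions.
"""
import hashlib
import hmac
import time
from typing import Optional

SIGNATURE_HEADER = "X-Webhook-Signature"   # assumed header name
TIMESTAMP_HEADER = "X-Webhook-Timestamp"   # assumed header name
MAX_SKEW_SECONDS = 300                     # assumed replay window (5 minutes)


def sign_payload(secret: bytes, timestamp: int, body: bytes) -> str:
    """What the sender computes: HMAC-SHA256 over "<ts>.<body>", hex-encoded."""
    msg = str(timestamp).encode() + b"." + body
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def verify_webhook(secret: bytes, headers: dict, body: bytes,
                   now: Optional[int] = None) -> bool:
    """Return True only if the signature matches and the timestamp is fresh."""
    now = int(time.time()) if now is None else now
    sig = headers.get(SIGNATURE_HEADER, "")
    ts_raw = headers.get(TIMESTAMP_HEADER, "")
    if not ts_raw.isdigit():
        return False                      # missing or malformed timestamp
    ts = int(ts_raw)
    if abs(now - ts) > MAX_SKEW_SECONDS:
        return False                      # stale or far-future: treat as replay
    expected = sign_payload(secret, ts, body)
    # compare_digest avoids leaking how much of the MAC matched via timing
    return hmac.compare_digest(expected, sig)


if __name__ == "__main__":
    secret = b"constructed-shared-secret"
    body = b'{"event":"server.created","server_id":"srv-123"}'
    ts = 1_700_000_000
    headers = {SIGNATURE_HEADER: sign_payload(secret, ts, body),
               TIMESTAMP_HEADER: str(ts)}
    print(verify_webhook(secret, headers, body, now=ts + 10))         # True
    print(verify_webhook(secret, headers, body + b" ", now=ts + 10))  # False, body tampered
    print(verify_webhook(secret, headers, body, now=ts + 1000))       # False, replayed late
```

Binding the timestamp into the signed message is what makes the replay check meaningful; a signature over the body alone would verify forever.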

Security Log

Transparent about
what we've fixed.

Security improvements are documented publicly. We don't quietly ship fixes; we explain what changed and why.

v1.0 Security Audit

Internal security review conducted prior to public release. Critical paths reviewed for injection, auth bypass, and privilege escalation.

CSRF Hardening Pass

Additional CSRF token scope narrowing applied to all API routes following community security review.

TLS Policy Enforcement

TLS 1.0/1.1 sunset enforced across all official cloud deployments. Self-hosted docs updated with hardening guide.

Zero-Trust Daemon Auth

Daemon authentication rearchitected to short-lived signed tokens, eliminating long-lived shared secrets between panel and node.

Responsible Disclosure

Report it to us
before anyone else.

If you discover a security vulnerability in FeatherPanel, MythicalCore, or any related MythicalSystems infrastructure, please tell us privately first.

Email [email protected] with a clear description of the issue, how to reproduce it, and any supporting material. We will acknowledge your report within 24 hours and provide a resolution timeline within 72 hours.

We do not pursue legal action against researchers who disclose responsibly and in good faith.