
Security at BoltHash

Apr 3, 2026 | BoltHash security | Ed25519 | SHA-256

Security is fundamental to BoltHash. We protect your software with cryptographic guarantees and protect your account with defense-in-depth infrastructure security.

1. Code Protection Security

Zero-Knowledge Architecture

Your source code never leaves your machine. The BoltHash CLI performs all obfuscation, signing, and integrity hashing locally. The server only receives metadata — license keys, project settings, and device fingerprint hashes.

Ed25519 Digital Signatures

Every protected build is signed with an Ed25519 keypair unique to your project. The private key is embedded in the binary during the build process. On startup, the runtime verifies the signature to ensure the code has not been tampered with.

SHA-256 Integrity Hashing

Before obfuscation, the canonical hash of your entry file's AST is computed. After obfuscation, the output hash is signed and stored in integrity.json. Any modification — even a single byte — causes verification failure at runtime.
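The signing and hashing steps from the two sections above, as an added example (not BoltHash's own code): the build side hashes the output and signs a manifest, and the runtime side checks the signature and then the hash. The manifest layout, the function names, and verifying with the public half of the keypair are assumptions of this example; the keypair and build bytes are constructed.

```javascript
// Added example: build-side signing and runtime-side verification of an
// integrity manifest. Layout and names are assumptions, not BoltHash's format.
const crypto = require('node:crypto');

const sha256Hex = (bytes) => crypto.createHash('sha256').update(bytes).digest('hex');

// Build side: hash the obfuscated output, then sign the exact payload string.
// Signing the serialized string avoids JSON canonicalization mismatches later.
function buildManifest(outputBytes, privateKey) {
  const payload = JSON.stringify({ algorithm: 'sha256', outputHash: sha256Hex(outputBytes) });
  const signature = crypto.sign(null, Buffer.from(payload), privateKey).toString('base64');
  return { payload, signature };
}

// Runtime side: check the signature before trusting or parsing the payload,
// then compare the recorded hash with the hash of the bytes actually loaded.
function verifyBuild(outputBytes, manifest, publicKey) {
  const sig = Buffer.from(manifest.signature, 'base64');
  if (!crypto.verify(null, Buffer.from(manifest.payload), publicKey, sig)) {
    return 'bad-signature';
  }
  const { algorithm, outputHash } = JSON.parse(manifest.payload);
  if (algorithm !== 'sha256') return 'bad-algorithm';
  const expected = Buffer.from(outputHash, 'hex');
  const actual = crypto.createHash('sha256').update(outputBytes).digest();
  const same = expected.length === actual.length && crypto.timingSafeEqual(expected, actual);
  return same ? 'ok' : 'hash-mismatch';
}

// Constructed sample data: throwaway keypair and a stand-in for the build output.
function demo() {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('ed25519');
  const output = Buffer.from('console.log("constructed sample build output");');
  const manifest = buildManifest(output, privateKey);

  const flipped = Buffer.from(output); // copy, then change a single bit
  flipped[0] ^= 0x01;
  // Manifest edited to match the modified file, reusing the old signature.
  const edited = {
    payload: JSON.stringify({ algorithm: 'sha256', outputHash: sha256Hex(flipped) }),
    signature: manifest.signature,
  };
  return {
    intact: verifyBuild(output, manifest, publicKey),
    byteFlipped: verifyBuild(flipped, manifest, publicKey),
    manifestEdited: verifyBuild(flipped, edited, publicKey),
  };
}

console.log(demo());
```

The third case shows why the stored hash has to be covered by the signature: a recomputed hash on its own would match the modified file.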

Hardware Fingerprinting

License activations are bound to a hardware fingerprint (CPU, disk serial, MAC address hash). This prevents unauthorized redistribution of license keys. A configurable grace period allows end-users to migrate to new hardware.

2. Infrastructure Security

Transport Security

  • All API traffic encrypted with TLS 1.3
  • HSTS headers enforced on all responses
  • CORS restricted to authorized origins

Authentication

  • Passwords hashed with bcrypt (cost factor 12)
  • JWT tokens with configurable expiry
  • Rate limiting on authentication endpoints
  • Brute-force protection via progressive lockout

Application Security

  • Helmet.js security headers on all responses
  • SQL injection prevention via parameterized queries
  • Input validation on all API endpoints
  • No eval() or dynamic code execution in the server
  • No shell: true in child process spawning

3. Vulnerability Disclosure

If you discover a security vulnerability in BoltHash, please report it responsibly:

  • Email: security@boltopen.com
  • Include steps to reproduce the issue
  • Allow 48 hours for initial response
  • Do not publicly disclose until a fix is released

We acknowledge all valid reports and credit researchers in our changelog (with permission).

Last updated: April 2026