Encryption

Odin Scan employs encryption at every layer to protect your data in transit and at rest.

Data in Transit

All communication between clients and the Odin Scan API uses TLS 1.2 or higher. This applies to:

  • API requests from the GitHub Action to api.odinscan.ai
  • Dashboard access via odinscan.ai
  • Webhook deliveries from Polar.sh to the Odin Scan API

Plaintext HTTP connections are not accepted: a request that arrives over HTTP is redirected to HTTPS rather than served. A redirect only protects what follows it, so a client that has already sent an API key over plain HTTP has exposed that key; clients should address the API as https:// directly instead of relying on the redirect.

Data at Rest

Sensitive data stored by Odin Scan is encrypted using AES-256-GCM, an authenticated mode: a stored record that has been altered fails decryption outright rather than yielding corrupted plaintext. This includes:

  • API keys
  • GitHub tokens (if temporarily held during analysis)
  • Subscription and billing identifiers

Non-sensitive data such as analysis results and finding metadata is stored in PostgreSQL and protected by database-level access controls and TLS-encrypted connections.

Webhook Verification

Incoming webhooks from Polar.sh (for subscription events) are verified using HMAC-SHA256 signature validation. Each webhook request carries a signature header; the API recomputes the HMAC over the received request body with the shared secret and compares it to the header before the payload is parsed or acted on. Requests with invalid or missing signatures are rejected.

Database Connections

  • PostgreSQL: All connections use TLS encryption. The database is not accessible from the public internet.
  • Redis: Used for session caching and rate limiting. Connections are authenticated and encrypted.

Logging

Sensitive data is excluded from application logs and error responses. API keys, tokens, and the plaintext of encrypted fields never appear in logs. The GitHub Action calls core.setSecret() on the API key so that the runner masks it wherever it would otherwise appear in workflow logs.