Enterprise Security
Security Built In, Not Bolted On
FLIN is built on Rust — the world's most secure systems language. Memory safety, encryption, authentication, and guards are first-class citizens.
Foundation
Powered by Rust
Memory-safe, thread-safe, and blazingly fast
Rust: Zero-Cost Safety
FLIN's core is written in Rust, inheriting decades of memory safety research. No garbage collector, no runtime overhead — just blazing-fast, secure code.
No Buffer Overflows
Bounds checking at compile time
No Null Pointers
Option<T> enforces null safety
No Data Races
Ownership model prevents races
No Use-After-Free
Borrow checker prevents dangling pointers
No Memory Leaks
RAII guarantees cleanup
Thread Safety
Send/Sync traits enforce safety
Access Control
Guards System
Declarative route protection in one line
Built-in Guards
// Authentication required
guard auth
// Role-based access
guard role("admin", "editor")
// Rate limiting (100 req/min)
guard rate_limit(100, 60)
// CSRF protection
guard csrf
// API key validation
guard api_key
// IP whitelist (CIDR)
guard ip("192.168.1.0/24")
// Time-based access
guard time("09:00", "17:00")
// HTTP method restriction
guard method("GET", "POST")Custom Guards
// Define your own guards
guard_definition premium_user {
user = auth_user()
if user.plan != "premium" {
fail 403 "Premium required"
}
}
// Parametric guards
guard_definition min_age(age) {
user = auth_user()
if user.age < age {
fail 403 "Age restricted"
}
}
// Use your custom guard
route GET /premium {
guard premium_user
guard min_age(18)
response.ok({ content: "..." })
}
Authentication
Auth Made Simple
JWT, OAuth2, 2FA — all in one line
🔐
Password Hashing
Argon2id — winner of the Password Hashing Competition. Memory-hard, resistant to GPU attacks.
// Hash password
hash = argon2_hash(password)
// Verify
if argon2_verify(password, hash) {
// Login successful
}
🎫
JWT Tokens
Stateless authentication with automatic expiration and verification.
// Create token (1 hour)
token = jwt_create({
user_id: user.id,
role: "admin"
}, secret, 3600)
// Verify token
claims = jwt_verify(token, secret)
// Check expiration
if jwt_is_expired(token) { ... }
🌐
OAuth2 / Social
Google, GitHub, Discord — one-liner social login with PKCE.
// One-line Google login
route GET /auth/google {
redirect(auth_google_login())
}
// Handle callback
route GET /auth/google/callback {
user = auth_google_callback()
// user.email, user.name, etc.
}
📱
Two-Factor Auth (TOTP)
// Generate secret
secret = totp_secret()
// Generate QR code
qr = totp_qr(secret, "[email protected]", "MyApp")
// Verify 6-digit code
if totp_verify(code, secret) {
// 2FA passed
}
// Backup codes
codes = backup_codes_generate()
💬
WhatsApp OTP
// Send OTP via WhatsApp
result = whatsapp_send_otp(
"+1234567890",
"Your code is: {code}"
)
// Verify OTP
if whatsapp_verify_otp(phone, code) {
// Phone verified
}
Cryptography
Military-Grade Encryption
AES-256-GCM, secure random, and more
AES-256-GCM Encryption
// Generate 256-bit key
key = secure_random(32)
// Encrypt data
ciphertext = encrypt(data, key)
// Decrypt data
plaintext = decrypt(ciphertext, key)
// Authenticated encryption
// (integrity + confidentiality)Secure Random & CSRF
// Cryptographic random (base64)
token = secure_random(32)
// UUID v4
id = generate_uuid()
// CSRF token (forms)
csrf = csrf_token()
// Constant-time verification
if csrf_verify(submitted, stored) {
// Safe from timing attacks
}
Protection
Headers & Rate Limiting
Defense in depth, out of the box
Security Headers
// All recommended headers
headers = security_headers()
// Content Security Policy
csp = set_csp({
default_src: "'self'",
script_src: "'self' 'unsafe-inline'"
})
// CORS
cors = set_cors_headers({
origins: ["https://example.com"],
methods: ["GET", "POST"]
})
// HSTS (1 year)
hsts = set_hsts(31536000)
// X-Frame-Options
frame = x_frame_options("DENY")Rate Limiting
// Check & increment
result = rate_limit("api:user:123", 100, 60)
// { allowed: true, remaining: 99, reset_at: ... }
// Check without incrementing
status = rate_limit_check(key, 100, 60)
// Rate limit by IP
rate_limit_ip(request.ip, 1000, 3600)
// Rate limit by user
rate_limit_user(user.id, 500, 3600)
// Reset limit
rate_limit_reset(key)
// Get headers
headers = rate_limit_headers(remaining, limit, reset)
Validation
43 Built-in Validators
Automatic request validation with detailed errors
route POST /api/users {
validate {
email: text @required @email
password: text @required @min(8) @max(128)
age: int @min(18) @max(120)
role?: text @one_of("user", "admin") @default("user")
website?: text @url
phone?: text @phone
avatar: file @image @max_size("5MB")
}
// Validation passed, create user
user = User.create(body)
response.created(user)
}Available Validators
@required
@email
@url
@phone
@uuid
@min(n)
@max(n)
@range(a,b)
@regex(pattern)
@one_of(...)
@default(v)
@credit_card
@ip
@ipv4
@ipv6
@slug
@alphanumeric
@image
@document
@max_size(s)
@extension(...)
+22 more
Middleware
Request Pipeline
Intercept and transform requests at any level
// app/_middleware.flin - Applies to all routes
middleware {
// Add security headers
set_header("X-Content-Type-Options", "nosniff")
// Log request
log("Request:", request.method, request.path)
// Continue to next middleware/handler
next()
// Post-handler (runs after route)
log("Response:", response.status)
}
// app/api/_middleware.flin - API routes only
middleware {
// Check API key
if !request.headers["X-API-Key"] {
response {
status: 401
json: { error: "API key required" }
}
}
next()
}
Secrets
Secrets Management
Secure environment variables and secret files
Environment Variables
// Get env variable
api_key = env("API_KEY")
// With default value
port = env_or("PORT", "3000")
// Check if exists
if env_exists("DEBUG") {
// Enable debug mode
}Secret Files
// Read from .secrets/
db_password = secret("database_password")
// Path traversal protection
// secret("../etc/passwd") -> ERROR
// Files in .secrets/ are:
// - Auto-added to .gitignore
// - Never logged or exposed
Battle-Tested
2,855+ Security Tests
Every security feature is thoroughly tested
2,176
Unit Tests
679
Integration Tests
75
Security Tests
62
Guard Tests
At a Glance
Security Features
| Category | Feature | Status |
|---|---|---|
| Core | Rust Memory Safety | ✔ |
| Encryption | AES-256-GCM | ✔ |
| Passwords | Argon2id Hashing | ✔ |
| Auth | JWT Tokens | ✔ |
| Auth | OAuth2 + PKCE (Google, GitHub, Discord) | ✔ |
| Auth | Two-Factor (TOTP + Backup Codes) | ✔ |
| Auth | WhatsApp OTP | ✔ |
| Guards | auth, role, rate_limit, csrf, api_key, ip, time, method | ✔ |
| Guards | Custom Guard Definitions | ✔ |
| Headers | CSP, CORS, HSTS, X-Frame-Options | ✔ |
| Protection | Rate Limiting (IP, User, Key) | ✔ |
| Protection | CSRF Protection | ✔ |
| Validation | 43 Built-in Validators | ✔ |
| Validation | File Upload Validation (size, type, extension) | ✔ |
| Secrets | Path Traversal Protection | ✔ |