Version: v4


Security

Harper uses role-based, attribute-level security to ensure that users can only gain access to the data they are supposed to be able to access. Granular permissions allow for unparalleled flexibility and control, and can lower the total cost of ownership compared to other database solutions, since you no longer need to replicate subsets of data to isolate use cases.

Authentication Methods

Harper supports three authentication methods:

  • Basic Authentication — Username and password sent as a Base64-encoded Authorization header on every request.
  • JWT Authentication — Token-based authentication using JSON Web Tokens. Clients authenticate once and receive short-lived operation tokens and longer-lived refresh tokens.
  • mTLS Authentication — Mutual TLS certificate-based authentication (added in v4.3.0).
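The following client-side helper is an added example, not code from Harper or its documentation. It shows the two header-based methods above from the caller's side: building the Base64 `Authorization` header for Basic Authentication, and a JWT session that authenticates once, reuses the operation token, and exchanges the refresh token for a new operation token when the first expires. The operation names `create_authentication_tokens` and `refresh_operation_token`, the response fields `operation_token`/`refresh_token`, the host `harper.example.internal`, port 9926 and the one-hour token lifetime are assumptions for this example; confirm them against the JWT Authentication page. The transport is injected so the flow runs offline against a constructed stand-in server, and both paths refuse to send credentials to a non-HTTPS URL, which matters because Harper's default listener is plain HTTP.

```python
"""Client-side handling of Harper's Basic and JWT authentication (added example)."""
import base64
from dataclasses import dataclass
from typing import Callable, Dict, Optional
from urllib.parse import urlparse

# Transport abstraction: (url, headers, json_body) -> parsed JSON response.
# Injected so the token flow can be exercised offline; a real client would
# wrap urllib or requests here.
Transport = Callable[[str, Dict[str, str], Dict[str, str]], Dict[str, str]]


def basic_auth_header(username: str, password: str) -> Dict[str, str]:
    """Authorization header for Basic Authentication: Base64 of 'user:password'."""
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    return {"Authorization": f"Basic {token}"}


def bearer_header(token: str) -> Dict[str, str]:
    """Authorization header carrying a JWT operation token."""
    return {"Authorization": f"Bearer {token}"}


def require_https(url: str) -> None:
    """Refuse to send a password or token over plain HTTP (Harper's default listener)."""
    if urlparse(url).scheme != "https":
        raise ValueError(f"refusing to send credentials over non-HTTPS URL: {url}")


@dataclass
class JwtSession:
    """Authenticate once, reuse the operation token, refresh it when it expires."""
    url: str
    username: str
    password: str
    transport: Transport
    # Assumed operation-token lifetime in seconds. Harper's real value is
    # server-configured; a production client should read the token's exp claim.
    operation_ttl: float = 3600.0
    operation_token: Optional[str] = None
    refresh_token: Optional[str] = None
    operation_expires_at: float = 0.0

    def login(self, now: float) -> None:
        require_https(self.url)
        body = {"operation": "create_authentication_tokens",  # assumed operation name
                "username": self.username, "password": self.password}
        resp = self.transport(self.url, {"Content-Type": "application/json"}, body)
        self.operation_token = resp["operation_token"]
        self.refresh_token = resp["refresh_token"]
        self.operation_expires_at = now + self.operation_ttl

    def refresh(self, now: float) -> None:
        require_https(self.url)
        body = {"operation": "refresh_operation_token",  # assumed operation name
                "refresh_token": self.refresh_token}
        resp = self.transport(self.url, {"Content-Type": "application/json"}, body)
        self.operation_token = resp["operation_token"]
        self.operation_expires_at = now + self.operation_ttl

    def headers(self, now: float) -> Dict[str, str]:
        """Headers for a request at time `now`, logging in or refreshing as needed."""
        if self.operation_token is None:
            self.login(now)
        elif now >= self.operation_expires_at:
            self.refresh(now)
        return bearer_header(self.operation_token)


def fake_harper(url: str, headers: Dict[str, str], body: Dict[str, str]) -> Dict[str, str]:
    """Constructed stand-in for a Harper server: issues and refreshes tokens."""
    if body["operation"] == "create_authentication_tokens":
        if body["password"] != "correct-horse":
            raise PermissionError("bad credentials")
        return {"operation_token": "op-token-1", "refresh_token": "refresh-token-1"}
    if body["operation"] == "refresh_operation_token":
        if body["refresh_token"] != "refresh-token-1":
            raise PermissionError("unknown refresh token")
        return {"operation_token": "op-token-2"}
    raise ValueError(f"unexpected operation {body['operation']}")


def demo() -> tuple:
    """Three requests: the first logs in, the second reuses the token, the third refreshes."""
    session = JwtSession("https://harper.example.internal:9926",  # assumed host and port
                         "alice", "correct-horse", fake_harper)
    first = session.headers(now=0.0)["Authorization"]
    second = session.headers(now=10.0)["Authorization"]
    third = session.headers(now=3601.0)["Authorization"]
    return first, second, third


if __name__ == "__main__":
    print(basic_auth_header("alice", "correct-horse"))
    print(demo())
```

Because the operation token is short-lived, the refresh path is the one a real client exercises most; keeping the password out of `refresh()` entirely is the point of the two-token design, so a compromised operation token cannot be used to mint new ones.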

Certificate Management

Access Control

  • CORS — Cross-Origin Resource Sharing configuration.
  • SSL / HTTPS — Enabling HTTPS and configuring TLS for the HTTP server.
  • Users and Roles — Role-Based Access Control (RBAC): defining roles, assigning permissions, and managing users.

Security Philosophy

Harper's security model has two distinct layers:

Authentication determines who is making a request. Harper validates each request using one of the methods above, then resolves the caller to a known Harper user account.

Authorization determines what the caller can do. Each Harper user is assigned a role. Roles carry a permissions set that grants or denies CRUD access at the table and attribute level, in addition to controlling access to system operations.

For details on how roles and permissions work, see Users and Roles.
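To make the table- and attribute-level layering concrete, here is an added example of a small authorization evaluator; it is not Harper's own implementation. The role layout (a `super_user` flag, per-database table entries with `read`/`insert`/`update`/`delete` flags, and an `attribute_permissions` list carrying the same flags per attribute) follows the pattern Users and Roles describes, but the database `dev`, table `customers`, the `ssn` attribute and the rule that an unlisted attribute inherits the table-level flag are assumptions made for this example. The evaluator is default-deny at both layers and projects a row down to the attributes a role may read.

```python
"""Toy attribute-level authorization check modeled on Harper's role structure (added example)."""
from typing import Any, Dict, List

# Constructed role. The shape follows the Users and Roles pattern; the database,
# table and attribute names are made up for this example.
ANALYST_ROLE: Dict[str, Any] = {
    "super_user": False,
    "permissions": {
        "dev": {
            "tables": {
                "customers": {
                    "read": True, "insert": False, "update": False, "delete": False,
                    "attribute_permissions": [
                        {"attribute_name": "ssn",
                         "read": False, "insert": False, "update": False, "delete": False},
                    ],
                }
            }
        }
    },
}

# A super user bypasses the per-table permission set entirely.
ADMIN_ROLE: Dict[str, Any] = {"super_user": True, "permissions": {}}

CRUD = ("read", "insert", "update", "delete")


def _table_perms(role: Dict[str, Any], database: str, table: str):
    return role.get("permissions", {}).get(database, {}).get("tables", {}).get(table)


def table_allows(role: Dict[str, Any], database: str, table: str, action: str) -> bool:
    """Table-level decision. Default deny: a table absent from the role grants nothing."""
    if action not in CRUD:
        raise ValueError(f"unknown action {action!r}")
    if role.get("super_user"):
        return True
    perms = _table_perms(role, database, table)
    return bool(perms and perms.get(action, False))


def attribute_allows(role: Dict[str, Any], database: str, table: str,
                     attribute: str, action: str) -> bool:
    """Attribute-level decision, evaluated only after the table-level check passes.
    A listed attribute uses its own flags; an unlisted one inherits the table-level
    flag (an assumption made for this example)."""
    if not table_allows(role, database, table, action):
        return False
    if role.get("super_user"):
        return True
    for entry in _table_perms(role, database, table).get("attribute_permissions", []):
        if entry["attribute_name"] == attribute:
            return bool(entry.get(action, False))
    return True


def filter_row(role: Dict[str, Any], database: str, table: str,
               row: Dict[str, Any]) -> Dict[str, Any]:
    """Project a row down to the attributes the role may read."""
    return {k: v for k, v in row.items()
            if attribute_allows(role, database, table, k, "read")}


def denied_attributes(role: Dict[str, Any], database: str, table: str,
                      action: str, row: Dict[str, Any]) -> List[str]:
    """Attributes the role may NOT write for an insert or update (empty means allowed)."""
    if action not in ("insert", "update"):
        raise ValueError("denied_attributes handles insert and update only")
    return [k for k in row if not attribute_allows(role, database, table, k, action)]


if __name__ == "__main__":
    record = {"id": 7, "name": "Ada", "ssn": "000-00-0000"}  # constructed row
    print(filter_row(ANALYST_ROLE, "dev", "customers", record))
    print(denied_attributes(ANALYST_ROLE, "dev", "customers", "update", {"name": "A"}))
    print(filter_row(ADMIN_ROLE, "dev", "customers", record))
```

Note the ordering: the attribute check is never consulted unless the table-level flag already permits the action, so a stray attribute-level `read: True` on a table the role cannot read grants nothing. That is the property to test for when reviewing a role definition.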

Default Behavior

Out of the box, Harper:

  • Generates self-signed TLS certificates at <ROOTPATH>/keys/ on first run.
  • Runs with HTTPS disabled (HTTP only on port 9925 for the Operations API). It is recommended that you never directly expose Harper's HTTP interface through a publicly available port.
  • Enables CORS for all origins (configurable).
  • Supports Basic Auth and JWT Auth by default; mTLS must be explicitly configured.