Security by design

Built to be safe to point at production

ComposeBastion runs on your own infrastructure and never asks for arbitrary shell access. Every credential is encrypted, and every action is typed and audited.

Your servers stay yours

No arbitrary shell. No secrets in the clear.

ComposeBastion issues typed, allowlisted Docker commands — never raw host shell — and encrypts every credential at rest. The optional agent only accepts bearer-authenticated Docker operations.

Encrypted credentials

SSH private keys and registry logins are encrypted with your APP_SECRET.

Typed Docker ops

Allowlisted job actions instead of arbitrary host commands.

RBAC + audit

Owner/admin/operator/viewer roles with every action audited.

Hardened web layer

Security headers, SameSite cookies, credentialed CORS limited to same-origin + your config.

Masked secrets

Container inspect redacts env values for viewers; sessions never expose token hashes.

Backup key rotation

Encrypted backups support rotating archive keys without re-entering host credentials.

Your ComposeBastion account

Locked down by default

The account you create here is protected with the same care as the product itself.

Two-factor authentication

Add a TOTP authenticator (Google Authenticator, Authy, 1Password) with single-use recovery codes. Your 2FA secret is encrypted at rest.

Hardened sign-in

Passwords are bcrypt-hashed, logins are rate-limited and constant-time, and a password reset signs out every other session.

Verified email + reset

Email verification on sign-up and self-service password reset, with single-use, expiring links — and your card details never touch our servers.

Get in touch

Bring order to your Docker fleet

Self-host it on your homelab today, or tell us about your business setup and we'll get you early access with founder pricing.