QA Flow ships with sensible defaults that make local development frictionless, but those defaults are intentionally insecure and must be replaced before you expose the application to any network outside your own machine. This page walks through every security configuration step, explains the authentication model, and provides example reverse proxy configuration for TLS termination.Documentation Index
Fetch the complete documentation index at: https://mintlify.com/davidG97/qa-flow/llms.txt
Use this file to discover all available pages before exploring further.
Pre-Deployment Checklist
Work through these steps in order before opening QA Flow to any users or networks beyond localhost:Set a strong JWT_SECRET
Generate a cryptographically random string of at least 32 characters and set it as the Or with Node.js:Copy the output and set it in your environment or
JWT_SECRET environment variable. The default value (change-me-in-production) is publicly known and must never be used outside a local development environment..env file:Change the default admin credentials
The default admin account (
admin@qaflow.com / admin123) is created automatically on first run. Log in immediately after deployment and change both the email address and password from the account settings. Do not skip this step — leaving the defaults in place is the single most common cause of unauthorised access.Configure HTTPS with a reverse proxy
QA Flow does not terminate TLS itself. Place a reverse proxy such as nginx, Caddy, or Traefik in front of it to handle HTTPS. See the nginx example below. Never serve QA Flow over plain HTTP on a public network.
Restrict network access
Bind port
3001 only to localhost or a private network interface. Use firewall rules or your cloud provider’s security groups to block direct public access to the port. All external traffic should flow through your reverse proxy over HTTPS.Use a durable, backed-up database
The default SQLite database stored in a Docker volume is convenient for development but should not be your only copy of data in production. Use Turso for a managed libsql cloud database, or connect to a PostgreSQL instance with regular backups using the
docker-compose.prod.yml overlay. See the Docker deployment guide for configuration details.JWT Authentication
Every QA Flow API endpoint except/api/auth/login and /api/auth/register requires a valid JSON Web Token. Tokens are issued by the login endpoint and must be included in the Authorization header of every subsequent request.
Obtain a token:
JWT_SECRET using a symmetric algorithm. If you rotate JWT_SECRET, all existing tokens are immediately invalidated and all users must log in again.
Role-Based Access Control
QA Flow enforces a two-level permission model: a system-level user role and a project-level membership role.ADMIN
Full system access. Can list and manage all users, access every project regardless of membership, and create or delete any resource. Assign this role only to trusted operators.
USER
Standard account. Can only access projects where they hold an explicit
ProjectMember record. Cannot see or interact with other users’ projects.Project Membership Roles
Within a project, access is governed by theProjectMember role:
| Role | Permissions |
|---|---|
OWNER | Full control — edit flow, manage members, delete project |
MEMBER | Read and execute — can view the canvas and run tests, but cannot modify the flow or manage members |
OWNER role automatically when they create a project. Additional members can be invited and assigned either role by any existing OWNER on the project.
Generating a Secure JWT_SECRET
- openssl
- Node.js
- Python
Reverse Proxy with nginx
The following nginx configuration terminates TLS and proxies requests to QA Flow running onlocalhost:3001. The Upgrade and Connection headers are forwarded to support the WebSocket connections used for real-time test execution streaming.
Vulnerability Reporting
If you discover a security vulnerability in QA Flow, please report it responsibly — do not open a public GitHub issue.GitHub Security Advisories
Preferred method. Go to the Security tab in the repository and click “Report a vulnerability” to submit a private advisory.
Response Timeline
Initial response within 48 hours, status update within 7 days, and a resolution target of 30 days depending on severity.