Platform Security
CTFFactory is designed with security as a core requirement, not an afterthought. This page documents the security controls in place to protect accounts, workspaces, data, and platform integrity.
Multi-Factor Authentication (MFA)
All CTFFactory accounts support MFA using time-based one-time passwords (TOTP) compatible with any RFC 6238-compliant authenticator app (e.g., Google Authenticator, Authy, 1Password).
- MFA can be enabled by any user from Account Settings > Security > Two-Factor Authentication.
- Workspace Owners can enforce MFA for all workspace members from Workspace Settings > Security. Once enforced, members who have not enrolled MFA are required to do so on their next login before accessing any workspace resource.
- When SSO is enabled, MFA enforcement is delegated to the corporate IdP. CTFFactory does not apply a separate TOTP challenge for SSO-authenticated sessions.
Recovery codes are generated at MFA enrollment time. Users should store these in a secure location. Lost MFA devices can be recovered via support after identity verification.
Session Management
CTFFactory web sessions are protected by the following controls:
| Control | Detail |
|---|---|
| Session token entropy | 256-bit randomly generated session identifiers |
| Session storage | Server-side only; no session state is stored in the browser beyond a signed cookie |
| Cookie attributes | HttpOnly, Secure, SameSite=Lax on all session cookies |
| Session timeout | Active sessions expire after 24 hours of inactivity |
| Concurrent sessions | Multiple concurrent sessions are permitted; each is independently revocable |
| Session revocation | Users can view and revoke all active sessions from Account Settings > Security > Active Sessions |
| Forced logout | Removing a member from a workspace immediately invalidates all their active sessions for that workspace |
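The table above can be read as a small specification. The following is an added illustration, not CTFFactory's own code: a server-side session store with 256-bit identifiers, the listed cookie attributes, a 24-hour inactivity timeout, per-session revocation, and the forced logout applied when a member is removed from a workspace. The class, method names, and injectable clock are assumptions made for the example.

```python
import secrets
import time

INACTIVITY_LIMIT = 24 * 60 * 60  # 24 hours of inactivity, as in the table


class SessionStore:
    """Server-side session table; the browser only ever holds the opaque id."""

    def __init__(self, clock=time.time):
        self._clock = clock          # injectable so expiry can be tested
        self._sessions = {}          # session_id -> record

    def create(self, user_id, workspace_id):
        session_id = secrets.token_urlsafe(32)   # 32 bytes = 256 bits of entropy
        self._sessions[session_id] = {
            "user": user_id, "workspace": workspace_id, "last_seen": self._clock()}
        return session_id

    @staticmethod
    def cookie_header(session_id):
        # Cookie attributes from the table: HttpOnly, Secure, SameSite=Lax
        return f"Set-Cookie: sid={session_id}; Path=/; HttpOnly; Secure; SameSite=Lax"

    def validate(self, session_id):
        """Return the live record (refreshing the inactivity timer) or None."""
        rec = self._sessions.get(session_id)
        if rec is None:
            return None
        now = self._clock()
        if now - rec["last_seen"] > INACTIVITY_LIMIT:
            del self._sessions[session_id]       # expired through inactivity
            return None
        rec["last_seen"] = now
        return rec

    def revoke(self, session_id):
        """Revoke one session independently of the user's other sessions."""
        return self._sessions.pop(session_id, None) is not None

    def revoke_for_member(self, user_id, workspace_id):
        """Forced logout: drop every session this user holds in the workspace."""
        doomed = [sid for sid, r in self._sessions.items()
                  if r["user"] == user_id and r["workspace"] == workspace_id]
        for sid in doomed:
            del self._sessions[sid]
        return len(doomed)

    def active_sessions(self, user_id):
        """What the Active Sessions page would list for a user."""
        return [sid for sid, r in self._sessions.items() if r["user"] == user_id]
```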
CSRF Protection
All state-modifying requests (POST, PATCH, PUT, DELETE) through the web application require a valid CSRF token, implemented using the Synchronizer Token Pattern. CSRF tokens are:
- Generated per session on the server
- Embedded in every form and included in AJAX request headers via the application's front-end framework
- Validated server-side before any mutation is processed
API requests authenticated with Bearer tokens are exempt from CSRF token requirements: a forged cross-site request (a form submission or other simple request) cannot carry an Authorization header, and a browser will only attach one to a cross-origin request after a CORS preflight that the API must explicitly approve.
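As an added example (not CTFFactory's implementation), the check below applies the Synchronizer Token Pattern described above: one token per session kept server-side, required on POST/PATCH/PUT/DELETE, accepted from a form field or a request header, compared in constant time, and skipped for Bearer-authenticated requests. The header name X-CSRF-Token and the dict-shaped request are assumptions for the example.

```python
import hmac
import secrets

STATE_CHANGING = {"POST", "PATCH", "PUT", "DELETE"}


def issue_csrf_token(session):
    """Generate the per-session token once and keep it server-side."""
    if "csrf_token" not in session:
        session["csrf_token"] = secrets.token_urlsafe(32)
    return session["csrf_token"]


def csrf_check(method, headers, form, session):
    """Return True if the request may proceed, False if it must be rejected."""
    if method.upper() not in STATE_CHANGING:
        return True                      # reads never need the token
    # Bearer-authenticated API calls are exempt: a forged cross-site request
    # cannot carry an Authorization header without an approved CORS preflight.
    if headers.get("Authorization", "").startswith("Bearer "):
        return True
    expected = session.get("csrf_token")
    if not expected:
        return False                     # no token issued: cannot be a legitimate form post
    supplied = headers.get("X-CSRF-Token") or form.get("csrf_token")
    if not supplied:
        return False
    # Constant-time comparison so the token cannot be guessed byte by byte
    return hmac.compare_digest(supplied, expected)
```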
Audit Logs
CTFFactory maintains a comprehensive audit log of administrative and security-relevant actions within each workspace. Audit logs are available to Owners and Admins under Workspace Settings > Audit Log.
Logged events include, but are not limited to:
- Member invited, accepted invitation, removed
- Role changed for a member
- SSO configuration created, updated, or deleted
- SSO enforcement enabled or disabled
- Custom domain added, verified, or removed
- API key created or revoked
- Webhook registered, updated, or deleted
- CTF event deployed or stopped
- Workspace settings changed (name, branding, billing)
- MFA enforcement policy changed
- Audit log exported
Each log entry records the acting user's ID and display name, the action performed, a timestamp (UTC), the affected resource, and the source IP address. Audit logs are retained for 12 months and cannot be deleted or modified by any workspace member, including the Owner.
Audit logs can be exported as CSV or JSON from the settings page or via the API (GET /api/v1/audit-log, requires ctf:admin scope).
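The exported log is most useful when something reads it routinely. As an added example (not a CTFFactory tool), the script below takes a JSON export in the shape described above, pulls out the actions from the list that most deserve review, and flags actors seen from more than one source IP. The field names and action identifiers are assumptions, and the embedded records are constructed sample data, not a real export.

```python
import json
from collections import defaultdict

# Actions from the "Logged events" list that usually deserve a human look.
# Identifiers are assumed; the real export's action names are not documented here.
HIGH_RISK_ACTIONS = {
    "sso_enforcement.disabled",
    "mfa_enforcement.changed",
    "member.role_changed",
    "api_key.created",
    "audit_log.exported",
}

# Constructed sample export (field names assumed): actor id and display name,
# action, UTC timestamp, affected resource, source IP.
SAMPLE_EXPORT = json.dumps([
    {"timestamp": "2024-05-01T09:00:00Z", "actor_id": "u_1", "actor_name": "Alice",
     "action": "member.invited", "resource": "user:bob@example.com", "source_ip": "203.0.113.10"},
    {"timestamp": "2024-05-01T09:05:00Z", "actor_id": "u_1", "actor_name": "Alice",
     "action": "mfa_enforcement.changed", "resource": "workspace:w_1", "source_ip": "203.0.113.10"},
    {"timestamp": "2024-05-01T23:40:00Z", "actor_id": "u_2", "actor_name": "Bob",
     "action": "api_key.created", "resource": "api_key:k_9", "source_ip": "198.51.100.7"},
    {"timestamp": "2024-05-01T23:41:00Z", "actor_id": "u_2", "actor_name": "Bob",
     "action": "sso_enforcement.disabled", "resource": "workspace:w_1", "source_ip": "192.0.2.55"},
    {"timestamp": "2024-05-01T23:42:00Z", "actor_id": "u_2", "actor_name": "Bob",
     "action": "audit_log.exported", "resource": "workspace:w_1", "source_ip": "192.0.2.55"},
])


def triage(export_text):
    """Return high-risk entries (in export order) and actors using several IPs."""
    entries = json.loads(export_text)
    high_risk = [e for e in entries if e["action"] in HIGH_RISK_ACTIONS]
    ips_by_actor = defaultdict(set)
    for e in entries:
        ips_by_actor[e["actor_id"]].add(e["source_ip"])
    multi_ip = sorted(a for a, ips in ips_by_actor.items() if len(ips) > 1)
    return {"high_risk": high_risk, "multi_ip_actors": multi_ip}


if __name__ == "__main__":
    result = triage(SAMPLE_EXPORT)
    for e in result["high_risk"]:
        print(f'{e["timestamp"]} {e["actor_name"]} ({e["source_ip"]}) {e["action"]} {e["resource"]}')
    print("actors seen from more than one IP:", result["multi_ip_actors"])
```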
API Key Security
API keys are the primary credential for programmatic access. The following controls are applied:
- Keys are displayed in full only once at creation time; CTFFactory stores only a bcrypt hash
- Keys can be scoped to specific capabilities; the ctf:admin scope should be granted sparingly
- Keys can be set to expire on a specific date
- All API key usage is logged and contributes to rate limit accounting
- Workspace Owners can revoke any key in the workspace at any time
- Compromised keys should be revoked immediately; there is no "pause" state
If you suspect a key has been compromised, revoke it immediately from Account Settings > API Keys or Workspace Settings > API Keys, then generate a replacement.
Encryption
| Layer | Standard |
|---|---|
| Data at rest | AES-256 (database and object storage) |
| Data in transit | TLS 1.2 minimum; TLS 1.3 preferred |
| Key management | Dedicated KMS within the Canadian hosting region |
| Password hashing | Argon2id |
| API key hashing | bcrypt |
| Open Badge signatures | Ed25519 |
Responsible Disclosure
CTFFactory operates a responsible disclosure program. If you discover a security vulnerability in the platform, please report it privately to:
[email protected]
Include a clear description of the vulnerability, steps to reproduce, and your assessment of the potential impact. We commit to:
- Acknowledging receipt within 2 business days
- Providing a status update within 7 business days
- Notifying you when the vulnerability is resolved
We ask that you do not publicly disclose the vulnerability until we have had a reasonable opportunity to address it. We will credit researchers in our security acknowledgements (with permission) upon disclosure.
Scope: In-scope targets include app.ctffactory.io, api.ctffactory.io, and any infrastructure directly operated by CTFFactory. Deployed CTFd instances running on behalf of customers and third-party sub-processors are out of scope.