Security is not a feature — it's the foundation
Every layer of meshr is designed with security first. Here's how we protect your infrastructure.
Defense in Depth
- Certificate-based auth, short-lived tokens, mTLS
- Every connection evaluated against ZTNA rules
- All traffic encrypted with modern cryptography
- Every action logged, SSH sessions recorded
- Peer-to-peer with relay fallback, NAT traversal
How we keep you secure
Encryption
- End-to-end encrypted tunnels using modern cryptographic primitives
- All data encrypted at rest (AES-256 for recordings)
- mTLS for agent-to-controlplane communication
- Passwords hashed with bcrypt, tokens with SHA-256
Certificate Authority
- Per-organization SSH User CA and Host CA (Ed25519)
- Short-lived certificates: 12h user, 30d host
- No static SSH keys — certificates are automatically rotated
- Certificate revocation with instant effect
Zero Trust Access
- Every connection evaluated against policies in real-time
- Source/destination group-based rules with direction control
- Protocol and port filtering (ingress/egress/bidirectional)
- JIT privilege elevation with admin approval workflow
Audit & Compliance
- Full audit trail for every login, policy change, and connection
- SSH sessions recorded in encrypted asciicast v2 format
- HMAC-signed playback URLs (no tokens in URLs)
- Failed login tracking with rate limiting and account lockout
Responsible Disclosure
We take security vulnerabilities seriously. If you discover a security issue, please report it responsibly.
Report vulnerabilities to:
[email protected]
We aim to acknowledge reports within 24 hours and provide a fix timeline within 72 hours. We will not take legal action against researchers who follow responsible disclosure practices.