Security isn't an afterthought. It's the foundation.
Every application on Frameworx ships with security best practices enforced by default, continuous vulnerability scanning, and a structured path from detection to remediation. No configuration required to get started.
Strong security defaults. Zero configuration required.
Every app on Frameworx ships with a hardened security baseline. These controls aren't optional extras — they're enforced from the moment your application goes live. You can adjust them, but you can't accidentally leave them off.
We believe that security shouldn't depend on your team remembering to configure it correctly. Frameworx applies the principle of least privilege across every layer: accounts start with minimal permissions, features require explicit opt-in, and every privileged action is logged before it executes.
- MFA enforced for all users — cannot be disabled globally
- Rate limiting on all authentication endpoints
- Brute-force protection with automatic account lockout
- Session timeout with server-side session management
- Secure HTTP headers: CSP, HSTS, X-Frame-Options, Referrer-Policy
- TLS 1.3 enforced — older protocols not accepted
- Data encrypted in transit and at rest by default
- All privileged actions logged before and after execution
Role-based access control with MFA and session management
Frameworx enforces fine-grained access control across every platform surface. Who can do what is explicit, auditable, and configurable.
Multi-Factor Authentication
TOTP-based MFA is required for all users. Backup codes are generated at enrollment. Administrators can enforce MFA re-verification before sensitive actions like billing changes or bulk user operations.
Role-Based Access Control
Roles are defined at the tenant level and scoped per application. The principle of least privilege applies: users start with no permissions and are granted only what their role requires. Role changes are logged.
Session Management
Sessions are stored server-side with configurable timeout windows. Users can be globally signed out by administrators. Sessions are invalidated immediately on password change or MFA re-enrollment.
Automated CVE detection with a structured findings workflow
Frameworx continuously monitors your application's dependencies, containers, and infrastructure for known vulnerabilities. New CVEs are matched against your installed packages in real time. Every finding is classified and tracked through to resolution.
- Continuous matching against CVE databases across major package ecosystems
- Container image and base OS scanning for installed package vulnerabilities
- Severity classification: low, medium, high, critical
- Findings dashboard with filter, sort, and bulk actions
- Each finding links to CVE details, affected component, and remediation options
- Finding status tracked: open, acknowledged, in remediation, resolved
- Historical findings retained for trend analysis and audit purposes
Controlled patch management with risk classification
Unpatched systems are the most common vector for exploits. Frameworx scans your app's runtime environment for available OS and package updates on your configured schedule, classifies each update's risk, and provides a controlled workflow for review and application.
Automated Scan
Scans detect all available OS and package updates on your configured schedule or on demand. Results are grouped by package and sorted by risk severity.
Risk Classification
Each update is classified as low, medium, high, or critical based on associated CVE data, package change notes, and dependency impact analysis.
Review & Approval
You or the Frameworx team (on managed plans) review the proposed updates. Approve selected packages, reject others, or defer for later review.
Controlled Application
Approved updates are applied through a controlled rollout. Post-apply health checks confirm stability. Rollback is available if checks fail.
AI-assisted code analysis that goes beyond pattern matching
Frameworx uses Claude to analyze your application code for security vulnerabilities, logic flaws, and insecure configurations. Unlike traditional static analysis tools that match patterns, Claude understands the intent of your code and the data flows between components.
SQL Injection Risk: User-supplied input passed directly to query builder without parameterization. An attacker could inject arbitrary SQL through the username field.
// Replace:
db.query(`SELECT * FROM users WHERE username='${input}'`)
// With:
db.query('SELECT * FROM users WHERE username=?', [input])
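To show why the suggested fix closes the hole in the SQL injection finding above, here is an added JavaScript example; it is not Frameworx code or scanner output. bindQuery is a stand-in for a driver's placeholder binding, and the two inputs are constructed samples.

```javascript
// Added example, not Frameworx code: the interpolated statement changes with the input,
// while the parameterized statement text is fixed and the input travels as a value.

function vulnerableQuery(input) {
  // The "Replace:" form from the finding: input is spliced into the SQL text.
  return `SELECT * FROM users WHERE username='${input}'`;
}

function bindQuery(sql, params) {
  // Stand-in for a driver's db.query(sql, params): placeholders are counted and
  // bound, never substituted into the statement text.
  const placeholders = (sql.match(/\?/g) || []).length;
  if (placeholders !== params.length) {
    throw new Error(`expected ${placeholders} parameter(s), got ${params.length}`);
  }
  return { sql, params };
}

function parameterizedQuery(input) {
  // The "With:" form from the finding: the same statement text for every input.
  return bindQuery('SELECT * FROM users WHERE username=?', [input]);
}

// Counts quoted literals in a statement. A username carrying a quote adds literals
// to the interpolated statement, i.e. it changed the SQL grammar, not just a value.
function countLiterals(sql) {
  return (sql.match(/'[^']*'/g) || []).length;
}

// Constructed sample inputs.
const SAFE_INPUT = 'alice';
const HOSTILE_INPUT = "x' OR '1'='1"; // the textbook always-true WHERE clause

function demo() {
  const vuln = vulnerableQuery(HOSTILE_INPUT);
  const safe = parameterizedQuery(HOSTILE_INPUT);
  return {
    vulnSql: vuln,                     // WHERE username='x' OR '1'='1'
    vulnLiterals: countLiterals(vuln), // 3: the statement now has three literals
    safeSql: safe.sql,                 // unchanged placeholder statement
    safeParams: safe.params,           // the whole hostile string as one value
  };
}
```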
- Deep semantic analysis — understands logic, not just syntax
- Identifies injection flaws, auth bypass, and privilege escalation paths
- Detects insecure configuration and exposed credentials
- Finds logic errors that create exploitable conditions in multi-step flows
- Plain-language explanations of each finding and its impact
- Specific, actionable fix suggestions with code examples
- Optional auto-remediation with approval workflow — you always approve first
- Scheduled scans or triggered on deployment events
Every fix goes through an approval gate
No action is taken on your application without explicit approval. Frameworx generates structured remediation plans and presents them for review. You decide what gets applied — or let the Frameworx team decide on your behalf.
Finding Generated
A scan or AI review produces a classified security finding with severity, affected component, and CVE reference where applicable.
Plan Created
An AI-generated remediation plan is attached to the finding. The plan describes the fix, its risk level, expected outcome, and any dependencies.
Approval Required
The plan waits for explicit approval. On Managed Copilot plans, the Frameworx team reviews it. On Self-Managed plans, your admin team approves.
Applied & Verified
The approved fix is applied. Post-remediation health checks confirm stability. The action and outcome are recorded in the audit trail.
Complete Audit Trail
Every action across the Frameworx platform is logged: who initiated it, when it occurred, from which IP address, what was changed, and what the result was. The audit trail is append-only and cannot be modified after the fact.
- All admin and user actions captured, including read access to sensitive resources
- Approval and rejection events recorded with actor identity
- IP address and user agent logged for every authenticated request
- Remediation execution logs with before/after state
- Audit log exportable for external review or compliance purposes
Security Visibility Dashboard
The Frameworx security dashboard gives you a consolidated view of your application's security posture — open findings, pending updates, recent remediation activity, and current security policy configuration — all in one place.
- Open vulnerability findings by severity, sorted by age and risk
- Pending OS and package updates with risk classification
- Recent Claude Code scan results and finding counts
- Active security policies and any deviations from baseline
- Timeline view of all security events for the current period
Secure custom domains with automatic SSL
When you bring a custom domain to Frameworx, we provision and manage the full TLS certificate lifecycle. Your domain is never left with an expired or improperly configured certificate.
ACME SSL via Let's Encrypt
Certificates are provisioned automatically through the ACME protocol. No manual CSR generation or annual renewal fees. Certificates are renewed before expiry without intervention.
TLS 1.3 Enforced
All custom domain endpoints enforce TLS 1.3 as the minimum version. Older cipher suites are not accepted. HSTS headers ensure browsers remember the HTTPS policy.
NPM Proxy Routing
Traffic is routed through Nginx Proxy Manager, which applies security headers, handles SSL termination, and enforces HTTP-to-HTTPS redirects for all custom domains.