ProductFeaturesDocs
Built InUI ComponentsAdmin ConsoleDatabaseBackendStorageAIRAGAuthSecurity
CompanyStoryAboutPricingBlogRoadmap
Install FLIN
Security-first architecture

Built Secure by Default

FLIN is a single Rust binary with zero external dependencies. No node_modules/, no supply chain attacks, no dependency confusion. Every security feature is compiled in — not bolted on.

Defense in Depth

Six layers of security, all built into the language. No packages to install, no middleware to configure.

Route Guards

Declarative pre-route authorization: auth, role, csrf, rate_limit, and ip_whitelist. Guards execute before handlers — failed checks return 403 automatically.

Rate Limiting

Per-key, per-IP, and per-user rate limiting with sliding window tracking. Built into the runtime — no Redis, no external rate limiter, no reverse proxy configuration.

CSRF Protection

Automatic token generation and constant-time verification. Add csrf: required to any route guard and FLIN handles the rest — token injection, header validation, timing-safe comparison.

Cryptography

Native functions for bcrypt_hash(), aes_encrypt(), jwt_encode(), hmac(), sha256(), md5(), and totp_secret(). Production-grade crypto without external libraries.

Security Headers

Built-in functions for Content Security Policy, CORS, HSTS, cache control, X-Frame-Options, and X-Content-Type-Options. Set them in middleware or per-route.

Middleware System

File-based middleware with path matchers and excludes. Runs before every matched route — perfect for auth checks, logging, header injection, and request transformation.

Guards and Middleware

Protect routes declaratively. No middleware spaghetti, no app.use() chains. Guards are part of the route definition.

app/api/users.flin
// Route guards — declarative, composable, built in
route POST /api/users {
    guards { auth: required, csrf: required }
    validate {
        email: text @required @email
        name: text @required @minLength(2)
        password: text @required @minLength(8)
    }
    user = User {
        email: body.email,
        name: body.name,
        password: bcrypt_hash(body.password)
    }
    save user
    response.created(user)
}
app/_middleware.flin
// File-based middleware — one file protects all matched routes
middleware {
    matcher: ["/dashboard/**", "/settings", "/api/**"]
    exclude: ["/", "/login", "/register", "/api/health"]

    if session.user == none {
        redirect("/login")
    }
    next()

    // Post-handler: runs AFTER route
    set_header("X-Powered-By", "FLIN")
}

Production-Grade Cryptography

Native functions for every common security operation. No npm install crypto-js. No pip install cryptography. Just call the function.

Built-in Crypto Functions
// Password hashing — bcrypt with auto salt
hash = bcrypt_hash("user_password")
valid = bcrypt_verify("user_password", hash)

// AES-256-GCM encryption
encrypted = aes_encrypt(data, secret_key)
decrypted = aes_decrypt(encrypted, secret_key)

// JWT tokens
token = jwt_encode(payload, secret, 86400)
claims = jwt_decode(token, secret)

// HMAC and hashing
signature = hmac(data, key, "sha256")
digest = sha256(data)

// TOTP two-factor authentication
secret = totp_secret()
valid = totp_verify(secret, code)

// Unique identifiers
id = uuid()

bcrypt

Deliberately slow hashing algorithm. Resistant to brute-force and rainbow table attacks. Auto-salted on every call.

AES-256-GCM

Military-grade authenticated encryption. Encrypts and authenticates data in a single operation. Tamper detection built in.

JWT

Token-based authentication with configurable expiry and custom claims. Encode, decode, and verify — all native functions.

Crash-Safe Data Storage

FlinDB is designed so your data survives crashes, power failures, and unexpected shutdowns. Every write is journaled, checksummed, and recoverable.

Write-Ahead Log

Every mutation is written to a WAL before being applied. If the process crashes mid-write, the WAL replays on next startup to restore consistency. Zero data loss.

CRC-32 Checksums

Every WAL entry is checksummed to detect corruption on read. Bit flips, partial writes, and storage errors are caught before they propagate.

File Locking

Exclusive file locks prevent concurrent access corruption across processes. Only one instance can write to the database at a time.

Auto-Checkpointing

FlinDB compacts the WAL into per-entity data files after configurable thresholds (default: 50 entries or 512 KB). Keeps the WAL lean and recovery fast.

Automatic Backups

Timestamped backups on every checkpoint — max one per hour, retaining the 5 most recent. Export and restore from the admin console.

Per-Entity Files

Each entity type gets its own .flindb file under .flindb/data/. Targeted recovery, efficient I/O, and simple backups.

Admin Console Security

Every FLIN app ships with an admin console at /_flin. Access is protected by multiple layers — no default credentials ship in production.

Setup Wizard

On first access, a guided setup creates the admin account with a strong password requirement. Email + password, optional 2FA — complete in 3 steps.

Session Tokens

64-character hex tokens stored server-side with 24-hour expiry. Not cookie-based — cryptographically generated via secure random.

Two-Factor Auth

Enable 2FA via email OTP or WhatsApp OTP during setup or in security settings. 6-digit codes with 10-minute expiry.

Request Validation

43 declarative validators enforce constraints at the framework level. Invalid requests never reach your business logic.

Validation Decorators
validate {
    email: text @required @email
    name: text @required @minLength(2) @maxLength(100)
    age: int @min(0) @max(150)
    role: text @one_of("user", "admin", "moderator")
    avatar: file @max_size("5MB") @extension(".jpg", ".png")
    website: text @url
    password: text @required @minLength(8)
}

Zero Dependency Supply Chain

FLIN is distributed as a single Rust binary. The entire runtime — server, database, template engine, components, icons, and admin console — is compiled into one executable.

No Supply Chain Attacks

No npm install, no pip install, no node_modules/. There are zero third-party packages to compromise at install time.

Minimal Attack Surface

No JavaScript runtime, no Python interpreter, no dynamically loaded plugins. One binary, one process, one attack surface to audit.

Reproducible Builds

Same source, same binary. No transitive dependency surprises. No phantom package updates breaking production at 3 AM.

Simple Auditing

One binary to verify — not 1,847 packages in a dependency tree. Security audits are measured in hours, not weeks.

Reporting Vulnerabilities

We take security seriously. If you discover a vulnerability, we want to hear about it.

Report security vulnerabilities by emailing [email protected]. We respond to all reports within 48 hours.

Please include a description of the vulnerability, steps to reproduce it, and relevant environment details (OS, FLIN version, configuration).

Responsible Disclosure

  • We acknowledge receipt within 48 hours.
  • We investigate and provide a timeline for a fix.
  • We release a patched version and notify affected users.
  • We credit the reporter (unless they prefer to remain anonymous).

We ask that reporters avoid public disclosure until a fix is available. We are committed to working with the security community to keep FLIN safe for everyone.

Secure by Default. Secure by Design.

No dependencies to patch. No middleware to configure. No security plugins to install. Just write .flin files and ship with confidence.

Authentication Documentation