
Network security

How Le Bureau secures connections with CSP headers, rate limiting, TLS, and WebSocket authentication.


Overview

Le Bureau applies multiple layers of network security. All connections are encrypted, all requests are validated, and all endpoints are protected against common web attacks.

Content Security Policy (CSP)

Le Bureau uses a nonce-based Content Security Policy to prevent cross-site scripting (XSS) attacks.

  • Every page request generates a unique, cryptographically random nonce.
  • Only scripts that carry this nonce are allowed to execute.
  • The policy uses 'strict-dynamic', which means a script trusted via the nonce can load additional scripts, while host-based allowlists are ignored and no inline code runs without the nonce.
  • Dynamic code evaluation (eval) is blocked in production.

Even if an attacker manages to inject HTML into a page, they cannot execute arbitrary JavaScript: the injected markup does not carry the nonce for that response, so the browser refuses to run any script it contains. This guarantee depends on nonces never being reused across responses and on nonce-bearing pages not being served from a cache.

Rate limiting

Rate limits protect against abuse:

Endpoint type          Limit          Window
General API requests   120 requests   1 minute
Failed API key auth    10 attempts    60 seconds per IP

When you exceed the general rate limit, requests return HTTP 429 (Too Many Requests). Wait briefly and retry.

For API key authentication, after 10 failed attempts from the same IP address within 60 seconds, that IP is temporarily blocked. This prevents brute-force attacks against API keys.
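The two limits above, as an added example that is not Le Bureau's own code: a fixed-window counter with an injectable clock, one instance per limit, and a hypothetical request gate that returns 429 when the general limit is exceeded and refuses further API-key attempts from an IP that has failed 10 times in the window. The limits are the documented ones; keying the general limit by client IP, the `verifyKey` stand-in and the exact response for a blocked IP are assumptions.

```javascript
// Added example (not Le Bureau's code): fixed-window rate limiting with an
// injectable clock so the documented limits can be exercised offline.
class WindowLimiter {
  constructor({ limit, windowMs, now = () => Date.now() }) {
    this.limit = limit;
    this.windowMs = windowMs;
    this.now = now;
    this.buckets = new Map(); // key -> { windowStart, count }
  }

  // Current bucket for a key, starting a fresh window when the old one ended.
  bucket(key) {
    const t = this.now();
    let b = this.buckets.get(key);
    if (!b || t - b.windowStart >= this.windowMs) {
      b = { windowStart: t, count: 0 };
      this.buckets.set(key, b);
    }
    return b;
  }

  // Count one event and report whether it stayed within the limit.
  hit(key) {
    const b = this.bucket(key);
    b.count += 1;
    const allowed = b.count <= this.limit;
    const retryAfterSec = allowed
      ? 0
      : Math.ceil((b.windowStart + this.windowMs - this.now()) / 1000);
    return { allowed, remaining: Math.max(0, this.limit - b.count), retryAfterSec };
  }

  // Non-mutating check: has this key already used up the current window?
  isExhausted(key) {
    const b = this.buckets.get(key);
    if (!b || this.now() - b.windowStart >= this.windowMs) return false;
    return b.count >= this.limit;
  }
}

// General API limit: 120 requests per minute per caller (keyed by IP here).
// Auth-failure limit: 10 failed API-key attempts per 60 s per IP.
function makeLimiters(now) {
  return {
    general: new WindowLimiter({ limit: 120, windowMs: 60_000, now }),
    authFail: new WindowLimiter({ limit: 10, windowMs: 60_000, now }),
  };
}

// Hypothetical request gate. `verifyKey` stands in for the real API-key
// lookup. Order matters: the general limit is counted for every request,
// the failed-auth block is consulted before any key is checked, and only
// genuine failures feed the failed-auth counter.
function gateRequest(limiters, { ip, apiKey }, verifyKey) {
  const g = limiters.general.hit(ip);
  if (!g.allowed) return { status: 429, retryAfter: g.retryAfterSec };
  if (limiters.authFail.isExhausted(ip)) {
    return { status: 429, reason: 'auth-blocked' }; // status for a blocked IP is an assumption
  }
  if (!verifyKey(apiKey)) {
    limiters.authFail.hit(ip);
    return { status: 401 };
  }
  return { status: 200 };
}
```

A fixed window lets a client burst up to twice the limit across a window boundary; a sliding window or token bucket closes that gap at the cost of more state per key.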

TLS encryption

All traffic between your browser and Le Bureau is encrypted with TLS. This applies to:

  • HTTPS -- all web pages and API requests
  • WebSocket (WSS) -- terminal and VNC connections
  • API calls -- every REST endpoint

No endpoint is served over plain HTTP. Requests that arrive over HTTP are not answered in the clear; they are redirected to the HTTPS equivalent.

Internally, connections between our own servers use scoped TLS configurations. This does not affect user-facing connections.

WebSocket security

The terminal and VNC viewer use WebSocket connections for real-time communication. Every WebSocket connection requires a valid session; unauthenticated connections are rejected immediately. All WebSocket traffic is encrypted via TLS (WSS). The server also verifies the origin header to prevent cross-site WebSocket hijacking.

VNC security

VNC connections to your desktop are proxied through our server, so your browser never connects directly to the VM. The VM's VNC port is not exposed to the internet. All VNC traffic passes through an authenticated, encrypted channel, and only the desktop owner can connect to their VM's display.
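The checks from the WebSocket and VNC sections above, as an added example that is not Le Bureau's own code: an upgrade guard that rejects a handshake with a foreign or missing Origin, rejects one without a valid session cookie, and, for a VNC socket, refuses a session that does not own the requested desktop. The cookie name `sid`, the session record shape, the allowed-origin list and the `/vnc/<desktopId>` path scheme are assumptions; the `server.on('upgrade', ...)` event and `wss.handleUpgrade` are the real Node `http` and `ws` APIs.

```javascript
// Added example (not Le Bureau's code): authorize a WebSocket upgrade before
// the handshake completes. Session store, cookie name, origin list and the
// VNC path scheme are assumptions for the demo.
const ALLOWED_ORIGINS = new Set(['https://app.example.com']); // assumed deployment origin
const VNC_PATH = /^\/vnc\/([A-Za-z0-9_-]+)$/;                 // assumed URL scheme

function parseCookies(header) {
  const out = {};
  for (const part of (header || '').split(';')) {
    const i = part.indexOf('=');
    if (i > 0) out[part.slice(0, i).trim()] = part.slice(i + 1).trim();
  }
  return out;
}

// Returns { ok: true, session } or { ok: false, status, reason }.
function authorizeUpgrade(req, sessions, allowedOrigins = ALLOWED_ORIGINS, now = () => Date.now()) {
  const h = req.headers || {};
  if ((h.upgrade || '').toLowerCase() !== 'websocket') {
    return { ok: false, status: 400, reason: 'Not a WebSocket upgrade' };
  }

  // Origin first. Browsers always send it on a WebSocket handshake and page
  // scripts cannot forge it, so a foreign origin is a cross-site WebSocket
  // hijacking attempt. A missing Origin is rejected too; non-browser clients
  // would need a separate, explicitly authenticated path (assumption).
  const origin = h.origin;
  if (!origin || !allowedOrigins.has(origin)) {
    return { ok: false, status: 403, reason: 'Forbidden origin' };
  }

  // Then the session: the cookie rides along with the upgrade request, but
  // the browser's same-site rules do not protect a WebSocket, which is why
  // the origin check above is not optional.
  const sid = parseCookies(h.cookie).sid;
  const session = sid ? sessions.get(sid) : undefined;
  if (!session || session.expires <= now()) {
    return { ok: false, status: 401, reason: 'Unauthorized' };
  }

  // VNC sockets name a desktop in the path; only its owner may attach.
  const m = VNC_PATH.exec(req.url || '');
  if (m && !(session.desktops || []).includes(m[1])) {
    return { ok: false, status: 403, reason: 'Not the desktop owner' };
  }
  return { ok: true, session };
}

// Wiring for a Node http.Server plus the `ws` package: write a bare HTTP
// error on the raw socket and close it, so a rejected client never gets a
// WebSocket at all. Not exercised by the offline test.
function installUpgradeGuard(server, sessions, wss) {
  server.on('upgrade', (req, socket, head) => {
    const v = authorizeUpgrade(req, sessions);
    if (!v.ok) {
      socket.write(`HTTP/1.1 ${v.status} ${v.reason}\r\nConnection: close\r\n\r\n`);
      socket.destroy();
      return;
    }
    wss.handleUpgrade(req, socket, head, (ws) => wss.emit('connection', ws, req, v.session));
  });
}
```

Rejecting at the upgrade stage rather than after `connection` matters: once `handleUpgrade` has run, the client already holds an open socket and every later check is a race against the first frame it sends.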

IP and host protection

Le Bureau does not expose internal IP addresses, server hostnames, or infrastructure details in HTTP responses. The X-Powered-By header is disabled. Error messages do not leak stack traces or internal paths.

Practical notes

  • All your connections are encrypted. You do not need a VPN.
  • Rate limits apply equally to all users. If you are building an integration, design it to handle 429 responses gracefully.
  • CSP may block inline scripts if you are embedding Le Bureau content. Contact us if you have an integration use case that requires policy adjustments.
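For the rate-limit note above, an added example that is not part of Le Bureau's SDK or documentation: a fetch wrapper for integrations that treats HTTP 429 as a signal to wait, honouring a numeric Retry-After header when one is present and otherwise backing off exponentially with jitter, and giving up after a bounded number of retries. The API URL, the default delays and the injectable `fetchImpl`/`sleep`/`random` hooks are assumptions made so the logic runs offline.

```javascript
// Added example (not Le Bureau's SDK): retry on 429 with Retry-After or
// jittered exponential backoff. Hooks are injectable for offline testing.
async function fetchWithBackoff(url, opts = {}, {
  fetchImpl = globalThis.fetch,
  sleep = (ms) => new Promise((resolve) => setTimeout(resolve, ms)),
  random = Math.random,
  maxRetries = 5,       // assumed defaults
  baseDelayMs = 500,
  maxDelayMs = 30_000,
} = {}) {
  const attempts = []; // record of each 429 and the delay chosen, for logging/metrics
  for (let attempt = 0; ; attempt++) {
    const res = await fetchImpl(url, opts);
    if (res.status !== 429 || attempt >= maxRetries) {
      // Success, a non-rate-limit error, or out of retries: hand it back unchanged.
      return { response: res, attempts };
    }
    const ra = res.headers && typeof res.headers.get === 'function'
      ? res.headers.get('retry-after')
      : null;
    let delayMs;
    if (ra && /^\d+$/.test(ra.trim())) {
      delayMs = Number(ra.trim()) * 1000; // delay-seconds form of Retry-After
    } else {
      // Equal jitter: pick uniformly from [exp/2, exp) so many clients that
      // were limited together do not all retry in the same instant.
      const exp = Math.min(maxDelayMs, baseDelayMs * 2 ** attempt);
      delayMs = Math.floor(exp * (0.5 + random() * 0.5));
    }
    attempts.push({ attempt, delayMs });
    await sleep(delayMs);
  }
}
```

Only 429 is retried here; a 401 from the API-key check is never retried, because repeating a failed key is exactly what the failed-auth limit on this page is designed to block.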