Security overview

Hyperterse is designed with security as a baseline. This section covers the security model and best practices for production deployments.

Feature                    Description
Credential Protection      Connection strings never exposed in API responses
Input Validation           All inputs validated and typed before execution
SQL Injection Prevention   Template substitution with proper escaping
Error Sanitization         Internal errors never leaked to clients
Declarative Access         Only defined queries can be executed

┌────────────────┐              ┌─────────────────────┐
│     Client     │              │     Hyperterse      │
│   (REST/MCP)   │───Request───▶│                     │
│                │              │  ┌───────────────┐  │
│ Cannot access: │              │  │     Input     │  │
│ - SQL queries  │              │  │  Validation   │  │
│ - Credentials  │              │  └───────┬───────┘  │
│ - Schema       │              │          │          │
└────────────────┘              │  ┌───────▼───────┐  │
                                │  │     Query     │  │
                                │  │   Execution   │  │
                                │  └───────────────┘  │
                                │                     │
                                │ Connection strings  │
                                │  never leave here   │
                                └─────────────────────┘

Connection security

Protect credentials and database connections.

Production hardening

Best practices for production deployments.

Connection strings are stored in the Hyperterse configuration and never exposed:

  • Not in API responses
  • Not in OpenAPI documentation
  • Not in MCP tool descriptions
  • Not in error messages
  • Not in generated llms.txt

Raw SQL is also protected:

  • Clients call named queries, not SQL
  • Query statements are not exposed in API responses
  • Only validated inputs are substituted

Database schema stays hidden:

  • Table names not exposed
  • Column names only visible if returned in results
  • Database errors are wrapped

Clients can access:

  • Query names and descriptions
  • Input parameter names, types, and descriptions
  • Output field names (if defined in data section)
  • Query results
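
The access model described above (named queries only, typed inputs, wrapped database errors) can be sketched as follows. This is an added example, not Hyperterse code or its API. The names QUERIES, run_query and QueryError and the users table are hypothetical, and it uses SQLite parameter binding in place of Hyperterse's own template substitution.

```python
import sqlite3

# Hypothetical registry: the only statements a client can reach, keyed by name.
QUERIES = {
    "get_user_by_id": {
        "sql": "SELECT id, name FROM users WHERE id = :id",
        "inputs": {"id": int},
    },
    "find_users_by_name": {
        "sql": "SELECT id, name FROM users WHERE name = :name",
        "inputs": {"name": str},
    },
    # Deliberately broken statement, used to show error wrapping.
    "broken_report": {"sql": "SELECT * FROM missing_table", "inputs": {}},
}

class QueryError(Exception):
    """Client-facing error; carries no SQL, schema or driver detail."""

def make_db():
    # Constructed sample data in an in-memory database.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)", [(1, "alice"), (2, "bob")])
    return db

def run_query(db, name, inputs):
    spec = QUERIES.get(name)
    if spec is None:
        raise QueryError("unknown query")  # clients cannot send their own SQL
    if set(inputs) != set(spec["inputs"]):
        raise QueryError("unexpected or missing input")
    for key, expected in spec["inputs"].items():
        # Exact type match, so "1 OR 1=1" (str) and True (bool) fail for an int input.
        if type(inputs[key]) is not expected:
            raise QueryError(f"input '{key}' must be {expected.__name__}")
    try:
        # Values are bound as parameters and never become part of the SQL text.
        cur = db.execute(spec["sql"], inputs)
        cols = [c[0] for c in cur.description]
        return [dict(zip(cols, row)) for row in cur.fetchall()]
    except sqlite3.Error:
        # The driver error (which names the table) stays server-side.
        raise QueryError("query failed") from None
```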

Hyperterse provides application-layer security. You still need:

  • Network security — Firewalls, VPCs, etc.
  • Authentication — User identity verification
  • Authorization — Access control per user/role
  • Rate limiting — Request throttling
  • TLS/SSL — Transport encryption

For production, place Hyperterse behind a reverse proxy that handles these concerns.