Security Model

Local HTTPS (TLS 1.3)

When using the --https flag, Beam generates self-signed certificates and serves your local traffic over TLS 1.3:

• Key Exchange: ECDHE with X25519 curve
• Encryption: AES-256-GCM authenticated encryption
• Forward Secrecy: New keys for each session; past traffic can't be decrypted

Tor Encryption (3 Layers)

When using Tor mode, traffic is encrypted in three layers, one for each relay:

• Onion Routing: Each relay decrypts one layer, revealing only the next hop
• Hidden Service Keys: Ed25519 for service identity, Curve25519 for sessions
• Circuit Encryption: AES-CTR with fresh keys for each circuit

Hidden Service Keys

Your .onion address is derived from an Ed25519 public key. These keys are:

• Generated locally on first run using a cryptographically secure random number generator
• Stored in ~/.beam/keys/ with filesystem permissions (600)
• Never transmitted over the network except as part of the Tor protocol
• Reused across sessions so you keep the same .onion address

Session Keys

For each tunnel session and connection:

• Ephemeral keys are generated using Diffie-Hellman key exchange
• Keys exist only in memory and are never persisted to disk
• Tor circuits are rebuilt periodically (every ~10 minutes) with new keys
• Compromise of session keys doesn't affect past traffic (forward secrecy)

TLS Certificates

For local HTTPS, Beam generates self-signed certificates:

• Created on-demand for each domain you configure
• Stored in ~/.beam/certs/
• Valid for 1 year; regenerated automatically when expired
• Your browser will show a warning since they're not CA-signed (expected for development)

No Data Collection

• No analytics, telemetry, or usage tracking of any kind
• No request logging—Beam doesn't store what URLs you access
• No IP address collection—your location is never recorded
• No "phone home" behavior—Beam doesn't contact any servers except for npm updates

IP Anonymization (Tor Mode)

• Your real IP is hidden from clients connecting to your tunnel
• Client IPs are hidden from you (mutual anonymity)
• Network observers see only encrypted Tor traffic, not the content
• Even Tor relays can't see both source and destination

Local-First Design

• All processing happens on your machine
• Configuration stored locally in ~/.beam/
• No cloud accounts, subscriptions, or external dependencies
• Works completely offline in local-only mode

Protected Threats

• Network eavesdropping: Encrypted traffic can't be read by ISPs, network admins, or attackers on the same WiFi
• Man-in-the-middle attacks: TLS and Tor cryptography prevent traffic interception and modification
• IP address exposure: Tor mode hides your real IP from clients and observers
• Traffic analysis: Tor's multi-hop routing makes it hard to correlate traffic patterns
• Vendor surveillance: No central service sees your traffic or collects your data
• Service disruption: No central point of failure; tunnels work as long as Tor does

Partial Protection

• Timing attacks: Tor provides some protection against traffic timing analysis, but sophisticated adversaries with global network visibility may still correlate traffic patterns.
• Application vulnerabilities: Beam secures the transport layer. If your application has security bugs (XSS, SQL injection, etc.), Beam doesn't protect against those.

Not Protected

• Endpoint compromise: If your development machine is compromised by malware, encryption won't help—the attacker has access before encryption happens.
• Social engineering: If you share your .onion URL publicly or with untrusted parties, they can access your tunnel. Treat .onion URLs like passwords.
• Nation-state adversaries: Highly resourced adversaries with extensive surveillance capabilities may be able to deanonymize Tor users through advanced techniques. For most development use cases, this is not a realistic threat.