November 2025

Sunday, November 30, 2025

November was a security-focused month at Phase. We completed our external penetration test with Oneleet and remediated all findings, achieved SOC 2 Type II compliance, shipped Okta OIDC SSO, and hardened the platform across the board. Here's a full recap.


Okta OIDC SSO

Phase now supports Okta as an identity provider via OpenID Connect. Enterprise teams can integrate Phase with their existing Okta identity management, enabling centralized authentication and access control.

Once configured, team members can log into Phase using their Okta credentials, with automatic user provisioning based on OIDC claims. Standard Okta user attributes (name, email) are synced to Phase accounts.

Check out the Okta OIDC setup guide for instructions on configuring the integration.

Available in Console v2.55.0.


SOC 2 Type II Compliance

Phase completed its SOC 2 Type II audit, achieving full compliance. This marks a significant milestone for the platform, validating our security controls, operational processes, and data protection practices.

We wrote about the journey in a blog post: Speedrunning a SOC 2 Type II Audit. SOC 2 badges have been added to the Phase website and documentation.


External Penetration Test — Full Remediation

We commissioned an external penetration test through Oneleet on the Phase platform. All findings were identified and remediated within the same month. Here's a summary of what was found and fixed:

Note: Due to Phase's end-to-end encryption architecture, none of these vulnerabilities could have been used to access the plaintext content of user secrets. These fixes are part of our defense-in-depth approach — hardening every layer regardless of the cryptographic guarantees already in place.

Critical & High:

  • IDOR in BulkProcessSecrets — Fixed an insecure direct object reference that could allow unauthorized access to secrets across environments through the bulk secret processing endpoint
  • Privilege escalation via user invites — Fixed an access control issue where a user could invite new members with permissions higher than their own
  • Privilege escalation via self-role update — Fixed a vulnerability allowing users to elevate their own role through profile update mutations

Medium:

  • GraphQL Alias Overloading DoS — Implemented custom Graphene validation rules to prevent resource exhaustion through alias overloading
  • GraphQL Field Duplication DoS — Added pre-execution validation to block field duplication attacks

Low:

  • Weak cipher suites — Removed outdated TLS cipher suites from the server configuration
  • Server header information disclosure — Removed server version information from HTTP response headers

Self-hosting nginx improvements — Updated the recommended nginx configuration for self-hosted deployments with improved security headers and proxy settings. The Phase backend now references the X_REAL_IP HTTP header for client IP detection. Check the docs for the updated configuration.

Security fixes are available in Console v2.54.1 and v2.54.2.


Secret Editor Performance

Fixed performance issues in the secret editor that caused noticeable lag when working with large environments. The editor now handles bulk operations and rendering much more efficiently.

Available in Console v2.54.2.


Network Access Policy Improvements

Fixed an issue in Network Access Policies where IP detection could be bypassed via the X-FORWARDED-FOR header. The system now uses REMOTE_ADDR for reliable client IP detection and properly handles dual-stack IPv4/IPv6 scenarios.
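The following is an added illustration of the client-IP handling described in this entry and in the nginx note above; it is not Phase's code. It assumes a Django-style `request.META` dictionary, a constructed allowlist, and the documented nginx proxy as the only source of a trusted `X-Real-IP` value; it also handles IPv4-mapped IPv6 addresses so a dual-stack listener still matches IPv4 rules.

```python
import ipaddress

# Constructed sample allowlist for a Network Access Policy (hypothetical; not Phase's schema).
POLICY_ALLOWED_NETWORKS = [
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("2001:db8::/32"),
]


def normalize_ip(raw):
    """Parse an address; unwrap IPv4-mapped IPv6 (::ffff:a.b.c.d) seen on dual-stack sockets."""
    addr = ipaddress.ip_address(raw.strip())
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        return addr.ipv4_mapped
    return addr


def spoofable_client_ip(meta):
    """The bypassed pattern: X-Forwarded-For is client-supplied, so the
    policy check can be pointed at any address the caller chooses."""
    xff = meta.get("HTTP_X_FORWARDED_FOR")
    if xff:
        return normalize_ip(xff.split(",")[0])
    return normalize_ip(meta["REMOTE_ADDR"])


def client_ip(meta, trust_real_ip_header=False):
    """Hardened pattern: use the socket peer (REMOTE_ADDR). Only when the app is
    deployed behind the documented nginx proxy, which overwrites X-Real-IP with
    the real peer, is HTTP_X_REAL_IP preferred; X-Forwarded-For is never consulted."""
    if trust_real_ip_header and meta.get("HTTP_X_REAL_IP"):
        return normalize_ip(meta["HTTP_X_REAL_IP"])
    return normalize_ip(meta["REMOTE_ADDR"])


def is_allowed(addr, networks=POLICY_ALLOWED_NETWORKS):
    """Membership test; ipaddress already returns False across IP versions."""
    return any(addr in net for net in networks)


def check_request(meta, trust_real_ip_header=False):
    """Return (resolved address, policy decision) for a request's META dict."""
    addr = client_ip(meta, trust_real_ip_header)
    return addr, is_allowed(addr)
```

With a forged `X-Forwarded-For`, `spoofable_client_ip` returns the forged value while `client_ip` still returns the socket peer, which is the difference the fix relies on.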


Other improvements

  • Database performance — Added indexes for the SecretEvent model and optimized log count calculations for large querysets
  • Improved self-hosting docs — Updated Docker Compose self-hosting documentation with clearer setup instructions
  • Security patches — Updated Django to 4.2.25 (critical SQL injection fix), Next.js to 14.2.32, and other dependency updates
  • Token activity tracking — Added "last used" tracking for service account tokens with detailed log information in a modal
  • Terms of Service update — Added name and logo usage terms to the website ToS

All features are live on Phase Cloud and available in the latest releases for self-hosted users.

As always, we'd love your feedback — come say hi on Slack or GitHub.
