Security

Security on Container Duck is structural, not bolted on. Isolation is enforced at every layer — network, data, and access.

Authentication

Every request to every app goes through authentication. There are no public endpoints by default.

• Automatic login — Sign in once, access all apps in your project seamlessly
• Cross-app SSO — Single sign-on across all apps within a project
• Scoped sessions — Your session is scoped to your platform domain for safety

Network isolation

• Project isolation — Traffic between projects is blocked by default
• Default deny — Only explicitly allowed traffic flows between apps
• TLS everywhere — All traffic between your browser and your apps is encrypted

Data isolation

• Dedicated databases — Each project gets its own PostgreSQL database, not a shared database with row-level filtering
• Dedicated storage — Each project gets its own private storage
• Continuous backups — Database backups run continuously with 7-day retention

Infrastructure

• Your infrastructure — Container Duck runs on your servers. Your data never leaves your machines.
• Open source — Every component is open source and auditable. No proprietary black boxes.
• No vendor lock-in — Standard databases, standard storage, standard containers. Take your data and leave anytime.