Validation Modes
Validation modes control which attributes of an incoming request Flowfull compares against the stored session before it accepts that session: first that the session exists, then the client IP address, the User-Agent header, and finally a device ID. Each mode adds one more binding check, so choose the level that matches the sensitivity of your application and how much re-authentication your users will tolerate.
Overview
Flowfull supports four validation modes with increasing security levels:
| Mode | IP Check | User-Agent | Device ID | Use Case |
|---|---|---|---|---|
| DISABLED | ❌ | ❌ | ❌ | Development only |
| STANDARD | ✅ | ❌ | ❌ | Most applications |
| ADVANCED | ✅ | ✅ | ❌ | Enhanced security |
| STRICT | ✅ | ✅ | ✅ | Maximum security |
Mode Details
DISABLED Mode
Security: None
Performance: Fastest
Use Case: Local development only
```
# ⚠️ WARNING: Never use in production!
VALIDATION_MODE=DISABLED
```
What it does:
- ✅ Validates session exists
- ❌ No IP validation
- ❌ No User-Agent validation
- ❌ No Device ID validation
When to use:
- Local development
- Testing
- Debugging
⚠️ Never use DISABLED in production!
STANDARD Mode (Recommended)
Security: Good
Performance: Fast
Use Case: Most web applications
```
VALIDATION_MODE=STANDARD
```
What it validates:
- ✅ Session exists and not expired
- ✅ IP address matches session
- ❌ User-Agent (allows browser updates)
- ❌ Device ID (allows multiple devices)
Benefits:
- Rejects a stolen session token that is replayed from a different IP address
- Allows users to update browsers
- Allows users to use multiple devices
- Good balance of security and UX
Caveat: an attacker who shares the victim's public IP (same NAT, same corporate egress, malware on the same machine) is not detected by the IP check alone.
Best for:
- Web applications
- Mobile apps (see the IP address considerations below: mobile clients change IP frequently)
- SaaS platforms
- E-commerce sites
ADVANCED Mode
Security: High
Performance: Fast
Use Case: Sensitive applications
```
VALIDATION_MODE=ADVANCED
```
What it validates:
- ✅ Session exists and not expired
- ✅ IP address matches session
- ✅ User-Agent matches session
- ❌ Device ID (allows multiple devices)
Benefits:
- Rejects a replayed token unless the attacker also reproduces the victim's exact User-Agent string
- Detects browser changes
- Still allows multiple devices
Caveat: the User-Agent is a client-supplied header that an attacker who already holds the token can usually copy, so treat this check as defence in depth rather than a strong binding.
Best for:
- Financial applications
- Healthcare systems
- Admin dashboards
- Enterprise applications
Considerations:
- Users must re-login after browser updates
- May impact UX slightly
STRICT Mode
Security: Maximum
Performance: Fast
Use Case: Critical operations
```
VALIDATION_MODE=STRICT
```
What it validates:
- ✅ Session exists and not expired
- ✅ IP address matches session
- ✅ User-Agent matches session
- ✅ Device ID matches session
Benefits:
- Strongest binding of the four modes
- Session is bound to a single device ID
- Any change of IP address, User-Agent or device ID invalidates the session
- A stolen token is useless unless the attacker also presents the matching IP address, User-Agent and device ID
Caveat: malware running on the registered device itself can present all of these, so STRICT raises the cost of hijacking rather than ruling it out.
Best for:
- Banking applications
- Payment processing
- Sensitive data access
- Compliance requirements
Considerations:
- Users must re-login on new devices
- Users must re-login after browser updates
- May require device registration flow
Implementation
Configuration
Set in your .env file:

```
VALIDATION_MODE=STANDARD
```

Node.js/TypeScript

```typescript
import { BridgeValidator } from './lib/bridge';

const validator = new BridgeValidator({
  flowlessUrl: process.env.FLOWLESS_URL,
  bridgeSecret: process.env.BRIDGE_SECRET,
  validationMode: process.env.VALIDATION_MODE || 'STANDARD'
});
```

Go

```go
mode := os.Getenv("VALIDATION_MODE")
if mode == "" {
    mode = "STANDARD" // same default as the Node.js and Python examples
}
validator := bridge.NewValidator(bridge.Config{ValidationMode: mode})
```

Python

```python
import os

validator = BridgeValidator(
    validation_mode=os.getenv("VALIDATION_MODE", "STANDARD")
)
```

Choosing the Right Mode
Decision Tree
```
Start
│
├─ Development/Testing? ──▶ DISABLED
│
├─ Standard web app? ──▶ STANDARD
│
├─ Sensitive data? ──▶ ADVANCED
│
└─ Banking/Payments? ──▶ STRICT
```

Recommendations by Industry
| Industry | Recommended Mode | Reason |
|---|---|---|
| E-commerce | STANDARD | Balance of security and UX |
| SaaS | STANDARD | Multi-device support |
| Healthcare | ADVANCED | Protected health information warrants tighter session binding |
| Finance | STRICT | Strongest session binding for financial transactions |
| Education | STANDARD | User-friendly |
| Enterprise | ADVANCED | Enhanced security |
Security Considerations
IP Address Validation
Pros:
- Rejects a session token replayed from a different IP address
- Detects a change of client network (an IP address is a network signal, not a reliable location)
- Simple to implement
Cons:
- Mobile users change IPs frequently
- VPN users may have issues
- Corporate proxies may rotate IPs
- Attackers behind the same NAT or corporate egress share the victim's IP and pass the check
Solution: for mobile and VPN users, compare a network prefix rather than the exact address. This trades some hijack detection for fewer forced re-logins, so pair it with the User-Agent or device ID checks rather than relying on it alone.
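The prefix comparison suggested above, as an added example that is not Flowfull's own code: both addresses are parsed into bytes and compared on a configurable number of leading bits, so a client that hops addresses inside one carrier or VPN range keeps its session while a move to another network is still detected. The names (sameNetwork, PrefixPolicy), the /24 and /64 widths and the sample addresses (RFC 5737 and RFC 3849 documentation ranges) are assumptions for this example; IPv6 addresses with an embedded dotted IPv4 suffix are treated as malformed and rejected.

```typescript
// Added example, not Flowfull's own code: compare client IPs on a network
// prefix so that address churn inside one network does not force a re-login,
// while a move to another network is still detected. Names and prefix widths
// are assumptions for illustration.

interface PrefixPolicy {
  v4Bits: number; // 32 = exact IPv4 match
  v6Bits: number; // 128 = exact IPv6 match
}

const EXACT: PrefixPolicy = { v4Bits: 32, v6Bits: 128 };
// A common relaxation: one IPv4 /24 or one IPv6 /64 counts as "the same network".
const RELAXED: PrefixPolicy = { v4Bits: 24, v6Bits: 64 };

// Dotted-quad IPv4 -> 4 bytes, or null if malformed.
function parseIPv4(ip: string): number[] | null {
  const parts = ip.split(".");
  if (parts.length !== 4) return null;
  const bytes: number[] = [];
  for (const p of parts) {
    if (!/^\d{1,3}$/.test(p)) return null;
    const n = Number(p);
    if (n > 255) return null;
    bytes.push(n);
  }
  return bytes;
}

// Textual IPv6 (with optional "::" compression) -> 16 bytes, or null if
// malformed. Embedded dotted IPv4 forms such as ::ffff:192.0.2.1 are rejected.
function parseIPv6(ip: string): number[] | null {
  const halves = ip.split("::");
  if (halves.length > 2) return null;
  const head = halves[0] === "" ? [] : halves[0].split(":");
  const tail = halves.length === 2 && halves[1] !== "" ? halves[1].split(":") : [];
  if (halves.length === 1 && head.length !== 8) return null;
  if (halves.length === 2 && head.length + tail.length > 7) return null;
  const zeros = new Array<string>(8 - head.length - tail.length).fill("0");
  const groups = head.concat(zeros, tail);
  const bytes: number[] = [];
  for (const g of groups) {
    if (!/^[0-9a-fA-F]{1,4}$/.test(g)) return null;
    const n = parseInt(g, 16);
    bytes.push(n >> 8, n & 0xff);
  }
  return bytes;
}

function toBytes(ip: string): number[] | null {
  return ip.indexOf(".") >= 0 ? parseIPv4(ip) : parseIPv6(ip);
}

// True when both addresses are well-formed, in the same family, and share the
// policy's prefix. Anything malformed, or a change of address family, fails closed.
function sameNetwork(stored: string, incoming: string, policy: PrefixPolicy): boolean {
  const a = toBytes(stored);
  const b = toBytes(incoming);
  if (a === null || b === null || a.length !== b.length) return false;
  const bits = Math.min(a.length === 4 ? policy.v4Bits : policy.v6Bits, a.length * 8);
  const fullBytes = Math.floor(bits / 8);
  for (let i = 0; i < fullBytes; i++) {
    if (a[i] !== b[i]) return false;
  }
  const rem = bits % 8;
  if (rem === 0) return true;
  const mask = (0xff << (8 - rem)) & 0xff; // leading `rem` bits of the next byte
  return (a[fullBytes] & mask) === (b[fullBytes] & mask);
}

// Constructed pairs (documentation ranges), checked under both policies.
const SAMPLE_PAIRS: [string, string][] = [
  ["203.0.113.7", "203.0.113.200"],        // same IPv4 /24, e.g. carrier NAT hopping
  ["203.0.113.7", "198.51.100.7"],         // different network
  ["2001:db8::1", "2001:db8:0:0:ffff::1"], // same IPv6 /64
  ["2001:db8::1", "2001:db8:1::1"],        // different /64
  ["203.0.113.7", "2001:db8::1"],          // family change: always rejected
];

function compareUnderPolicies(): { pair: string; exact: boolean; relaxed: boolean }[] {
  return SAMPLE_PAIRS.map(([s, i]) => ({
    pair: s + " -> " + i,
    exact: sameNetwork(s, i, EXACT),
    relaxed: sameNetwork(s, i, RELAXED),
  }));
}
```

Feed sameNetwork the address the validator actually sees for the connection; if the service sits behind a proxy, derive that address only from a header the proxy is trusted to set. Widening the prefix widens the set of attackers who share "the same network", so the relaxed policy belongs with the User-Agent or device ID checks, not on its own.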
User-Agent Validation
Pros:
- Detects browser changes
- Rejects replay from a different browser unless the attacker also copies the victim's User-Agent header
- Low performance impact
Caveat: the header is attacker-controlled, so this check adds friction for an attacker rather than a strong guarantee.
Cons:
- Browser updates change User-Agent
- Users must re-login after updates
Solution: Implement graceful re-authentication
Device ID Validation
Pros:
- Binds the session to one device identifier
- Strongest of the three signals when the identifier is generated by the server and stored securely on that device
- A stolen cookie alone is not enough; the attacker also needs the device ID
Cons:
- Users must register devices
- Complex device management
- May impact UX
Solution: Implement device registration flow
Best Practices
✅ Do
- Start with STANDARD mode
- Upgrade to ADVANCED for sensitive data
- Use STRICT for financial operations
- Reject unknown VALIDATION_MODE values at startup instead of silently falling back to a weaker mode
- Test mode changes thoroughly
- Document your choice
❌ Don't
- Use DISABLED in production
- Change modes without testing
- Use STRICT for all routes
- Ignore user feedback
Dynamic Validation
You can use different modes for different routes. A route that requires a login should never use a weaker mode than your application-wide default; reserve the relaxed modes for routes that are public anyway.

```javascript
// Public routes - DISABLED
app.get('/api/public', optionalAuth('DISABLED'), handler);

// Standard routes - STANDARD
app.get('/api/profile', requireAuth('STANDARD'), handler);

// Sensitive routes - ADVANCED
app.get('/api/billing', requireAuth('ADVANCED'), handler);

// Critical routes - STRICT
app.post('/api/transfer', requireAuth('STRICT'), handler);
```

Next Steps
- Bridge Validation - Learn how validation works
- Auth Middleware - Protect your routes
- HybridCache - Optimize performance
Need Help?
- 🌐 Notside.com - Professional Pubflow implementation
- 📧 Email: contact@notside.com