
Standards Reference

Hexon relies on a wide range of security and networking protocols that form the foundation of modern identity, access, and infrastructure security. Each subsystem references the relevant standards — including RFCs, IETF drafts, FIPS publications, and widely adopted industry specifications.

Where relevant, we document specific implementation choices. This helps make system behavior predictable during interoperability testing, security reviews, and architecture audits.


OAuth 2.0 / OpenID Connect

| RFC | Title | Usage |
|---|---|---|
| RFC 6749 | OAuth 2.0 Authorization Framework | Authorization code, client credentials, refresh token grants |
| RFC 6750 | Bearer Token Usage | Authorization: Bearer extraction across proxy, SCIM, and API |
| RFC 7009 | Token Revocation | Always returns 200 regardless of token validity, as RFC 7009 §2.2 directs, so a caller cannot use the endpoint to test whether a token exists |
| RFC 7517 | JSON Web Key (JWK) | JWKS endpoint, key structure for OIDC discovery |
| RFC 7518 | JSON Web Algorithms (JWA) | ECDSA coordinate encoding (fixed length, zero-padded to the curve size) and exponent encoding for thumbprints |
| RFC 7519 | JSON Web Token (JWT) | ID token structure and validation |
| RFC 7523 | JWT Bearer Assertion | Machine-to-machine grant type with certificate-based authentication |
| RFC 7591 | Dynamic Client Registration | Stateless DCR — no account database required |
| RFC 7636 | PKCE | S256 method, 43–128 character code verifier |
| RFC 7638 | JWK Thumbprint | Key ID derivation for DPoP, SPIFFE, and ACME accounts |
| RFC 7662 | Token Introspection | Client-authenticated introspection endpoint |
| RFC 8176 | Authentication Method Reference | AMR values in ID tokens: pwd, otp, hwk, x509. Note that x509 is not among the values RFC 8176 registers; relying parties should treat it as Hexon-specific |
| RFC 8252 | OAuth for Native Apps | Loopback redirect URIs always allowed (§7.3) |
| RFC 8414 | Authorization Server Metadata | Discovery document at /.well-known/openid-configuration (the OIDC Discovery path; RFC 8414 §3 itself defines /.well-known/oauth-authorization-server) |
| RFC 8628 | Device Authorization Grant | Bastion SSH, MCP, CLI tools; base-20 user codes drawn from the RFC 8628 §6.1 character set BCDFGHJKLMNPQRSTVWXZ |
| RFC 8693 | Token Exchange | Actor (act) claim in delegated JWTs |
| RFC 8705 | mTLS Certificate-Bound Tokens | PKI client authentication matched on the certificate Subject DN or on a URI, DNS, or email SAN (RFC 8705 §2.1.2 tls_client_auth_* metadata) |
| RFC 9126 | Pushed Authorization Requests (PAR) | Parameters sent server-side, never exposed in browser URLs |
| RFC 9449 | DPoP | Proof-of-possession with server-issued nonce and distributed jti replay prevention |
| RFC 9728 | OAuth Protected Resource Metadata | MCP server auto-discovery via /.well-known/oauth-protected-resource |

SCIM

| RFC | Title | Usage |
|---|---|---|
| RFC 7643 | SCIM 2.0 Core Schema | User and group schema, attribute types |
| RFC 7644 | SCIM 2.0 Protocol | CRUD, filtering, sorting, path expressions, bulk operations |

Certificates / PKI / ACME

| RFC | Title | Usage |
|---|---|---|
| RFC 5280 | X.509 PKI | Certificate structure, CRL format, revocation reason codes, OtherName SAN |
| RFC 5019 | OCSP Lightweight Profile | GET with the DER-encoded OCSPRequest base64-encoded and then URL-escaped in the path (RFC 5019 §5 specifies standard base64, not base64url) |
| RFC 6960 | OCSP | Certificate status: Good, Revoked, Unknown |
| RFC 7515 | JSON Web Signature (JWS) | ACME POST request signing |
| RFC 8555 | ACME | Full protocol: directory, nonce, account, order, authorize, finalize, certificate |
| RFC 8659 | CAA | Certificate Authority Authorization with domain tree walk-up |
| RFC 8738 | ACME IP Certificates | ip identifier type with http-01 and tls-alpn-01 for IP addresses (dns-01 is not permitted for IP identifiers) |
| RFC 9773 | ACME Renewal Information (ARI) | Optimal renewal window computation. ARI was published as RFC 9773; RFC 8739 is the unrelated ACME STAR (short-term automatically renewed certificates) extension |
| RFC 4648 | Base Encodings | Base64url for ACME tokens, TOTP secrets, ARI certificate IDs |
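The ARI and base64url rows above describe how a certificate identifier is derived and how the renewal window is used. The following is an added example (not Hexon code) that derives the RFC 9773 certID from an Authority Key Identifier and a serial number, builds the renewalInfo URL, and picks a renewal instant inside the suggested window. The AKI bytes, serial, and directory URL are constructed values standing in for fields parsed from a real certificate and ACME directory.

```python
"""RFC 9773 ARI certificate identifier and renewal-window selection.

Added example, not Hexon code.  The AKI keyIdentifier, serial number and
directory URL below are constructed values standing in for fields parsed
from a real end-entity certificate and ACME directory.
"""
import base64
import secrets
from datetime import datetime, timedelta, timezone

# Constructed sample values (not from any real certificate).
CONSTRUCTED_AKI = bytes(range(20))       # keyIdentifier is usually the SHA-1 of the issuer key
CONSTRUCTED_SERIAL = 0x87654321          # top bit set, so the DER content needs a leading 0x00


def b64url(data: bytes) -> str:
    """RFC 4648 §5 base64url without '=' padding, as ACME (RFC 8555 §8.1) requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def der_integer_content(value: int) -> bytes:
    """Content octets of a DER INTEGER (minimal two's-complement, big-endian).

    ARI encodes the serial's DER content, not its raw magnitude, so a serial
    whose top bit is set must keep its leading 0x00 byte.
    """
    if value < 0:
        raise ValueError("certificate serial numbers are positive (RFC 5280 §4.1.2.2)")
    return value.to_bytes((value.bit_length() + 8) // 8, "big")


def ari_cert_id(aki_key_identifier: bytes, serial: int) -> str:
    """RFC 9773 §4.1: base64url(AKI keyIdentifier) '.' base64url(DER serial content)."""
    return f"{b64url(aki_key_identifier)}.{b64url(der_integer_content(serial))}"


def renewal_info_url(directory_renewal_info: str, cert_id: str) -> str:
    """The ARI resource is the directory's renewalInfo URL with the certID appended."""
    return f"{directory_renewal_info.rstrip('/')}/{cert_id}"


def choose_renewal_time(window_start: datetime, window_end: datetime, now: datetime) -> datetime:
    """RFC 9773 §4.2: pick a uniformly random instant in suggestedWindow; if that
    instant is already past, renew immediately.  Spreading clients over the window
    keeps a mass-revocation event from becoming a thundering herd on the CA."""
    if window_end <= window_start:
        raise ValueError("suggestedWindow end must be after start")
    span = int((window_end - window_start).total_seconds())
    chosen = window_start + timedelta(seconds=secrets.randbelow(span + 1))
    return max(chosen, now)


def demo() -> dict:
    """Run the pieces against the constructed values; returns results for checking."""
    cert_id = ari_cert_id(CONSTRUCTED_AKI, CONSTRUCTED_SERIAL)
    start = datetime(2025, 6, 1, tzinfo=timezone.utc)
    end = start + timedelta(days=2)
    early = choose_renewal_time(start, end, now=start - timedelta(days=7))
    late = choose_renewal_time(start, end, now=end + timedelta(hours=1))
    return {
        "cert_id": cert_id,
        "url": renewal_info_url("https://acme.example/renewal-info", cert_id),
        "early_in_window": start <= early <= end,
        "late_is_now": late == end + timedelta(hours=1),
    }


if __name__ == "__main__":
    print(demo())
```

The same certID string is what an ACME client places in the `replaces` field of a new order so the CA can link the replacement to the certificate being renewed.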

SPIFFE / Workload Identity

| Standard | Description |
|---|---|
| SPIFFE | Workload identity framework — SVIDs with URI SAN, AllowedPeers OID |
| RFC 7638 | JWK Thumbprint — workload authentication via pre-registered public key |
| RFC 5280 | X.509 — SVID certificate structure with spiffe:// URI SAN |
| RFC 8555 | ACME — SPIFFE profile reuses ACME protocol for SVID issuance |
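Both the OAuth table (RFC 7518 coordinate encoding, RFC 7638 thumbprints for DPoP) and the SPIFFE table (pre-registered public keys identified by thumbprint) rest on computing the same key identifier. The following is an added example, not Hexon code, that encodes EC coordinates with the fixed-length padding RFC 7518 requires, computes the RFC 7638 thumbprint, and uses it for the RFC 9449 cnf.jkt binding check. The sample key members are constructed (they are not a valid P-256 point; thumbprinting does not verify that).

```python
"""RFC 7638 JWK thumbprint with RFC 7518 fixed-length EC coordinates.

Added example, not Hexon code.  The sample key below is constructed and is
not a valid curve point; the thumbprint only hashes the encoded members.
"""
import base64
import hashlib
import json

CURVE_COORD_BYTES = {"P-256": 32, "P-384": 48, "P-521": 66}

# RFC 7638 §3.2: only these members enter the hash, in lexicographic order.
REQUIRED_MEMBERS = {"EC": ("crv", "kty", "x", "y"), "RSA": ("e", "kty", "n"), "OKP": ("crv", "kty", "x")}


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def ec_coordinate(value: int, crv: str) -> str:
    """RFC 7518 §6.2.1.2: big-endian, zero-padded to the full curve size.

    Stripping leading zero bytes (a common bug) yields a different thumbprint
    and silently breaks every binding keyed on it."""
    size = CURVE_COORD_BYTES[crv]
    if not 0 <= value < 1 << (8 * size):
        raise ValueError("coordinate out of range for " + crv)
    return b64url(value.to_bytes(size, "big"))


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 §3: required members only, sorted, no whitespace, SHA-256, base64url."""
    members = REQUIRED_MEMBERS[jwk["kty"]]
    if jwk["kty"] == "EC":
        size = CURVE_COORD_BYTES[jwk["crv"]]
        for m in ("x", "y"):
            if len(b64url_decode(jwk[m])) != size:
                raise ValueError(f"{m} is not {size} bytes; reject rather than guess the padding")
    canonical = {m: jwk[m] for m in members}
    data = json.dumps(canonical, sort_keys=True, separators=(",", ":")).encode("utf-8")
    return b64url(hashlib.sha256(data).digest())


def dpop_key_bound(access_token_claims: dict, proof_jwk: dict) -> bool:
    """RFC 9449 §6.1: the token's cnf.jkt must equal the thumbprint of the DPoP proof's key."""
    jkt = (access_token_claims.get("cnf") or {}).get("jkt")
    return jkt is not None and jkt == jwk_thumbprint(proof_jwk)


def constructed_sample_jwk() -> dict:
    """Constructed EC key: x needs leading zero padding; kid/use must be ignored."""
    return {"kty": "EC", "crv": "P-256", "use": "sig", "kid": "ignored",
            "x": ec_coordinate(1 << 200, "P-256"), "y": ec_coordinate(2, "P-256")}


def demo() -> dict:
    jwk = constructed_sample_jwk()
    jkt = jwk_thumbprint(jwk)
    short_x = b64url((1 << 200).to_bytes(26, "big"))          # same number, padding stripped
    try:
        jwk_thumbprint(dict(jwk, x=short_x))
        short_rejected = False
    except ValueError:
        short_rejected = True
    return {"jkt": jkt, "short_x_rejected": short_rejected,
            "bound": dpop_key_bound({"cnf": {"jkt": jkt}}, jwk)}


if __name__ == "__main__":
    print(demo())
```

Rejecting a mis-sized coordinate, instead of re-padding it, keeps the server from computing a thumbprint the client never committed to; the SPIFFE pre-registration case is the same comparison with the thumbprint stored at enrollment time.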

QUIC / HTTP/3

| RFC | Title | Usage |
|---|---|---|
| RFC 9000 | QUIC v1 | Transport protocol — connection IDs, variable-length integers, transport parameters |
| RFC 9369 | QUIC v2 | Updated Initial salt and HKDF labels |
| RFC 9001 | QUIC-TLS | Initial packet encryption, key derivation from Destination CID |
| RFC 9114 | HTTP/3 | CONNECT for TCP proxying, 421 retry, request handling |
| RFC 9204 | QPACK | Header compression error codes |
| RFC 9218 | HTTP Extensible Priorities | Priority header with urgency and incremental for HTTP/3 |
| RFC 9221 | QUIC Datagrams | Unreliable delivery for UDP relay and real-time streams |
| RFC 9297 | HTTP Datagrams | QUIC DATAGRAM frames used by MASQUE |
| RFC 9298 | CONNECT-UDP / MASQUE | UDP proxying over HTTP/3 for browser-native access |

HTTP / Reverse Proxy

| RFC | Title | Usage |
|---|---|---|
| RFC 7230 | HTTP/1.1 Message Syntax (obsoleted by RFC 9112) | Header token character validation |
| RFC 7231 | HTTP/1.1 Semantics (obsoleted by RFC 9110) | Content-Type, Retry-After, Accept-Language, safe methods for 0-RTT |
| RFC 7540 | HTTP/2 (obsoleted by RFC 9113) | PRIORITY frames, SETTINGS parameters |
| RFC 9113 | HTTP/2 (revised) | SETTINGS defaults used in JA4H fingerprinting |
| RFC 9239 | text/javascript | Official MIME type registration |
| RFC 8288 | Web Linking | Link header preload/prefetch/canonical passthrough |
| RFC 8446 | TLS 1.3 | 0-RTT replay protection, HKDF-Expand-Label, PSK-DHE |
| draft-ietf-tls-esni-18 | Encrypted Client Hello (ECH) | SNI privacy — opt-in server-side ECH with DHKEM(X25519, HKDF-SHA256), HKDF-SHA256, AES-128-GCM |
| RFC 5246 | TLS 1.2 | Record max size enforcement in fingerprint storage |
| RFC 6455 | The WebSocket Protocol | Connection upgrade, framing, masking — underlying transport for E2OE encrypted messages |
| RFC 9220 | Bootstrapping WebSockets with HTTP/3 | WebSocket over QUIC via Extended CONNECT (the HTTP/2 form is RFC 8441) |
| RFC 7413 | TCP Fast Open | Latency optimization for repeat clients |
| RFC 6265 | Cookies | Case-insensitive domain rewriting for cross-subdomain SSO |
| RFC 8701 | GREASE | Filtered during TLS fingerprinting to avoid false differentiation |
| RFC 8878 | Zstandard Compression | Response compression negotiation via Accept-Encoding — decompress, rewrite, re-compress |
| Speculation Rules | Speculation Rules API | Browser-side speculative prefetch/prerender injection via HTML <script type="speculationrules"> |
| PROXY protocol | HAProxy PROXY protocol v1/v2 | Client IP preservation to backends |

Forward Proxy / MASQUE

| RFC | Title | Usage |
|---|---|---|
| RFC 9298 | CONNECT-UDP / MASQUE | UDP proxying over HTTP/3 |
| RFC 9114 | HTTP/3 CONNECT | TCP tunneling in forward proxy |
| RFC 8441 | WebSocket over HTTP/2 | Extended CONNECT enabling WebSocket tunneling over HTTP/2 |
| RFC 9484 | CONNECT-IP | Full IP tunnel (planned) |
| RFC 3986 | URI Syntax | PAC file generation |

SSH Bastion

| RFC | Title | Usage |
|---|---|---|
| RFC 4254 | SSH Connection Protocol | Channel types, session channels |
| RFC 4252 | SSH Authentication Protocol | Authentication methods |
| RFC 8628 | Device Authorization Grant | Bastion auth with QR codes for headless environments |
| asciinema v2 | Asciicast format | Session recording — served as application/x-asciicast |
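The Device Authorization Grant appears twice above: the OAuth table fixes the base-20 user-code alphabet, and the bastion row uses the grant with a QR code for headless logins. The following is an added example, not Hexon code, showing the server side of that flow: user-code generation from the RFC 8628 §6.1 alphabet, the case- and separator-insensitive normalization the RFC recommends, the device authorization response whose verification_uri_complete is what a bastion would encode in a QR code, and token-endpoint polling with the slow_down back-off. Timestamps are integer seconds so the flow runs deterministically, and the issuer URL is an assumption.

```python
"""RFC 8628 device grant: base-20 user codes, normalization, polling.

Added example, not Hexon code.  Timestamps are integer seconds so the flow
can be driven deterministically; the issuer URL is an assumption and the
access token is an opaque placeholder.
"""
import base64
import math
import re
import secrets
from urllib.parse import urlencode

# RFC 8628 §6.1 base-20 alphabet: no vowels (no accidental words), no 0/O or 1/I confusion.
USER_CODE_ALPHABET = "BCDFGHJKLMNPQRSTVWXZ"
GROUPS, GROUP_LEN = 2, 4          # "BCDF-GHJK" style: 20^8, about 2^34.6 possibilities
EXPIRES_IN, INTERVAL = 600, 5     # seconds, as returned in the §3.2 response


def _opaque_token() -> str:
    return base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode("ascii")


def generate_user_code() -> str:
    chars = [secrets.choice(USER_CODE_ALPHABET) for _ in range(GROUPS * GROUP_LEN)]
    return "-".join("".join(chars[i:i + GROUP_LEN]) for i in range(0, len(chars), GROUP_LEN))


def user_code_entropy_bits() -> float:
    return GROUPS * GROUP_LEN * math.log2(len(USER_CODE_ALPHABET))


def normalize_user_code(entered: str):
    """§6.1: compare case-insensitively and ignore separators the user omits or mistypes.
    Returns the canonical XXXX-XXXX form, or None if the input cannot be a valid code."""
    cleaned = re.sub(r"[\s\-]+", "", entered).upper()
    if len(cleaned) != GROUPS * GROUP_LEN or any(c not in USER_CODE_ALPHABET for c in cleaned):
        return None
    return "-".join(cleaned[i:i + GROUP_LEN] for i in range(0, len(cleaned), GROUP_LEN))


class DeviceGrantStore:
    """In-memory pending grants; a real deployment shares this state across nodes."""

    def __init__(self, issuer: str):
        self._issuer = issuer.rstrip("/")
        self._by_device: dict = {}
        self._by_user: dict = {}

    def create(self, now: int) -> dict:
        """§3.2 device authorization response.  verification_uri_complete is what a
        headless bastion renders as a QR code so the user need not type the code."""
        device_code = _opaque_token()
        user_code = generate_user_code()
        while user_code in self._by_user:           # 34 bits: collisions are rare but possible
            user_code = generate_user_code()
        rec = {"device_code": device_code, "user_code": user_code, "expires_at": now + EXPIRES_IN,
               "interval": INTERVAL, "last_poll": None, "approved": False, "subject": None}
        self._by_device[device_code] = rec
        self._by_user[user_code] = rec
        verification_uri = f"{self._issuer}/device"
        return {"device_code": device_code, "user_code": user_code,
                "verification_uri": verification_uri,
                "verification_uri_complete": f"{verification_uri}?{urlencode({'user_code': user_code})}",
                "expires_in": EXPIRES_IN, "interval": INTERVAL}

    def approve(self, entered_code: str, subject: str, now: int) -> bool:
        """Called from the verification page after the user has authenticated (§3.3)."""
        rec = self._by_user.get(normalize_user_code(entered_code) or "")
        if rec is None or now >= rec["expires_at"] or rec["approved"]:
            return False
        rec["approved"], rec["subject"] = True, subject
        return True

    def poll(self, device_code: str, now: int) -> dict:
        """§3.4/§3.5 token endpoint handling for the device_code grant type."""
        rec = self._by_device.get(device_code)
        if rec is None:
            return {"error": "invalid_grant"}
        if now >= rec["expires_at"]:
            self._drop(rec)
            return {"error": "expired_token"}
        if rec["last_poll"] is not None and now - rec["last_poll"] < rec["interval"]:
            rec["interval"] += 5              # §3.5: slow_down raises the interval by 5 s for all later polls
            rec["last_poll"] = now
            return {"error": "slow_down"}
        rec["last_poll"] = now
        if not rec["approved"]:
            return {"error": "authorization_pending"}
        self._drop(rec)                       # single use: the device code is consumed
        return {"token_type": "Bearer", "subject": rec["subject"], "access_token": _opaque_token()}

    def _drop(self, rec: dict) -> None:
        self._by_device.pop(rec["device_code"], None)
        self._by_user.pop(rec["user_code"], None)
```

The device code, not the user code, is the secret: it never appears on screen or in the QR payload, and it is consumed on the first successful poll so a captured code cannot be replayed for a second token.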

LDAP / Directory

| RFC | Title | Usage |
|---|---|---|
| RFC 4510 | LDAP Technical Specification | Core LDAP protocol for directory sync |
| RFC 4533 | LDAP Content Synchronization | SyncRepl — real-time directory sync with OpenLDAP |
| RFC 3339 | Date and Time on the Internet | Timestamp formatting for delta sync change detection |

Authentication Methods

| RFC / Standard | Title | Usage |
|---|---|---|
| RFC 6238 | TOTP | SHA1/SHA256/SHA512 with configurable time step |
| RFC 4226 | HOTP | Underlying algorithm for TOTP with dynamic truncation |
| WebAuthn | Web Authentication | Passkey registration and authentication — FIDO2, attestation, CBOR |
| RFC 8152 | COSE (obsoleted by RFC 9052 / RFC 9053; WebAuthn still cites 8152) | WebAuthn public key encoding and parsing |
| RFC 3244 | Kerberos kpasswd | Password change for Kerberos-authenticated users |
| RFC 5705 | TLS Exported Keying Material | Channel-bound authentication for connector and client tunnels |

End-to-Origin Encryption (E2OE)

| RFC / Standard | Title | Usage |
|---|---|---|
| FIPS 186-4 | P-256 curve (ECDSA / ECDH) | Ephemeral ECDH key exchange between browser and server; the curve is from FIPS 186-4 Appendix D, the ECDH primitive itself is NIST SP 800-56A |
| RFC 5869 | HKDF-SHA256 | Channel key derivation from ECDH shared secret — salt: sessionID:channelID, info: hexon-e2oe-v1 |
| NIST SP 800-38D | AES-256-GCM | Payload encryption with per-message random nonce and AAD binding (seq + channelID). With random 96-bit nonces the SP 800-38D collision bound limits a single key to roughly 2^32 messages, so long-lived channels must rekey |
| WebAuthn | Web Authentication | Tier 1 channel binding — ECDH public key commitment embedded in WebAuthn challenge, hardware-attested |
| RFC 2104 | HMAC-SHA256 | Session rebind proof — persists Tier 1 across page loads without re-authentication |
| WebCrypto | Web Cryptography API | Browser-side ECDH, AES-GCM — no JS crypto libraries, native API only |
| RFC 6454 | The Web Origin Concept | Origin validation for E2OE channel binding and CORS |
| RFC 6455 | WebSocket Protocol | Per-message AES-256-GCM encryption with sequence counters for WebSocket E2OE |
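The E2OE rows above specify the key schedule precisely enough to show it end to end: an ephemeral P-256 ECDH agreement, HKDF-SHA256 with salt sessionID:channelID and info hexon-e2oe-v1, then AES-256-GCM with a random nonce and AAD of sequence number plus channel ID. The following is an added example, not Hexon's implementation. It assumes the `cryptography` package is installed, writes HKDF out with stdlib hmac so the RFC 5869 extract and expand steps are visible, simulates the browser side in Python (a real browser does the same with WebCrypto), and uses constructed session and channel identifiers. It also shows the two failure modes a receiver must handle: a replayed message and a tampered one.

```python
"""E2OE channel keys and per-message AES-256-GCM, following the table above.

Added example, not Hexon's implementation.  Assumes the `cryptography`
package is installed; HKDF is written out with stdlib hmac so the RFC 5869
steps are visible.  Session and channel identifiers are constructed, and
the browser side is simulated here (a browser would use WebCrypto).
"""
import hashlib
import hmac
import secrets
import struct

from cryptography.exceptions import InvalidTag
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

INFO = b"hexon-e2oe-v1"   # HKDF info label from the table


def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes, length: int) -> bytes:
    """RFC 5869: PRK = HMAC(salt, IKM); OKM = T(1)|T(2)|... with T(i) = HMAC(PRK, T(i-1)|info|i)."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, block = b"", b""
    for counter in range(1, -(-length // 32) + 1):
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
    return okm[:length]


def channel_key(shared_secret: bytes, session_id: str, channel_id: str) -> bytes:
    """salt = sessionID:channelID, so two channels of one session never share a key."""
    return hkdf_sha256(shared_secret, f"{session_id}:{channel_id}".encode(), INFO, 32)


class E2OEDirection:
    """One direction of a channel.  The sender numbers messages from 0; the receiver
    accepts only the next expected number, so replays and reorders are dropped even
    though their ciphertext and tag are valid.  AAD = seq || channelID binds both."""

    def __init__(self, key: bytes, channel_id: str):
        self._aead = AESGCM(key)
        self._channel = channel_id.encode()
        self.send_seq = 0
        self.recv_seq = 0

    def _aad(self, seq: int) -> bytes:
        return struct.pack(">Q", seq) + self._channel

    def seal(self, plaintext: bytes) -> tuple:
        seq, self.send_seq = self.send_seq, self.send_seq + 1
        nonce = secrets.token_bytes(12)      # random 96-bit nonce: rekey well before 2^32 messages
        return seq, nonce, self._aead.encrypt(nonce, plaintext, self._aad(seq))

    def open(self, seq: int, nonce: bytes, ciphertext: bytes) -> bytes:
        if seq != self.recv_seq:
            raise ValueError("unexpected sequence number: replay, loss, or reorder")
        plaintext = self._aead.decrypt(nonce, ciphertext, self._aad(seq))  # InvalidTag on tamper
        self.recv_seq += 1
        return plaintext


def demo() -> dict:
    """Ephemeral P-256 ECDH on both sides, then one message, one replay, one tamper."""
    session_id, channel_id = "sess-constructed-1", "chan-7"
    browser_priv = ec.generate_private_key(ec.SECP256R1())
    server_priv = ec.generate_private_key(ec.SECP256R1())
    browser_secret = browser_priv.exchange(ec.ECDH(), server_priv.public_key())
    server_secret = server_priv.exchange(ec.ECDH(), browser_priv.public_key())
    browser_key = channel_key(browser_secret, session_id, channel_id)
    server_key = channel_key(server_secret, session_id, channel_id)

    sender, receiver = E2OEDirection(browser_key, channel_id), E2OEDirection(server_key, channel_id)
    seq, nonce, ct = sender.seal(b"GET /secrets HTTP/1.1")
    plaintext = receiver.open(seq, nonce, ct)
    try:
        receiver.open(seq, nonce, ct)                                    # same message again
        replay_rejected = False
    except ValueError:
        replay_rejected = True
    seq2, nonce2, ct2 = sender.seal(b"second")
    try:
        receiver.open(seq2, nonce2, ct2[:-1] + bytes([ct2[-1] ^ 1]))    # flip one tag bit
        tamper_rejected = False
    except InvalidTag:
        tamper_rejected = True
    return {"keys_match": browser_key == server_key,
            "roundtrip": plaintext == b"GET /secrets HTTP/1.1",
            "replay_rejected": replay_rejected, "tamper_rejected": tamper_rejected,
            "channels_separated": channel_key(browser_secret, session_id, "chan-8") != browser_key}


if __name__ == "__main__":
    print(demo())
```

Because the sequence number lives in the AAD rather than in the plaintext, a receiver can reject an out-of-order message before it learns anything about the payload, and a forged message cannot claim a different position without invalidating the tag.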

RADIUS

| RFC | Title | Usage |
|---|---|---|
| RFC 2865 | RADIUS | Core protocol, Access-Challenge, Service-Type, Reply-Message |
| RFC 2866 | RADIUS Accounting | Session accounting — start, stop, interim updates |
| RFC 2868 | RADIUS Tunnel Attributes | Tunnel-Type, Tunnel-Medium-Type, Tunnel-Private-Group-ID |
| RFC 6614 | RADSEC | RADIUS over TLS (port 2083) |

DNS

| RFC | Title | Usage |
|---|---|---|
| RFC 1034 | DNS Concepts | CNAME flattening, max depth 16 |
| RFC 1035 | DNS Implementation | A, SOA, CNAME, PTR, MX, TXT — label max 63, total 253 chars |
| RFC 3596 | AAAA Records | IPv6 DNS resolution |
| RFC 2782 | SRV Records | Service discovery |
| RFC 4033 | DNSSEC Introduction | DNS Security Extensions — threat model and overview |
| RFC 4034 | DNSSEC | DNSKEY, DS, RRSIG, NSEC records |
| RFC 5155 | NSEC3 | Hashed denial of existence |
| RFC 6672 | DNAME Records | Domain aliasing |
| RFC 6698 | DANE / TLSA | TLS certificate pinning via DNS |
| RFC 7671 | DANE Updates | TLSA usage and validation refinements |
| RFC 7858 | DNS-over-TLS | Upstream DoT on port 853 |
| RFC 9460 | HTTPS / SVCB Records | Service binding records |
| RFC 7208 | SPF | TXT-based SPF records |
| RFC 6761 | Special-Use Domain Names | .local and .internal handling (.local is registered by RFC 6762 mDNS; .internal is an ICANN reservation, not an RFC 6761 entry) |
| RFC 8767 | Serving Stale Data | Stale DNS responses during upstream failure — compliant cache behavior |
| RFC 5358 | DNS Amplification Prevention | Rate-limited REFUSED responses to prevent reflection attacks |
| RFC 8914 | Extended DNS Errors | Policy-denied error codes |

Email / SMTP

| RFC | Title | Usage |
|---|---|---|
| RFC 5321 | SMTP | Email delivery, address max length (320 chars, i.e. 64-octet local part + @ + 255-octet domain; the RFC 5321 §4.5.3.1.3 path limit of 256 octets caps a deliverable address at 254) |
| RFC 5322 | Internet Message Format | Email address validation |
| RFC 8255 | Multipart/Multilingual | Multi-language email notifications |

Cryptography

| Standard | Description |
|---|---|
| RFC 8446 | TLS 1.3 — HKDF-Expand-Label, key derivation, 0-RTT, PSK-DHE |
| RFC 7748 | X25519 / X448 — Curve25519 ECDH with low-order point rejection (abort on an all-zero shared secret, RFC 7748 §6.1) |
| RFC 8032 | Ed25519 — cluster identity signing, header signing, pre-key verification |
| RFC 5869 | HKDF-SHA256 — key derivation for cluster keys, signing keys, X3DH |
| RFC 9591 | FROST — threshold EdDSA for internal OIDC token signing and SSH certificate signing (Ed25519) |
| FIPS 186-4 | ECDSA — P-256/P-384/P-521 for threshold ECDSA signing and external OIDC token signing (GG18 DKG) |
| FIPS 186-5 | ECDSA key generation — bias bound verification |
| FIPS 140-2 | Compatible cipher suite selection (FIPS 140-2 has been superseded by FIPS 140-3 for new validations) |
| FIPS 203 | ML-KEM-768 — hybrid post-quantum key exchange with X25519 |
| X3DH | Extended Triple Diffie-Hellman — forward secrecy for hexdcall control plane |

Protection / WAF

| Standard | Description |
|---|---|
| OWASP CRS | Core Rule Set — paranoia levels 1–4, tag-based disabling |
| JA4 | TLS fingerprinting — rate limiting, session affinity, WAF detection |

Connector

| RFC | Title | Usage |
|---|---|---|
| RFC 5705 | TLS Exported Keying Material | Channel-bound authentication — binds tunnel to TLS session (for TLS 1.3 the exporter is defined in RFC 8446 §7.5) |
| RFC 9000 | QUIC | Transport layer for all connector tunnels |
| RFC 8628 | Device Authorization Grant | Connector authentication flow |

Networking

| RFC | Title | Usage |
|---|---|---|
| RFC 1918 | Private IPv4 | SSRF validation, proxy ACL |
| RFC 4193 | Unique Local IPv6 | fc00::/7 range handling |
| RFC 6598 | Carrier-Grade NAT | Default configurable pools |
| RFC 4291 | IPv6 Addressing | IPv4-in-IPv6 extraction |
| RFC 1123 | Hostname Validation | Hostname regex in firewall and SPIFFE config |
| RFC 1928 | SOCKS5 | SOCKS5 proxy support in hexonclient |
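The Networking table lists the RFC 1918, RFC 4193 and RFC 6598 ranges used for SSRF validation and the RFC 4291 IPv4-in-IPv6 extraction. The following is an added example, not Hexon code, of a destination filter built from those ranges. Beyond the table's ranges it also blocks loopback, link-local and the unspecified address, which any SSRF filter needs; it unwraps IPv4-mapped IPv6 literals before judging them, rejects the shorthand literals (127.1, 0x7f000001) that inet_aton would accept, and returns the checked addresses to connect to rather than the hostname, so a second lookup at connect time cannot rebind. The resolver used by the checks is an injectable callable so the code runs offline with a constructed stub.

```python
"""Destination filtering with the address ranges from the Networking table.

Added example, not Hexon code.  The table's RFC 1918 / RFC 4193 / RFC 6598
ranges are extended with loopback, link-local and unspecified addresses
(marked "added" below).  The resolver is injectable so tests can pass a
constructed stub instead of doing real DNS.
"""
import ipaddress
import socket

BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918 private IPv4
    "100.64.0.0/10",                                   # RFC 6598 shared address space (CGNAT)
    "fc00::/7",                                        # RFC 4193 unique local IPv6
    "127.0.0.0/8", "::1/128",                          # loopback (added; not in the table)
    "169.254.0.0/16", "fe80::/10",                     # link-local, incl. cloud metadata 169.254.169.254 (added)
    "0.0.0.0/8", "::/128",                             # unspecified / "this host" (added)
)]


def canonical_address(text: str):
    """Parse an address literal and unwrap IPv4-mapped IPv6 (RFC 4291 §2.5.5.2).

    ::ffff:10.0.0.1 is the same target as 10.0.0.1 and must be judged as such.
    ipaddress rejects shorthand like 127.1 or 0x7f000001 that inet_aton would
    silently accept, which is exactly what a filter wants."""
    ip = ipaddress.ip_address(text)
    if ip.version == 6 and ip.ipv4_mapped is not None:
        return ip.ipv4_mapped
    return ip


def is_address_literal(text: str) -> bool:
    try:
        ipaddress.ip_address(text)
        return True
    except ValueError:
        return False


def is_blocked_address(text: str) -> bool:
    ip = canonical_address(text)
    return any(ip in net for net in BLOCKED_NETWORKS)


def _default_resolver(host: str) -> list:
    """Every address a hostname resolves to; the caller must check all of them."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def allowed_targets(host: str, resolver=_default_resolver) -> list:
    """Addresses it is safe to connect to for `host`, or [] if any answer is blocked.

    Connect to one of the returned addresses, not to the hostname: a fresh lookup
    at connect time (DNS rebinding) would otherwise defeat the check.  A mixed
    answer (one public, one internal address) is rejected as a whole."""
    bare = host.strip("[]")
    if is_address_literal(bare):
        addresses = [bare]
    else:
        addresses = resolver(host)
    if not addresses or any(is_blocked_address(a) for a in addresses):
        return []
    return [str(canonical_address(a)) for a in addresses]


def demo() -> dict:
    """Constructed resolver answers standing in for real DNS."""
    stub_dns = {"internal.example": ["10.0.0.5"],
                "public.example": ["93.184.216.34"],
                "rebind.example": ["93.184.216.34", "169.254.169.254"]}
    resolver = lambda h: stub_dns.get(h, [])
    return {name: allowed_targets(name, resolver) for name in stub_dns}


if __name__ == "__main__":
    print(demo())
```

The filter deliberately treats the string "127.1" as a hostname rather than an address; it will then go through the resolver, where a real deployment's resolver should also refuse to return addresses in the blocked ranges.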

Compliance Frameworks

| Standard | Description |
|---|---|
| NIST SP 800-53 | Security and Privacy Controls — compliance framework mapping for audit telemetry |
| NIST SP 800-63B | Digital Identity — authentication assurance levels (AAL), password recommendations |

Hexon Specifications

| Specification | Status | Description |
|---|---|---|
| draft-hexon-edge-protocol-00 | Internet-Draft | Hexon Edge Protocol (HXEP) — lightweight binary protocol for conveying original client IP address and port across proxy boundaries. 11 bytes (IPv4) / 23 bytes (IPv6). Works with TCP, UDP, and QUIC. |

Hexon is built on open standards. We open-source selected libraries, contribute to the projects we build on, and design for interoperability from day one. When new protocols are introduced, they are documented openly and intended for future standardization.