Security & Privacy
Security features, best practices, and privacy considerations
📑 Table of Contents
🔒 Security & Privacy
404 is built with security and privacy as core principles. This document outlines our security features, practices, and recommendations.🛡️ Security Features
Encryption
In Transit:- All web traffic uses HTTPS/TLS 1.3
- IRC uses SSL/TLS encryption (port 6697)
- Git supports SSH (port 22) and HTTPS (port 443)
At Rest:
- Password-protected files use strong encryption
- Database stored with appropriate file permissions
- Sensitive data is hashed, not stored in plaintext
XSS Protection
- Content Security Policy (CSP) headers
- HTML sanitization for user-generated content
- Markdown renderer with strict tag allowlist
- Automatic escaping of user input
CSRF Protection
- CSRF tokens on all state-changing operations
- SameSite cookie attributes
- Origin validation
Rate Limiting
Protection against abuse and DoS attacks:| Service | Limit |
|---|---|
| File uploads | 10/hour per IP |
| Paste creation | 20/hour per IP |
| API requests | 60/minute per IP |
| Login attempts | 5/15min per IP |
🔐 Authentication & Authorization
Password Security
Passwords are:- Hashed using Argon2id (memory-hard algorithm)
- Salted with unique per-user salt
- Never stored in plaintext
- Never transmitted over unencrypted connections
Session Management
- Secure session tokens (cryptographically random)
- HTTPOnly cookies (not accessible via JavaScript)
- Secure flag on cookies (HTTPS only)
- Automatic session expiration
- Logout on all devices supported
SSH Key Authentication
For git access:- Supports RSA, Ed25519, ECDSA keys
- Keys are validated before storage
- Per-key access control
- Key fingerprint verification
🌐 Tor & Anonymity
Onion Services
IRC Onion Address:iibkaohpbc7jizrszt7ve6tpxlnzd3osvaocv2r5wh3ojzi2trysg5id.onion:6667Benefits:
- End-to-end encryption
- Hidden IP addresses
- Censorship resistance
- No exit node vulnerabilities
Tor Best Practices
- Use Tor Browser for web access
- Connect via SOCKS proxy for IRC/Git
- Disable JavaScript when possible
- Don't leak personal information
- Use disposable identities
🔍 Privacy Measures
Data Collection
We collect minimal data:What we DON'T collect:
- Personal information
- Browsing history
- Analytics or tracking
- IP addresses (after request processing)
- Email addresses (optional, never required)
What we DO collect:
- Upload timestamps (for expiration)
- File metadata (size, type)
- Rate limiting data (temporary)
- Error logs (debugging only)
Data Retention
- Files: Deleted after expiration
- Pastes: Auto-delete after expiration
- Logs: Rotated weekly, deleted monthly
- User accounts: Deleted on request
No Third-Party Services
- No Google Analytics
- No Facebook tracking
- No CDNs (self-hosted assets)
- No external fonts
- No social media integrations
🚨 Security Best Practices
For Users
- Use strong, unique passwords
```bash
# Generate a random password
openssl rand -base64 32
```
- Enable 2FA (if available)
- Use password managers (KeePassXC, Bitwarden)
- Verify SSL certificates
- Keep software updated
For Developers
- Input validation on all user data
- Output encoding to prevent XSS
- Prepared statements to prevent SQL injection
- Least privilege principle for database access
- Security headers on all responses
For System Administrators
- Keep systems patched
- Use fail2ban for brute force protection
- Monitor logs for suspicious activity
- Backup regularly
- Test disaster recovery
🐛 Vulnerability Disclosure
Reporting Security Issues
If you discover a security vulnerability:- Do NOT disclose publicly
- Contact us privately:
- IRC: /msg admin on irc.4-0-4.io
- Email: security@4-0-4.io (PGP encouraged)
- Git: Private repository for security reports
- Include:
- Description of the vulnerability
- Steps to reproduce
- Potential impact
- Suggested fix (if any)
Our Commitment
- Acknowledgment within 48 hours
- Status updates every 72 hours
- Fix timeline provided after assessment
- Credit given (if desired)
- No legal action against responsible researchers
🔬 Security Audits
Internal Audits
Regular security reviews:- Code review for vulnerabilities
- Dependency scanning
- Penetration testing
- Security header validation
External Audits
We welcome:- Independent security audits
- Bug bounty programs (planned)
- Community security reviews
- Academic research
🛠️ Security Configuration
Web Server (Nginx)
# Security headers
add_header X-Frame-Options "DENY";
add_header X-Content-Type-Options "nosniff";
add_header X-XSS-Protection "1; mode=block";
add_header Referrer-Policy "no-referrer";
add_header Content-Security-Policy "default-src 'self'";
# Disable server tokens
server_tokens off;
# SSL/TLS configuration
ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers on;
ssl_ciphers HIGH:!aNULL:!MD5;PHP Configuration
# Disable dangerous functions
disable_functions = exec,passthru,shell_exec,system,proc_open,popen
# Hide PHP version
expose_php = Off
# Session security
session.cookie_httponly = 1
session.cookie_secure = 1
session.cookie_samesite = StrictDatabase (SQLite)
# Appropriate file permissions
chmod 600 /path/to/database.db
chown www-data:www-data /path/to/database.db
# Encrypted backups
sqlite3 database.db ".dump" | gpg -c > backup.sql.gpg📊 Incident Response
In Case of Breach
- Contain - Isolate affected systems
- Assess - Determine scope and impact
- Notify - Inform affected users
- Remediate - Fix vulnerabilities
- Review - Post-incident analysis
User Actions
If you suspect your account is compromised:- Change password immediately
- Review recent activity
- Revoke suspicious sessions
- Enable 2FA if not already active
- Report to administrators
📚 Additional Resources
Security Tools
Privacy Tools
Learning Resources
Security is a continuous process. Stay informed and stay safe!