Security & Privacy

Security features, best practices, and privacy considerations

✍️ Dasho 📅 2026-02-07

🔒 Security & Privacy

I built 404 with security and privacy in mind. This document explains what that means in detail, covering encryption, authentication, anonymity, and best practices for users and developers.

🛡️ Security Features

Encryption

In Transit:

  • All web traffic uses HTTPS/TLS 1.3, and onion services use end-to-end encryption by standard Tor protocols. Now, I know these aren't exactly "features" since they're just how the internet works, but I want to be clear that all communication is encrypted by default.
  • IRC uses SSL/TLS encryption (port 6697), but this can be finicky because of SSL certs, so I also support unencrypted connections on port 6667 for users who prefer that (or have trouble with SSL). Just be aware that unencrypted IRC traffic can be intercepted (but over Tor it's still protected). The IRC database is encrypted at rest, so even if someone got access to it, they couldn't read the contents without the encryption key. The key is stored securely, is not accessible to unauthorized users, and is encoded before being wrapped into the server binary, so it's not just sitting in a config file.
  • Git supports SSH (port 22) and HTTPS (port 443).

At Rest:

  • Password-protected files use symmetric encryption (AES-256-GCM)
  • Database stored with appropriate file permissions and encrypted backups
  • Sensitive data is hashed, not stored in plaintext (e.g. passwords with Argon2id)

XSS Protection

  • Content Security Policy (CSP) headers, so only trusted sources can execute scripts or load resources. There are no scripts or external resources on the site, so this is just an extra layer of protection.
  • HTML sanitization for user-generated content (obviously)
  • Markdown renderer with strict tag allowlist
  • Automatic escaping of user input

CSRF Protection

  • CSRF tokens on all state-changing operations (CSRF tokens are generated per session and validated on the server for POST requests)
  • SameSite cookie attributes to prevent cross-site requests
  • Origin validation for sensitive actions
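
A sketch of the server-side check described in the list above, added here as an example and not taken from 404's own code. It assumes a dict-like session, a form field named csrf_token, header names in their canonical spelling, and the placeholder origin https://example.test; it also covers other unsafe methods besides POST.

```python
import hmac
import secrets
from urllib.parse import urlsplit

ALLOWED_ORIGIN = "https://example.test"  # placeholder origin (assumption)
UNSAFE_METHODS = {"POST", "PUT", "PATCH", "DELETE"}


def issue_token(session):
    """Create one CSRF token per session and keep it server-side."""
    if "csrf_token" not in session:
        session["csrf_token"] = secrets.token_urlsafe(32)
    return session["csrf_token"]


def origin_ok(headers):
    """Accept only requests whose Origin (or Referer fallback) is the site."""
    source = headers.get("Origin") or headers.get("Referer")
    if not source:
        return False  # fail closed when the browser sent neither header
    parts = urlsplit(source)
    return f"{parts.scheme}://{parts.netloc}" == ALLOWED_ORIGIN


def check_request(method, headers, form, session):
    """Return (allowed, reason) for one incoming request."""
    if method.upper() not in UNSAFE_METHODS:
        return True, "safe method"
    if not origin_ok(headers):
        return False, "origin mismatch"
    expected = session.get("csrf_token")
    supplied = form.get("csrf_token", "")
    # compare_digest avoids leaking how many leading characters matched
    if not expected or not hmac.compare_digest(expected.encode(), supplied.encode()):
        return False, "bad csrf token"
    return True, "ok"
```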

Rate Limiting

Protection against abuse and DoS attacks:

| Service | Limit |
|---|---|
| File uploads | 10/hour per user |
| Paste creation | 20/hour per user |
| API requests | 60/minute per user |
| Login attempts | 5/15min per user |
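
One way to enforce the limits in this table is a sliding-window limiter that keeps only recent timestamps per user and discards them once they expire. This is an added example, not 404's implementation; the action names and the in-memory store are assumptions.

```python
import time
from collections import defaultdict, deque

# Limits from the table above (action names are made up for this example).
LIMITS = {
    "file_upload": (10, 3600),
    "paste_create": (20, 3600),
    "api_request": (60, 60),
    "login_attempt": (5, 15 * 60),
}


class SlidingWindowLimiter:
    """Sliding-window log limiter keyed by (action, user)."""
    def __init__(self, limits=LIMITS, clock=time.monotonic):
        self.limits = limits
        self.clock = clock
        self.hits = defaultdict(deque)  # (action, user) -> hit timestamps

    def _expire(self, key, now):
        """Drop timestamps that have left the window for this key."""
        window = self.limits[key[0]][1]
        q = self.hits[key]
        while q and now - q[0] >= window:
            q.popleft()
        return q

    def allow(self, action, user):
        """Record the hit and return True, or return False when over the limit."""
        now = self.clock()
        q = self._expire((action, user), now)
        if len(q) >= self.limits[action][0]:
            return False
        q.append(now)
        return True

    def retry_after(self, action, user):
        """Seconds until the next hit would be allowed (0 if allowed now)."""
        now = self.clock()
        q = self._expire((action, user), now)
        max_hits, window = self.limits[action]
        return 0 if len(q) < max_hits else window - (now - q[0])

    def purge(self):
        """Delete keys with no live hits so rate-limit data stays temporary."""
        now = self.clock()
        for key in list(self.hits):
            if not self._expire(key, now):
                del self.hits[key]
```

Denied attempts are not recorded, so a client that keeps retrying does not extend its own lockout; calling purge() periodically keeps the store from holding per-user data longer than the window.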

🔐 Authentication & Authorization

Password Security

Passwords are:

  • Hashed using Argon2id (memory-hard algorithm)
  • Salted with unique per-user salt
  • Never stored in plaintext
  • Never transmitted over unencrypted connections

Session Management

  • Secure session tokens (cryptographically random)
  • HTTPOnly cookies (not accessible via JavaScript)
  • Secure flag on cookies (HTTPS only)
  • Automatic session expiration (2 hours)
  • Logout on all devices supported

SSH Key Authentication

For git access:

  • Supports RSA, Ed25519, ECDSA keys
  • Keys are validated before storage
  • Per-key access control
  • Key fingerprint verification

🌐 Tor & Anonymity

Onion Services

IRC Onion Address:

iibkaohpbc7jizrszt7ve6tpxlnzd3osvaocv2r5wh3ojzi2trysg5id.onion:6667

Benefits:

  • End-to-end encryption (over Tor)
  • Hidden IP addresses
  • Censorship resistance
  • No exit node vulnerabilities

Tor Best Practices

  1. Use Tor Browser for web access
  2. Connect via SOCKS proxy for IRC/Git
  3. Disable JavaScript when possible
  4. Don't leak personal information
  5. Use disposable identities

🔍 Privacy Measures

Data Collection

I collect minimal data:

What I DON'T collect:

  • Personal information
  • Browsing history
  • Analytics or tracking
  • IP addresses (after request processing)
  • Email addresses (optional, never required)

What I DO collect:

  • Upload timestamps (for expiration)
  • File metadata (size, type)
  • Rate limiting data (temporary)
  • Error logs (debugging only)

Data Retention

  • Files: Deleted after expiration (or on valid report)
  • Pastes: Auto-delete after expiration
  • Logs: None, simple as
  • User accounts: Deleted through account settings. There are no backups of user data, so once you delete your account, it's gone for good.

No Third-Party Services

  • No Google Analytics
  • No Facebook tracking
  • No CDNs (self-hosted assets)
  • No external fonts
  • No social media integrations

🚨 Security Best Practices

For Users

  1. Use strong, unique passwords (or just use a password manager)

     # Generate a random password
     openssl rand -base64 32

  2. Enable 2FA (if available)
  3. Use password managers (KeePassXC, Bitwarden)
  4. Verify SSL certificates
  5. Keep software updated

For Developers

  1. Input validation on all user data
  2. Output encoding to prevent XSS
  3. Prepared statements to prevent SQL injection
  4. Least privilege principle for database access
  5. Security headers on all responses

For System Administrators

  1. Keep systems patched
  2. Use fail2ban for brute force protection
  3. Monitor logs for suspicious activity
  4. Backup regularly
  5. Test disaster recovery

🐛 Vulnerability Disclosure

Reporting Security Issues

If you discover a security vulnerability:

  1. Do NOT disclose publicly
  2. Contact me privately:
       - IRC: /msg Dasho on irc.4-0-4.io
       - Email: sec@dasho.dev (PGP encouraged)
       - Git: Private repository for security reports
  3. Include:
       - Description of the vulnerability
       - Steps to reproduce
       - Potential impact
       - Suggested fix (if any)

My Commitment

  • Acknowledgment within 48 hours (well lol I'll try)
  • Status updates every 72 hours (again, I'll try)
  • Fix timeline provided after assessment
  • Credit given (if desired)
  • No legal action against responsible researchers

🔬 Security Audits

Internal Audits

Regular security reviews:

  • Code review for vulnerabilities
  • Dependency scanning
  • Penetration testing
  • Security header validation

External Audits

I welcome:

  • Independent security audits
  • Bug bounty programs (planned)
  • Community security reviews
  • Academic research

🛠️ Security Configuration

Web Server (Nginx)

# Security headers
add_header X-Frame-Options "DENY";
add_header X-Content-Type-Options "nosniff";
add_header X-XSS-Protection "1; mode=block";
add_header Referrer-Policy "no-referrer";
add_header Content-Security-Policy "default-src 'self'";

# Disable server tokens
server_tokens off;

# SSL/TLS configuration
ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers on;
ssl_ciphers HIGH:!aNULL:!MD5;

PHP Configuration

# Disable dangerous functions
disable_functions = exec,passthru,shell_exec,system,proc_open,popen

# Hide PHP version
expose_php = Off

# Session security
session.cookie_httponly = 1
session.cookie_secure = 1
session.cookie_samesite = Strict
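
The "security header validation" audit step can be automated by checking a response head against the values in the Nginx and PHP settings above. This is an added example, not part of 404's tooling; the sample response is constructed, and the function names are assumptions.

```python
# Expected values come from the Nginx and PHP settings listed on this page.
EXPECTED = {
    "x-frame-options": "DENY",
    "x-content-type-options": "nosniff",
    "x-xss-protection": "1; mode=block",
    "referrer-policy": "no-referrer",
    "content-security-policy": "default-src 'self'",
}
COOKIE_FLAGS = {"httponly", "secure", "samesite=strict"}

# Constructed sample response head (not captured from the real site).
SAMPLE_BAD = """HTTP/1.1 200 OK
Server: nginx/1.24.0
X-Powered-By: PHP/8.2.0
X-Frame-Options: SAMEORIGIN
Referrer-Policy: no-referrer
Set-Cookie: PHPSESSID=abc123; path=/; HttpOnly
"""


def parse_head(raw):
    """Return [(lowercase name, value)] for each header line in a raw head."""
    pairs = []
    for line in raw.strip().splitlines()[1:]:  # [1:] skips the status line
        if not line.strip():
            break  # blank line ends the header section
        name, _, value = line.partition(":")
        pairs.append((name.strip().lower(), value.strip()))
    return pairs


def audit(raw):
    """Return sorted findings; an empty list means the response head passes."""
    pairs, findings = parse_head(raw), []
    for name, want in EXPECTED.items():
        got = [v for n, v in pairs if n == name]
        if len(got) != 1:
            findings.append(f"{name}: expected once, seen {len(got)} times")
        elif got[0] != want:
            findings.append(f"{name}: got {got[0]!r}, want {want!r}")
    for n, v in pairs:
        if n == "server" and any(c.isdigit() for c in v):
            findings.append("server: version exposed (server_tokens off?)")
        elif n == "x-powered-by":
            findings.append("x-powered-by: present (expose_php = Off?)")
        elif n == "set-cookie":
            flags = {p.strip().lower() for p in v.split(";")[1:]}
            for flag in sorted(COOKIE_FLAGS - flags):
                findings.append(f"set-cookie {v.split('=')[0]}: missing {flag}")
    return sorted(findings)
```

Nginx only attaches add_header to a fixed set of success and redirect status codes unless the always parameter is given, and add_header directives inside a nested block replace the ones inherited from outer levels. Running the check against error pages and each location catches both cases.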

Database (SQLite)

# Appropriate file permissions
chmod 600 /path/to/database.db
chown www-data:www-data /path/to/database.db

# Encrypted backups
sqlite3 database.db ".dump" | gpg -c > backup.sql.gpg

📊 Incident Response

In Case of Breach

  1. Contain - Isolate affected systems
  2. Assess - Determine scope and impact
  3. Notify - Inform affected users
  4. Remediate - Fix vulnerabilities
  5. Review - Post-incident analysis

User Actions

If you suspect your account is compromised:

  1. Change password immediately
  2. Review recent activity
  3. ~~Revoke suspicious sessions~~ (you can only have one session at a time, so just log out and log back in to invalidate any other sessions)
  4. Enable 2FA if not already active (coming soon)
  5. Report to me


Security is a continuous process. Stay informed and stay safe!

Last updated: 2026-02-07