# Security is everything.
Every design decision in Datpub begins with the safety and privacy of your data in mind. Datpub provides a data channel to transfer files for you, and Datpub will never hold or read your file content.
# Principle of least centralization
The role of the Datpub server is only to provide end-to-end communication handshakes. All information related to personal file security is kept only on your local PC, not on Datpub.
# Your files are end-to-end encrypted.
Your files shared/transferred by Datpub are end-to-end encrypted, and only you hold the keys to decrypt them. We can’t see your Datpub files, so we can’t use them, share them, or sell them.
# Local Access Log
The access history of your files is saved on your local PC only, so you can see clearly who accessed your files, when, and how. Access logs are not stored on the Datpub server to maximize your privacy.
# Local Access Control
All information about shared files is stored on your PC only, and all permission verification is performed on your PC:
- Disk path
- Anonymous access
- Privileges (Enabled, Upload, Download, Expired Days, Cut/Copy/Paste/Delete, Create Folder, Rename)
# We use state-of-the-art security.
Your Datpub files are end-to-end encrypted to keep them safe at rest and in transit. Our security starts with AES 128-bit encryption, and we use multiple techniques to make sure only you have access to your information. We're continuously working to make sure our code is rock solid.
# Security Design
Datpub uses state-of-the-art security and end-to-end encryption to protect your files. Your files are always end-to-end encrypted, so they can never be shared or viewed by anyone but you and the intended recipients.
Datpub encrypts all files with 128-bit AES-GCM encryption before they leave the browser.
# Key management
The secret key used for end-to-end encryption is never shared with our servers. It is sent directly to your intended recipient when you send them the "share link". The secret key is added to the URI fragment which is never sent to the server. When an agent (such as a web browser) requests a web resource from a web server, the agent sends the URI to the server, but does not send the fragment.
# Web Crypto API
We use the browser's built-in cryptography primitives via the Web Crypto API to encrypt files in the browser before they are sent to the recipient.
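The scheme described under Key management and Web Crypto API can be sketched as follows. This is an added example, not Datpub's own code: the host `share.example`, the link layout, the base64url key encoding and all function names are assumptions. It encrypts with 128-bit AES-GCM, carries the key in the URI fragment, and shows that the request target a server sees contains no key material.

```javascript
// Added example, not Datpub's code. Host, link layout and names are hypothetical.
const webcrypto = globalThis.crypto ?? require('node:crypto').webcrypto; // Node fallback

const toB64Url = (bytes) =>
  btoa(String.fromCharCode(...bytes)).replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
const fromB64Url = (s) =>
  Uint8Array.from(atob(s.replace(/-/g, '+').replace(/_/g, '/')), (c) => c.charCodeAt(0));

// Sender: generate a 128-bit AES-GCM key, encrypt, and place the raw key in the fragment.
async function encryptForShare(plaintext, baseUrl) {
  const key = await webcrypto.subtle.generateKey({ name: 'AES-GCM', length: 128 }, true, ['encrypt']);
  const iv = webcrypto.getRandomValues(new Uint8Array(12)); // fresh 96-bit nonce per file
  const ciphertext = new Uint8Array(
    await webcrypto.subtle.encrypt({ name: 'AES-GCM', iv }, key, plaintext));
  const rawKey = new Uint8Array(await webcrypto.subtle.exportKey('raw', key));
  const link = new URL(baseUrl);
  link.hash = toB64Url(rawKey); // the key lives only after the '#'
  return { link: link.href, iv, ciphertext }; // iv and ciphertext may be relayed or stored
}

// What an HTTP client sends for this link: path and query, never the fragment.
function requestTarget(link) {
  const u = new URL(link);
  return u.pathname + u.search;
}

// Recipient: read the key from the fragment locally, then decrypt and authenticate.
async function decryptFromShare(link, iv, ciphertext) {
  const rawKey = fromB64Url(new URL(link).hash.slice(1));
  const key = await webcrypto.subtle.importKey('raw', rawKey, { name: 'AES-GCM' }, false, ['decrypt']);
  return new Uint8Array(await webcrypto.subtle.decrypt({ name: 'AES-GCM', iv }, key, ciphertext));
}
```

Because AES-GCM is authenticated, `decryptFromShare` rejects if the stored or relayed ciphertext was modified. The fragment is still visible to any script running in the page and remains in browser history, so the link itself must be handled as a secret.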
# File transport
- Sent directly to the recipient via a peer-to-peer WebRTC connection
- Uploaded to our servers (assuming they are within the file size limit)

A fully peer-to-peer transfer is preferred, since it improves speed and privacy. The server copy helps to ensure files continue to be available even after the sender closes their browser. All files are end-to-end encrypted before they are uploaded or sent peer-to-peer.
# Encryption at rest
In addition to Datpub's end-to-end encryption, your files are protected by an additional layer of encryption on our servers.
# Transport Layer Security (TLS)
TLS (formerly known as SSL) is the industry-standard encryption protocol used to encrypt communications between your browser and our servers. It ensures that the Datpub webpage code is not modified by attackers, and provides an additional layer of protection on top of the client-side end-to-end encryption to ensure data uploads and downloads are private.
We support TLS 1.3 for modern devices and TLS 1.2 for all remaining devices. Deprecated versions of TLS and SSL are not used.
Qualys SSL Labs rates our TLS implementation an A+. See report.
# Supply Chain Security
In order to protect Datpub users, we audit every open source package we use to detect and block dozens of package issues.
# Certificate Transparency Logs
We monitor the Certificate Transparency logs for certificate misissuance.
# DNS Certification Authority Authorization (CAA) Policy
A Certification Authority Authorization (CAA) policy allows a DNS domain name holder to specify the Certification Authorities (CAs) authorized to issue certificates for that domain.
By publishing a CAA record, we reduce the risk of unintended or malicious certificate misissuance.
# Domain Name System Security Extensions (DNSSEC)
DNSSEC is a set of extensions to DNS which provide to DNS clients (resolvers) cryptographic authentication of DNS data, authenticated denial of existence, and data integrity.
We deploy DNSSEC to protect DNS records for Datpub.app.
# Datagram Transport Layer Security (DTLS)
DTLS is the standard encryption protocol used to encrypt WebRTC peer-to-peer communications between browsers. It provides an additional layer of protection on top of our own encryption to keep peer-to-peer transfers on Datpub private.
# Web security
Datpub is configured with state-of-the-art security options to lock down the site as much as possible.
Mozilla Observatory rates our site configuration an A+.
Here are a few of the security features we deploy.
Datpub uses this header to ensure that your browser always communicates with our servers using the TLS protocol.
We additionally include Datpub.app in all major browsers' HTTP Strict Transport Security (HSTS) preload lists. In the case of .app domains, the entire TLD is automatically included in the HSTS preload list.
Datpub uses this header to prevent other origins from accessing data on Datpub.app. This is a mitigation for side-channel hardware vulnerabilities such as Meltdown and Spectre.
Datpub uses this header to enable cross-origin isolation. Cross-origin isolation ensures that supported browsers always load Datpub in a separate renderer process, which protects against side-channel hardware vulnerabilities such as Meltdown and Spectre.
Datpub uses this header to disable some web browser features that we don't need, like camera and microphone access.
Datpub uses Content Security Policy to prevent the site from being tricked into accessing resources (such as scripts, webpages, etc.) that could be used in Cross-Site Scripting attacks.
If you've found a security vulnerability in Datpub, please report it using our Responsible Disclosure Process.