Security

How we protect your data and keep the platform safe.

Authentication

  • Passwords hashed with bcrypt
  • JWT-based session tokens
  • HTTP-only, secure, SameSite=strict cookies
  • Rate limiting on login and registration
  • Account lockout after repeated failures

Data Protection

  • HTTPS enforced on all connections
  • Database backups with integrity checks
  • No plaintext secrets in source control
  • Minimal data collection policy

Application Security

  • CSRF token validation on all forms
  • Content Security Policy headers
  • Input sanitization and validation
  • Parameterized database queries
  • Strict CORS configuration

Monitoring

  • Automated health checks every 30 seconds
  • Failed login attempt tracking
  • Real-time status dashboard
  • Audit logging for administrative actions

Infrastructure

  • Reverse proxy with SSL termination
  • Firewall rules restricted to required ports
  • Isolated service architecture
  • Automated deployment pipeline

End-to-End Encryption

  • Secure Channel uses client-side encryption
  • Secure Notes encrypted before leaving your device
  • Server never has access to plaintext content
  • Keys managed on your device only

Responsible Disclosure

If you find a security vulnerability in Darklock, please let us know privately before disclosing it publicly. We take every report seriously and will work to patch issues quickly.

Email us at [email protected] with details of the vulnerability, steps to reproduce, and any relevant screenshots or logs. We will acknowledge your report within 48 hours.