Security Best Practices

Learn about PasteProof's security features and best practices for keeping your data safe.

Privacy-First Architecture

PasteProof is designed with privacy as a core principle:

  • Local Detection
    All core PII detection happens locally in your browser. No data is sent to a server in the free version.
  • Optional Cloud Features
    Premium features like AI-powered detection and analytics are opt-in and only used when you explicitly enable them.
  • Self-Hosting Support
    You can self-host the backend to have complete control over your data and infrastructure.

Data Handling

What Data is Processed?

  • Free Version: All detection happens locally. No data leaves your browser.
  • Premium Features: When enabled, only the text content you paste is sent to our API for AI-powered detection. This data is processed and not stored.
  • Analytics: If enabled, anonymized detection statistics are stored for your account.

Data Storage

  • Your whitelist, custom patterns, and preferences are stored securely in our database.
  • All data is encrypted in transit using HTTPS/TLS.
  • Sensitive values such as API keys are hashed before storage.

API Security

All API requests are secured using industry-standard practices:

  • API Key Authentication
    All API requests require a valid API key in the X-API-Key header.
  • HTTPS Only
    All API endpoints require HTTPS. HTTP requests are automatically redirected.
  • Rate Limiting
    API endpoints are rate-limited to prevent abuse and ensure fair usage.
  • Input Validation
    All inputs are validated and sanitized to prevent injection attacks.

Self-Hosting Security

If you're self-hosting PasteProof, follow these security best practices:

  • Keep Your API Key Secret
    Never commit your API key to version control. Use environment variables or secure secret management.
  • Use HTTPS
    Always use HTTPS in production. Configure SSL/TLS certificates for your domain.
  • Regular Updates
    Keep your self-hosted backend updated with the latest security patches.
  • Monitor Access
    Review audit logs regularly to detect any unauthorized access attempts.
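Reviewing audit logs by hand does not scale, so the "Monitor Access" item is usually automated. The following is an added example, not part of PasteProof's own tooling: it parses audit log lines, collects authentication failures (401/403) per client, and flags clients whose failures cluster within a sliding time window. The line format, field names, the sample lines (constructed, using documentation IP ranges) and the thresholds are all assumptions; a self-hosted backend's real log format may differ.

```javascript
// Added example (not PasteProof's own code): flag clients with repeated
// authentication failures in an audit log. The line format, the sample lines
// and the thresholds are assumptions made for this example.

// Constructed sample lines: "<ISO timestamp> <client ip> <method> <path> <status>".
// Addresses are from the documentation ranges 203.0.113.0/24 and 198.51.100.0/24.
const SAMPLE_AUDIT_LOG = [
  '2024-01-01T10:00:00Z 203.0.113.5 POST /v1/detect 401',
  '2024-01-01T10:00:03Z 203.0.113.5 POST /v1/detect 401',
  '2024-01-01T10:00:05Z 198.51.100.7 POST /v1/detect 200',
  '2024-01-01T10:00:09Z 203.0.113.5 POST /v1/detect 403',
  '2024-01-01T10:00:12Z 203.0.113.5 POST /v1/detect 401',
  '2024-01-01T10:01:30Z 198.51.100.7 POST /v1/detect 401',
  'this line is malformed and should be skipped',
  '2024-01-01T10:45:00Z 203.0.113.5 POST /v1/detect 401',
];

const LINE_RE = /^(\S+) (\S+) (GET|POST|PUT|PATCH|DELETE) (\S+) (\d{3})$/;

// Parse one line into an event, or return null for lines that do not match
// the expected shape (a reviewer wants malformed lines skipped, not crashed on).
function parseAuditLine(line) {
  const m = LINE_RE.exec(line.trim());
  if (!m) return null;
  const ts = Date.parse(m[1]);
  if (Number.isNaN(ts)) return null;
  return { ts, client: m[2], method: m[3], path: m[4], status: Number(m[5]) };
}

// Return clients with at least `threshold` auth failures inside any sliding
// window of `windowMs`, ordered by the size of their largest burst.
function flagRepeatedAuthFailures(lines, { threshold = 3, windowMs = 5 * 60 * 1000 } = {}) {
  const failuresByClient = new Map();
  for (const line of lines) {
    const ev = parseAuditLine(line);
    if (!ev || (ev.status !== 401 && ev.status !== 403)) continue;
    if (!failuresByClient.has(ev.client)) failuresByClient.set(ev.client, []);
    failuresByClient.get(ev.client).push(ev.ts);
  }

  const findings = [];
  for (const [client, times] of failuresByClient) {
    times.sort((a, b) => a - b);
    // Two-pointer sliding window: find the largest burst that fits in windowMs.
    let start = 0;
    let burst = 0;
    let burstEnd = -1;
    for (let end = 0; end < times.length; end++) {
      while (times[end] - times[start] > windowMs) start++;
      if (end - start + 1 > burst) {
        burst = end - start + 1;
        burstEnd = end;
      }
    }
    if (burst >= threshold) {
      findings.push({
        client,
        totalFailures: times.length,
        burst,
        burstWindowEnd: new Date(times[burstEnd]).toISOString(),
      });
    }
  }
  findings.sort((a, b) => b.burst - a.burst);
  return findings;
}

module.exports = { SAMPLE_AUDIT_LOG, parseAuditLine, flagRepeatedAuthFailures };
```

Run over the sample lines with the defaults, this flags 203.0.113.5 (four failures inside twelve seconds, five in total) and ignores 198.51.100.7, whose single 401 is the kind of noise that a plain count of failures would not distinguish from a burst. The threshold and window should be tuned to the deployment's normal traffic before alerting on the result.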

Browser Extension Security

The PasteProof browser extension follows security best practices:

  • Minimal Permissions
    The extension only requests the minimum permissions needed to function. It can only access pages you visit, not your entire browsing history.
  • Content Security Policy
    The extension follows strict Content Security Policy (CSP) rules to prevent XSS attacks.
  • Manifest V3
    Built with Manifest V3 for enhanced security and performance.
  • Open Source
    The extension code is open source, allowing security audits and community review.
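Because the extension is open source, the first three properties above can be checked mechanically against its manifest. The following is an added example, not part of the PasteProof repository: an audit function over a Manifest V3 manifest object that flags broad permissions, broad host patterns, a missing or weakened extension-page Content Security Policy, and a manifest version other than 3. The two sample manifests are constructed for illustration and do not reproduce PasteProof's real manifest; the permission and CSP denylists are assumptions that a reviewer would tune to the extension's actual needs.

```javascript
// Added example (not PasteProof's own code): audit a browser extension
// manifest for the properties listed on this page. The sample manifests and
// the denylists below are constructed for the example.

// Permissions that reach well beyond the page the user is currently on
// (constructed denylist; adjust to what the extension genuinely needs).
const BROAD_PERMISSIONS = new Set([
  'tabs', 'history', 'webRequest', 'cookies', 'debugger', 'management',
]);
// Host patterns that grant access to every site rather than the active tab.
const BROAD_HOST_PATTERNS = new Set([
  '<all_urls>', '*://*/*', 'http://*/*', 'https://*/*',
]);
// CSP source tokens that weaken XSS protection for extension pages.
const WEAK_CSP_TOKENS = ["'unsafe-inline'", "'unsafe-eval'", 'http:', 'https:', 'data:', '*'];

// Return the source list of one CSP directive, or null if it is absent.
function cspDirective(csp, name) {
  for (const part of csp.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens[0] === name) return tokens.slice(1);
  }
  return null;
}

function auditCsp(csp, findings) {
  for (const name of ['script-src', 'object-src']) {
    const sources = cspDirective(csp, name);
    if (sources === null) {
      findings.push(`CSP lacks ${name}`);
      continue;
    }
    for (const src of sources) {
      if (WEAK_CSP_TOKENS.includes(src) || /^https?:\/\//.test(src)) {
        findings.push(`weak ${name} source: ${src}`);
      }
    }
  }
}

// Returns a list of human-readable findings; an empty list means the manifest
// passed every check. Accepts both MV3 (object CSP, host_permissions) and
// MV2 (string CSP, hosts inside permissions) layouts so older manifests can
// be audited too.
function auditManifest(manifest) {
  const findings = [];
  if (manifest.manifest_version !== 3) {
    findings.push('manifest_version is not 3');
  }
  for (const p of manifest.permissions || []) {
    if (BROAD_PERMISSIONS.has(p)) findings.push(`broad permission: ${p}`);
    if (BROAD_HOST_PATTERNS.has(p)) findings.push(`broad host permission: ${p}`);
  }
  for (const h of manifest.host_permissions || []) {
    if (BROAD_HOST_PATTERNS.has(h)) findings.push(`broad host permission: ${h}`);
  }
  const raw = manifest.content_security_policy;
  const csp = typeof raw === 'string' ? raw : raw && raw.extension_pages;
  if (typeof csp !== 'string') {
    findings.push('no explicit extension_pages CSP (browser default applies)');
  } else {
    auditCsp(csp, findings);
  }
  return findings;
}

// Constructed sample: the shape a minimal-permission MV3 manifest takes.
const MINIMAL_MANIFEST = {
  manifest_version: 3,
  name: 'example-extension',
  version: '1.0.0',
  permissions: ['activeTab', 'storage'],
  content_security_policy: { extension_pages: "script-src 'self'; object-src 'self'" },
};

// Constructed sample: an MV2 manifest that fails every check above.
const PERMISSIVE_MANIFEST = {
  manifest_version: 2,
  name: 'example-extension',
  version: '1.0.0',
  permissions: ['tabs', 'history', '<all_urls>'],
  content_security_policy: "script-src 'self' 'unsafe-eval' https://cdn.example; object-src 'self'",
};

module.exports = { auditManifest, cspDirective, MINIMAL_MANIFEST, PERMISSIVE_MANIFEST };
```

The minimal manifest produces no findings; the permissive one produces six, covering the old manifest version, two broad permissions, an all-hosts pattern, and two weak script-src sources. Running this kind of check in CI gives reviewers a concrete signal that a pull request has not quietly widened the extension's reach.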

Reporting Security Issues

If you discover a security vulnerability, please report it responsibly:

  • Do not open a public GitHub issue for security vulnerabilities.
  • Email security concerns to security@pasteproof.com.
  • Include details about the vulnerability and steps to reproduce (if applicable).
  • We will respond within 48 hours and work with you to resolve the issue.

Additional Resources