Security in cypht

Maximum Security for Your Communications

Enterprise-grade encryption, secure authentication, and privacy-first architecture keep your communications safe. Your data stays yours.

Browser Security

Complete browser-level protection with data encryption, tracking protection, and secure cookie management.

  • Secure Cookie Management

    By default all cookies are session-level, HttpOnly, and have the Secure flag, path, and domain values set (except one cookie used to pass user notices to the JavaScript).

  • Request Protection

    HTTP request header fingerprinting, CSRF token protection, and blocking of requests whose target and source origins do not match.

  • Security Headers

    Security-related HTTP headers such as X-XSS-Protection, X-Content-Type-Options, X-Frame-Options, and Content-Security-Policy.

  • Resource Integrity

    Subresource Integrity for the two primary includes (site.js and site.css).

  • Session Management

    A configurable idle-timeout module set that ends a session after a predetermined period of inactivity.

  • Two-Factor Authentication

    Support for two-factor authentication with any TOTP-compatible authenticator application.

  • Encrypted Communication

    Optional AES-encrypted AJAX responses and local session-storage cache.

  • Bot Protection

    reCAPTCHA support for the login form.
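The cookie, header, CSRF and origin protections listed above, written out as plain PHP. This is an added example and not Cypht's own code: the function names (configure_session_cookie, csrf_token_issue, csrf_token_valid, origin_matches), the exact header values and the SameSite choice are assumptions for illustration, not the project's settings.

```php
<?php
declare(strict_types=1);

// Added example (not Cypht's code): browser-side request hardening in PHP.
// Function names and concrete header values below are assumptions.

// 1. Session cookie: lifetime 0 makes it session-level; Secure and HttpOnly
//    are set, and path/domain are explicit so the cookie is not over-shared.
function configure_session_cookie(string $domain): void
{
    session_set_cookie_params([
        'lifetime' => 0,          // discarded when the browser closes
        'path'     => '/',
        'domain'   => $domain,
        'secure'   => true,       // only sent over HTTPS
        'httponly' => true,       // not readable from JavaScript
        'samesite' => 'Strict',   // assumed; limits cross-site sending
    ]);
}

// 2. Security headers named in the "Security Headers" item.
function send_security_headers(): void
{
    header('X-Content-Type-Options: nosniff');
    header('X-Frame-Options: DENY');
    header('X-XSS-Protection: 1; mode=block');
    header("Content-Security-Policy: default-src 'self'; frame-ancestors 'none'");
}

// 3. CSRF token: one random value per session, compared in constant time.
function csrf_token_issue(array &$session): string
{
    if (empty($session['csrf_token'])) {
        $session['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $session['csrf_token'];
}

function csrf_token_valid(array $session, ?string $submitted): bool
{
    return is_string($submitted)
        && !empty($session['csrf_token'])
        && hash_equals($session['csrf_token'], $submitted);
}

// 4. Target/source origin check: the host in the Origin header (or Referer,
//    if Origin is absent) must equal the host the request was addressed to.
function origin_matches(string $target_host, ?string $origin, ?string $referer): bool
{
    $source = $origin ?? $referer;
    if ($source === null) {
        return false;             // no source information: reject the state-changing request
    }
    $target = strtolower(explode(':', $target_host, 2)[0]); // drop any :port
    $host = parse_url($source, PHP_URL_HOST);
    return is_string($host) && strtolower($host) === $target;
}

// Constructed sample values (not real session or request data).
$session = [];
$token = csrf_token_issue($session);
if (!csrf_token_valid($session, $token) || csrf_token_valid($session, 'wrong')) {
    throw new RuntimeException('CSRF check behaves unexpectedly');
}
if (!origin_matches('mail.example.com:443', 'https://mail.example.com', null)
    || origin_matches('mail.example.com', null, 'https://attacker.example.net/')) {
    throw new RuntimeException('origin check behaves unexpectedly');
}
```

The cookie parameters and headers have to be applied before session_start() and before any output is sent; the CSRF token is emitted into forms and AJAX requests and checked with csrf_token_valid() on every state-changing request, alongside the origin check.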

Server Security

Our server infrastructure is reinforced with leading security protocols to protect your data against unauthorized access

  • Secure Connections

    TLS/STARTTLS support for IMAP, LDAP, and SMTP connections. OAuth2 over IMAP/SMTP is supported (currently only Gmail and Outlook support this feature).

  • Data Encryption

    Session level data is encrypted with a long random string generated on login. Data is stored server side, and the key is stored in a session level secure cookie. Persistent data between logins is encrypted with a key derived from your password, which is never stored.

  • Encryption Standards

    All encryption is done with libsodium if available; otherwise AES-256-CBC with encrypt-then-MAC and PBKDF2 key derivation using OpenSSL (NOT Mcrypt).

  • Server Hardening

    PHP ini settings are tightened at runtime for extra security, including open_basedir and session best practices. No writable files or directories are used inside the web server document root.

  • Authentication

    Optional local DB-based authentication using a salt and PBKDF2 (or Argon2 via libsodium if available).

  • Email Security

    HTML-formatted email is filtered through HTMLPurifier with all external resources removed before rendering, and achieves a perfect score on the "Email Privacy Tester".
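The "Data Encryption" and "Encryption Standards" items describe the OpenSSL fallback: a key derived from the login password with PBKDF2, AES-256-CBC, and a MAC computed over the ciphertext. The following is an added example of that construction in PHP and is not Cypht's own code. The function names, the iteration count, the use of separate encryption and MAC keys, and the blob layout (salt, IV, ciphertext, HMAC tag) are all assumptions made for this illustration. Session-level data would use the same functions with a random per-login key instead of a password.

```php
<?php
declare(strict_types=1);

// Added example (not Cypht's code): AES-256-CBC, encrypt-then-MAC, PBKDF2 via
// PHP's OpenSSL extension. Layout and constants below are assumptions.

const PBKDF2_ITERATIONS = 100000; // assumed; tune for the deployment
const SALT_LEN = 16;
const IV_LEN   = 16;              // AES block size
const TAG_LEN  = 32;              // SHA-256 HMAC output

// Derive independent encryption and MAC keys from the password. The password
// itself is used only here and is never written anywhere.
function derive_keys(string $password, string $salt): array
{
    $material = hash_pbkdf2('sha256', $password, $salt, PBKDF2_ITERATIONS, 64, true);
    return [substr($material, 0, 32), substr($material, 32, 32)];
}

function encrypt_persistent(string $plaintext, string $password): string
{
    $salt = random_bytes(SALT_LEN);
    $iv   = random_bytes(IV_LEN);
    [$enc_key, $mac_key] = derive_keys($password, $salt);

    $ciphertext = openssl_encrypt($plaintext, 'aes-256-cbc', $enc_key, OPENSSL_RAW_DATA, $iv);
    if ($ciphertext === false) {
        throw new RuntimeException('encryption failed');
    }
    // Encrypt-then-MAC: the tag covers every byte the receiver will parse.
    $tag = hash_hmac('sha256', $salt . $iv . $ciphertext, $mac_key, true);
    return base64_encode($salt . $iv . $ciphertext . $tag);
}

function decrypt_persistent(string $blob, string $password): ?string
{
    $raw = base64_decode($blob, true);
    if ($raw === false || strlen($raw) < SALT_LEN + IV_LEN + TAG_LEN) {
        return null;
    }
    $salt       = substr($raw, 0, SALT_LEN);
    $iv         = substr($raw, SALT_LEN, IV_LEN);
    $tag        = substr($raw, -TAG_LEN);
    $ciphertext = substr($raw, SALT_LEN + IV_LEN, -TAG_LEN);
    [$enc_key, $mac_key] = derive_keys($password, $salt);

    // Verify the MAC before the ciphertext is touched, in constant time.
    $expected = hash_hmac('sha256', $salt . $iv . $ciphertext, $mac_key, true);
    if (!hash_equals($expected, $tag)) {
        return null;              // tampered blob or wrong password
    }
    $plaintext = openssl_decrypt($ciphertext, 'aes-256-cbc', $enc_key, OPENSSL_RAW_DATA, $iv);
    return $plaintext === false ? null : $plaintext;
}

// Constructed sample values (not real credentials).
$blob = encrypt_persistent('imap_password=example-secret', 'user-login-password');
if (decrypt_persistent($blob, 'user-login-password') !== 'imap_password=example-secret') {
    throw new RuntimeException('round trip failed');
}
if (decrypt_persistent($blob, 'wrong-password') !== null) {
    throw new RuntimeException('wrong password was accepted');
}
// Flip one ciphertext bit: the MAC check rejects it before decryption runs.
$raw = base64_decode($blob);
$raw[SALT_LEN + IV_LEN] = chr(ord($raw[SALT_LEN + IV_LEN]) ^ 1);
if (decrypt_persistent(base64_encode($raw), 'user-login-password') !== null) {
    throw new RuntimeException('tampering was not detected');
}
```

Checking the HMAC before calling openssl_decrypt() is what makes this encrypt-then-MAC rather than MAC-then-encrypt: a modified blob is rejected without exposing any padding or decryption behaviour, and a wrong password fails the same way as tampering.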

Development Security

A proactive security approach in development, with code review, penetration testing, and continuous developer training.

  • Secure Coding Practices

    Cypht is built with a foundational focus on security. All user input is strictly validated and sanitized, and robust access control governs every request. Internally, it employs safe array access and output encoding to neutralize threats.

  • Secure Architecture

    The module design enforces separation of input processing from output formatting, with concise methods for easier debugging and auditing. PHP super-globals are never accessed directly.

  • Input Validation

    Only whitelisted, typed and sanitized input is allowed; modules must pre-define their input parameters to prevent injection attacks.

  • Comprehensive Testing

    ~98% unit test coverage with PHPUnit for the framework and core modules. UI tests using Selenium with Python bindings ensure interface reliability.

  • Continuous Integration

    An automated CI/CD pipeline with Travis CI runs UI tests, unit tests, and static code analysis on every commit.
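The "Secure Architecture" and "Input Validation" items above describe modules that declare their allowed, typed parameters up front and never read super-globals directly. The block below is an added illustration of that pattern in PHP and is not Cypht's module API: the spec format (MODULE_INPUT_SPEC), the function names (filter_module_input, h) and the sample request are assumptions constructed for this example.

```php
<?php
declare(strict_types=1);

// Added example (not Cypht's code): whitelist-and-type input filtering for a
// module, plus output encoding. Spec format and function names are assumptions.

// The only parameters this module accepts, each with its expected type.
const MODULE_INPUT_SPEC = [
    'mailbox'  => 'string',
    'page'     => 'int',
    'show_all' => 'bool',
];

// Filter a raw request array against the spec: undeclared keys are discarded
// and values of the wrong type are rejected, so the module only sees typed data.
function filter_module_input(array $raw, array $spec): array
{
    $clean = [];
    foreach ($spec as $name => $type) {
        if (!array_key_exists($name, $raw) || !is_scalar($raw[$name])) {
            continue;             // missing, or a nested structure: ignore
        }
        $value = $raw[$name];
        switch ($type) {
            case 'int':
                $v = filter_var($value, FILTER_VALIDATE_INT);
                if ($v !== false) {
                    $clean[$name] = $v;
                }
                break;
            case 'bool':
                $v = filter_var($value, FILTER_VALIDATE_BOOLEAN, FILTER_NULL_ON_FAILURE);
                if ($v !== null) {
                    $clean[$name] = $v;
                }
                break;
            case 'string':
                // Reject control characters; the module applies any stricter
                // format rule (for example a mailbox-name grammar) itself.
                if (is_string($value) && preg_match('/[\x00-\x1F\x7F]/', $value) === 0) {
                    $clean[$name] = $value;
                }
                break;
        }
    }
    return $clean;
}

// Output encoding on the way out: input is never echoed raw.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Constructed sample request. The framework hands the module a copy of the
// request data rather than letting it read $_GET or $_POST itself.
$request = [
    'mailbox'  => 'INBOX',
    'page'     => '2',
    'show_all' => 'yes',
    'evil'     => '<script>alert(1)</script>', // not declared: dropped
    'other'    => ['nested'],                  // not declared: dropped
    'page2'    => "abc\n",                     // not declared: dropped
];
$input = filter_module_input($request, MODULE_INPUT_SPEC);
if ($input !== ['mailbox' => 'INBOX', 'page' => 2, 'show_all' => true]) {
    throw new RuntimeException('input filter behaves unexpectedly');
}
echo h($input['mailbox']), "\n";
```

Keeping the allowed parameter list in the module rather than in a global filter means a reviewer can see, per module, exactly which inputs can reach its code; the typed result ('page' arrives as an int, 'show_all' as a bool) removes a class of string-juggling bugs, and h() on the output side is the second half of the input/output separation the architecture item describes.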