Maximum Security for Your Communications
Protect your emails with advanced encryption and guaranteed privacy.
Browser Security
Complete browser-level protection with data encryption, tracking protection, and secure cookie management.
- Secure Cookie Management
By default, all cookies are session-level, HTTP-only, and have the secure flag, path, and domain values set (except one cookie used to pass user notices to the JavaScript).
- Request Protection
HTTP request header fingerprinting, CSRF token protection, and target/source origin mismatch blocking
- Security Headers
Security-related HTTP headers like X-XSS-Protection, X-Content-Type-Options, X-Frame-Options, and Content-Security-Policy
- Resource Integrity
Subresource Integrity for the 2 primary includes (site.js and site.css)
- Session Management
Configurable idle timeout module set that ends a session after a predetermined amount of time
- Two-Factor Authentication
Support for two-factor authentication with any TOTP-compatible authentication application
- Encrypted Communication
Optional AES-encrypted AJAX responses and local session storage cache
- Bot Protection
reCAPTCHA support for the login form
Server Security
Our server infrastructure is reinforced with leading security protocols to protect your data against unauthorized access
- Secure Connections
TLS/STARTTLS support for IMAP, LDAP, and SMTP connections. OAuth2 over IMAP/SMTP is supported (currently only Gmail and Outlook support this feature).
- Data Encryption
Session level data is encrypted with a long random string generated on login. Data is stored server side, and the key is stored in a session level secure cookie. Persistent data between logins is encrypted with a key derived from your password, which is never stored.
- Encryption Standards
All encryption is done with libsodium if available, otherwise with AES-256-CBC, encrypt-then-MAC, and PBKDF2 key derivation using OpenSSL (NOT Mcrypt).
- Server Hardening
PHP ini settings are tightened up at runtime for extra security, including open_basedir and session best practices. No writable files or directories are used inside the web-server document root.
- Authentication
Optional local DB-based authentication using a salt and PBKDF2 (or libsodium using Argon2 if available).
- Email Security
HTML-formatted email is filtered through HTMLPurifier with all external resources removed before rendering. Achieves a perfect score from the "Email Privacy Tester".
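An added example (not the project's own code) of the OpenSSL fallback named under Encryption Standards: AES-256-CBC with encrypt-then-MAC and PBKDF2 key derivation from a password, as described under Data Encryption. The function names, iteration count, digest choices, and blob layout are assumptions.

```php
<?php
// Added illustration, not the project's code. Names, KDF_ITERATIONS and the
// salt|iv|mac|ciphertext layout are assumptions made for this example.
const KDF_ITERATIONS = 100000;

function derive_keys(string $password, string $salt): array {
    // One PBKDF2 call yields 64 bytes, split into independent
    // encryption and MAC keys so neither key is reused for both jobs.
    $material = openssl_pbkdf2($password, $salt, 64, KDF_ITERATIONS, 'sha512');
    if ($material === false) { throw new RuntimeException('key derivation failed'); }
    return [substr($material, 0, 32), substr($material, 32, 32)];
}

function encrypt_blob(string $plaintext, string $password): string {
    $salt = random_bytes(16);
    $iv = random_bytes(16); // fresh IV for every message (CBC requirement)
    [$enc_key, $mac_key] = derive_keys($password, $salt);
    $ct = openssl_encrypt($plaintext, 'aes-256-cbc', $enc_key, OPENSSL_RAW_DATA, $iv);
    if ($ct === false) { throw new RuntimeException('encryption failed'); }
    // Encrypt-then-MAC: the tag covers salt, IV and ciphertext.
    $mac = hash_hmac('sha256', $salt . $iv . $ct, $mac_key, true);
    return base64_encode($salt . $iv . $mac . $ct);
}

function decrypt_blob(string $blob, string $password): ?string {
    $raw = base64_decode($blob, true);
    // 16 salt + 16 IV + 32 MAC + at least one 16-byte cipher block
    if ($raw === false || strlen($raw) < 80) { return null; }
    $salt = substr($raw, 0, 16);
    $iv = substr($raw, 16, 16);
    $mac = substr($raw, 32, 32);
    $ct = substr($raw, 64);
    [$enc_key, $mac_key] = derive_keys($password, $salt);
    $expected = hash_hmac('sha256', $salt . $iv . $ct, $mac_key, true);
    // Check the tag in constant time BEFORE decrypting, so modified
    // ciphertext never reaches the CBC padding check.
    if (!hash_equals($expected, $mac)) { return null; }
    $pt = openssl_decrypt($ct, 'aes-256-cbc', $enc_key, OPENSSL_RAW_DATA, $iv);
    return $pt === false ? null : $pt;
}

// Constructed sample data: round trip, then a one-bit change to the ciphertext.
$blob = encrypt_blob('constructed sample data', 'example password');
var_dump(decrypt_blob($blob, 'example password'));
$raw = base64_decode($blob);
$raw[70] = chr(ord($raw[70]) ^ 1); // byte 70 lies inside the ciphertext
var_dump(decrypt_blob(base64_encode($raw), 'example password'));
```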
Development Security
A proactive security approach in development, with code review, penetration testing, and continuous developer training.
- Secure Coding Practices
Easy output escaping inside modules for potentially dangerous content. Development is done with PHP's "E_ALL" and "E_STRICT" error reporting for maximum code quality.
- Secure Architecture
Module design enforces separation of input processing and output formatting, with concise methods for better debugging and auditing. No direct access to PHP super-globals.
- Input Validation
Only white-listed and typed/sanitized input is allowed. Modules must pre-define input parameters to prevent injection attacks.
- Comprehensive Testing
~98% unit test coverage with PHPUnit for the framework and core modules. UI tests using Selenium with Python bindings ensure interface reliability.
- Continuous Integration
Automated CI/CD pipeline with Travis CI for running UI tests, unit tests, and static code analysis on every commit.