Security at fShare

🔐 Transfer Security

WebRTC DTLS-SRTP Encryption

fShare uses WebRTC DataChannels for all file transfers. The WebRTC specification mandates DTLS (Datagram Transport Layer Security) encryption — it cannot be disabled and is enforced at the browser level before any data is sent.

DTLS is based on the same TLS standard that secures HTTPS. Each transfer session generates fresh cryptographic keys; no key material persists after the session ends.

Peer-to-Peer Architecture

The architecture is inherently secure because there is no central point through which file data passes:

• Signaling phase: Our server exchanges connection metadata (SDP/ICE candidates) between browsers. This metadata contains no file content — only network routing information.
• Transfer phase: Once peers are connected, data flows directly browser-to-browser through an encrypted DataChannel. Our infrastructure is not in the data path.
• Session end: When either party closes their tab, the beam code is destroyed server-side and the WebRTC connection terminates. There is no way to resume or replay the session.

6-Digit Beam Code Security

The beam code is a session identifier, not an encryption key. The security model is:

• Codes use an alphanumeric character set avoiding ambiguous characters (0/O, 1/I/l)
• Each code maps to a unique WebRTC peer ID — no two simultaneous sessions can share a code
• Codes are valid for the lifetime of the sender's browser tab only
• If you suspect your code was intercepted before your recipient used it, simply close the tab and generate a new one

🔑 Account Security

Password Storage

Passwords are hashed using bcrypt with a cost factor calibrated to current hardware before storage. We store only the hash — even in the event of a database breach, your plaintext password cannot be recovered.

Session Management

• Sessions are represented by secure, cryptographically random tokens
• Session cookies are set with HttpOnly (prevents JavaScript access) and Secure (HTTPS-only) flags
• Sessions expire after 30 days of inactivity
• Signing out immediately invalidates the server-side session

Login Security

• Failed login attempts are rate-limited to prevent brute-force attacks
• All sign-in events are logged with IP address and timestamp for your security audit trail
• Password reset uses email-based token verification with short-lived, single-use tokens

Transport Security

All communication between your browser and fShare's servers uses HTTPS/TLS. HTTP connections are automatically redirected to HTTPS. We use modern TLS configurations with strong cipher suites.

📡 Infrastructure Security

• HTTPS everywhere — TLS with strong cipher suites; HSTS enforced
• SQL injection protection — all database queries use parameterized statements
• XSS prevention — output escaping applied to all user-generated content
• CSRF protection — session-based validation on state-changing API endpoints
• Content Security Policy — restricts which scripts and resources the browser may load
• Input validation — all user input is validated and sanitized server-side
• Minimal data exposure — since files are never stored, there is no file data to leak

📊 System Status