Status: Public Beta v0.2 · ProofSpec v0.1 · API v0.2 · Privacy-first · No blockchain

Security

Threat model, headers, rate limits, logging, and disclosure policy for proof-file verification (.tproof.json) — without uploading your content.

↑ Top

Last updated: 2025-12-30 · See also: Privacy · Legal

Security verification

Static site posture: no sessions, no accounts, no server-rendered pages.
No uploads: hashes are computed locally; you only send hashes to the API.
Bundle-first verification: verification is based on a proof file (.tproof.json), offline or via stateless verification.

This page documents controls; it is not a guarantee of security. Always verify a proof file using a trusted verifier and keep your device secure.

Threat model

Threat	Vector	Mitigation
Content exfiltration	Uploads	No file uploads; hashes computed locally; proof file contains no original content.
API abuse	Flooding	Rate limiting, strict validation, predictable 4xx/429 responses.
Proof forgery	Tampering	Signed proof file; verifiers reject modified fields/signatures.
Replay/spam	Automation	Abuse controls and operational monitoring.
Supply chain	Deps	Minimal dependencies; reviewed updates.

Headers & CSP

Content-Security-Policy:
  default-src 'self' https://api.timeproofs.io;
  worker-src 'self' blob:;
  img-src 'self' data: https:;
  style-src 'self' 'unsafe-inline';
  script-src 'self' 'nonce-TP-2025' https://plausible.io;
  connect-src 'self' https://api.timeproofs.io https://plausible.io;
  font-src 'self' https: data:;
  object-src 'none';
  base-uri 'self';
  form-action 'self';
  frame-ancestors 'none';
  upgrade-insecure-requests

Referrer policy: strict-origin-when-cross-origin.
Permissions-Policy: camera/microphone/geolocation disabled.
Service Worker: allowed via worker-src 'self' blob:.

Rate limits

Endpoints are rate-limited to mitigate floods and automated abuse.
Clients should handle HTTP 429 with backoff/retry.

Exact thresholds are operational controls and may change without notice.

Key policy

Environment separation: dev/staging/prod are isolated.
Rotation: keys can rotate without breaking the protocol (via kid).
Verifier safety: no client-side secrets required for verification.

The proof file contains the verification context (issuer, alg, kid) so independent tools can validate consistently.

Logging

No original content stored.
Minimal operational logs for reliability and abuse prevention.
Privacy details and principles are documented on Privacy.

Coordinated disclosure

Report vulnerabilities via /.well-known/security.txt. Include impact, reproduction steps, and affected URLs. Please avoid public disclosure before a fix is available.

For encrypted reports, use the PGP key listed in security.txt.

Dependencies

Prefer no/low dependencies; keep builds deterministic.
Review updates before publishing.

Source: GitHub (v0.2 branch)

Status & errors

Health endpoint returns HTTP 200 when healthy.
Clients should treat verification as read-only and safe to retry.
Error responses are designed to be predictable (4xx invalid input; 429 rate limits).

Operational checks

Area	Check	Notes
Browser	CSP + no framing + no mixed content	Frame-ancestors none; upgrade-insecure-requests.
Abuse	Rate limiting & validation	429 + backoff expected.
Secrets	No secrets in client	Signing stays server-side.
Privacy	Hash-only + proof-file model	No uploads; verification uses `.tproof.json`.
Disclosure	security.txt	Coordinated disclosure route.