Status: Public Beta v0.1 · Security · Privacy-first · No blockchain
Security
Threat model, headers, rate limits, logging, and operational security for a hash-only, public-verify protocol.
Security & performance verification
- SecurityHeaders: A+ — view report
- PageSpeed (mobile): Perf 100 · A11y 100 · BP 96 · SEO 100 — view report
HTTP headers enforced: HSTS, CSP, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy.
Threat model
| Threat | Vector | Mitigation |
|---|---|---|
| Content exfiltration | Uploads | No file uploads. Hash-only API. |
| API abuse | Bots, floods | Per-IP and per-token limits. Idempotency on same hash. |
| Key compromise | Secrets leak | Scoped tokens, rotation, kid versioning, least privilege. |
| Clock drift | NTP skew | UTC timestamps. Tolerance in verify. Multi-source time. |
| Integrity | Tampering | HMAC-SHA256/Ed25519 signatures. Public verification URL. |
Headers & CSP
Content-Security-Policy:
default-src 'self' https://api.timeproofs.io https://timeproofs-api.jeason-bacoul.workers.dev;
worker-src 'self' blob:;
img-src 'self' data: https:;
style-src 'self' 'unsafe-inline';
script-src 'self' 'nonce-TP-2025' https://plausible.io https://static.cloudflareinsights.com;
connect-src 'self' https://api.timeproofs.io https://timeproofs-api.jeason-bacoul.workers.dev https://plausible.io;
font-src 'self' https: data:;
object-src 'none'; base-uri 'self'; form-action 'self'; frame-ancestors 'none';
upgrade-insecure-requests
- Strict referrer: strict-origin-when-cross-origin.
- HSTS via platform. DNSSEC recommended.
Rate limits
- GET /api/verify: 60 rpm/IP.
- POST /api/verify: 60 rpm/IP.
- POST /api/timestamp: 30 rpm/token. Idempotent for same hash.
Key policy
- Signing algorithms: HMAC-SHA256 now, Ed25519 planned with public JWKS.
- Key rotation with kid. Short-lived server tokens. Separate env keys.
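// Node.js verify (HMAC)
import crypto from "node:crypto";
function verify({hash, ts, sig}, secret){
  // Recompute HMAC-SHA256 over "hash|ts" with the shared secret.
  const msg = `${hash}|${ts}`;
  const expect = crypto.createHmac("sha256", secret).update(msg).digest();
  // timingSafeEqual throws when lengths differ, and Buffer.from(..., 'hex')
  // silently truncates at the first non-hex character, so reject malformed input first.
  if (typeof sig !== "string" || !/^[0-9a-f]{64}$/i.test(sig)) return false;
  return crypto.timingSafeEqual(expect, Buffer.from(sig, "hex"));
}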
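The threat model's "Tolerance in verify" and the key policy's rotation with kid can be combined with the HMAC check above. The following is an added example, not TimeProofs code: the key ring, the `kid` proof field, the error strings, the 120-second tolerance, ISO 8601 timestamps and SHA-256 hex hashes are all assumptions.

```javascript
// Added example, not TimeProofs code. Names, key values and limits are assumptions.
const crypto = require("node:crypto");

// Hypothetical key ring: kid -> HMAC secret (constructed values).
// Retired keys stay listed so proofs issued before a rotation still verify.
const KEYS = new Map([
  ["k1", "constructed-secret-before-rotation"],
  ["k2", "constructed-secret-after-rotation"],
]);
const FUTURE_TOLERANCE_MS = 120_000; // assumed clock-skew allowance
const HEX64 = /^[0-9a-f]{64}$/i;     // SHA-256 digest or HMAC-SHA256 tag in hex

// Same message layout as the page's verify(): `${hash}|${ts}`.
function mac(secret, hash, ts) {
  return crypto.createHmac("sha256", secret).update(`${hash}|${ts}`).digest();
}

// Issuer side, used here only to build sample proofs.
function signProof(hash, ts, kid) {
  return { hash, ts, kid, sig: mac(KEYS.get(kid), hash, ts).toString("hex") };
}

// Returns the page's error shape: { ok: false, error } or { ok: true, kid }.
function verifyProof({ hash, ts, kid, sig }, now = Date.now()) {
  // Strict formats first: a hash that could contain "|" would make the
  // signed message ambiguous, and timingSafeEqual throws on length mismatch.
  if (typeof hash !== "string" || !HEX64.test(hash)) return { ok: false, error: "bad_hash" };
  if (typeof sig !== "string" || !HEX64.test(sig)) return { ok: false, error: "bad_signature_format" };
  const secret = KEYS.get(kid);
  if (secret === undefined) return { ok: false, error: "unknown_kid" };
  const sigBuf = Buffer.from(sig, "hex");
  if (!crypto.timingSafeEqual(mac(secret, hash, ts), sigBuf)) {
    return { ok: false, error: "bad_signature" };
  }
  // Only authenticated timestamps are parsed. Old proofs are expected;
  // a proof dated ahead of the verifier's clock beyond the tolerance is not.
  const t = Date.parse(ts);
  if (Number.isNaN(t)) return { ok: false, error: "bad_timestamp" };
  if (t - now > FUTURE_TOLERANCE_MS) return { ok: false, error: "timestamp_in_future" };
  return { ok: true, kid };
}
```

A proof signed under `k1` keeps verifying after `k2` becomes the signing key, because the verifier selects the secret by `kid` instead of trying the current key only.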
Logging & retention
- No original content stored. Only hashes and minimal proof fields.
- Access logs minimized. Retention controlled. Backups tested.
- security.txt and coordinated disclosure policy available.
Vulnerability disclosure
Report via /.well-known/security.txt. Provide steps and impact. We follow responsible timelines.
Dependencies & SBOM
- Automated dependency audit (Dependabot or equivalent).
- SBOM available per release. Review before tag.
Source: GitHub v0.1
Status & errors
- /api/ping → HTTP 200 when healthy.
- Errors: {"ok":false,"error":"…"} with 4xx/5xx.
Audits & validation
| Audit | Scope | Result | Link |
|---|---|---|---|
| Google PageSpeed | Mobile | Perf 100 · A11y 100 · BP 96 · SEO 100 | view |
| SecurityHeaders | HTTP headers | A+ | view |
| SSL Labs | TLS/HTTPS | A+ | view |
| Rich Results / JSON-LD | Schema | Valid | view |
| Mobile-Friendly Test | UX mobile | Compliant | view |
- Release manifest: /releases/v0.1.json
- GitHub v0.1: timeproofs
This page is verified by TimeProofs
Timestamp created via TimeProofs API (public, privacy-first, no blockchain).