SECURITY_

Full-Stack Protection // Server to Browser

Security in DΛREΛKT_ is not a feature — it is the architecture. From the server infrastructure to the browser runtime, every layer is hardened, monitored, and auditable. No add-ons, no premium tiers, no exceptions.

Your site is protected by the same security stack we use ourselves — because we host on the same infrastructure.

Server Infrastructure

Dedicated, hardened infrastructure — not shared hosting. Every request is analysed, every threat is scored.

FIREWALL_

Real-Time Threat Detection

  • Every HTTP request analysed for attack patterns in real time
  • SQL injection, XSS, command injection, path traversal detection
  • Scanner and bot fingerprinting (Nikto, sqlmap, WPScan, and more)
  • Unknown host probing detected and flagged
  • Automatic threat scoring — IPs accumulate risk points over time
  • Score decay ensures stale threats don't dominate forever

Detection runs on every request — fire-and-forget, zero added latency

BLOCKING_

Automatic Response

  • CrowdSec community threat intelligence — shared blocklists from thousands of servers
  • Fail2Ban monitoring across SSH, nginx, and application layers
  • UFW firewall rules applied automatically on threshold breach
  • Configurable auto-block on critical events (instant) or score accumulation (gradual)
  • IP whitelisting to prevent accidental lockouts
  • Manual block/unblock via admin dashboard

Three independent systems working together — CrowdSec, Fail2Ban, UFW
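As an added illustration of the scoring and blocking behaviour described above (this is example code written for this page, not DΛREΛKT_'s own implementation), the following Node.js module keeps a per-IP risk score that decays over time, blocks instantly on events it treats as critical, blocks gradually once the accumulated score crosses a threshold, and honours a whitelist. The event weights, the set of critical events, the 100-point threshold and the one-hour half-life are all assumptions; the real values are not on the page.

```javascript
// Added example (not DΛREΛKT_'s code): per-IP threat scoring with decay,
// instant block on critical events, gradual block on accumulated score,
// and a whitelist. Weights, thresholds and half-life are assumptions.
const EVENT_WEIGHTS = {              // assumed risk points per detected pattern
  sqli: 40, xss: 30, cmdi: 40, traversal: 25, scanner: 20, unknown_host: 10,
};
const CRITICAL_EVENTS = new Set(['sqli', 'cmdi']); // assumed: these block instantly
const BLOCK_THRESHOLD = 100;                        // assumed: gradual block level
const HALF_LIFE_MS = 60 * 60 * 1000;                // assumed: score halves every hour

class ThreatScorer {
  // `now` is injectable so decay can be exercised without waiting an hour.
  constructor({ whitelist = [], now = () => Date.now() } = {}) {
    this.whitelist = new Set(whitelist);
    this.now = now;
    this.state = new Map(); // ip -> { score, updatedAt, blocked, reason }
  }

  // Exponential decay: stale history fades instead of dominating forever.
  decayed(entry, t) {
    const age = Math.max(0, t - entry.updatedAt);
    return entry.score * Math.pow(0.5, age / HALF_LIFE_MS);
  }

  currentScore(ip) {
    const e = this.state.get(ip);
    return e ? this.decayed(e, this.now()) : 0;
  }

  isBlocked(ip) {
    const e = this.state.get(ip);
    return Boolean(e && e.blocked);
  }

  // Record one detected event for an IP and decide what to do about it.
  // This is the fire-and-forget step: it mutates state and returns the decision.
  record(ip, event) {
    if (this.whitelist.has(ip)) return { action: 'whitelisted', score: 0 };
    if (!(event in EVENT_WEIGHTS)) throw new Error(`unknown event type: ${event}`);
    const t = this.now();
    const prev = this.state.get(ip) || { score: 0, updatedAt: t, blocked: false, reason: null };
    const entry = {
      score: this.decayed(prev, t) + EVENT_WEIGHTS[event],
      updatedAt: t,
      blocked: prev.blocked,
      reason: prev.reason,
    };
    this.state.set(ip, entry);
    if (entry.blocked) return { action: 'already-blocked', score: entry.score };
    if (CRITICAL_EVENTS.has(event)) {
      entry.blocked = true;
      entry.reason = `critical:${event}`;
      return { action: 'block-instant', score: entry.score };
    }
    if (entry.score >= BLOCK_THRESHOLD) {
      entry.blocked = true;
      entry.reason = 'score-threshold';
      return { action: 'block-threshold', score: entry.score };
    }
    return { action: 'flag', score: entry.score };
  }

  // Manual unblock from the dashboard lifts the block but keeps the score history.
  unblock(ip) {
    const e = this.state.get(ip);
    if (e) { e.blocked = false; e.reason = null; }
  }
}
```

The `record()` return value is what a caller would hand to the firewall layer (for example to add a UFW rule or a Fail2Ban ban); the scorer itself only decides. Decay is applied lazily on read and write, so an IP that probed once a day ago contributes half its original points rather than staying at full weight.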

RATE LIMITING_

Brute Force Protection

  • API endpoints rate-limited to prevent abuse
  • Authentication endpoints have stricter limits — 20 attempts per 15 minutes
  • Per-IP tracking with automatic cooldown
  • Geo-blocking — country-level access control (block or flag mode)
  • Configurable thresholds per endpoint type

Every login attempt, every API call — metered and controlled
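The following is an added example (not DΛREΛKT_'s code) of a per-IP sliding-window rate limiter in the shape the section describes: authentication endpoints get 20 attempts per 15 minutes, and once the limit is hit the IP enters a cooldown before it is metered afresh. Only the auth limit comes from the page; the API limit, the cooldown length and the endpoint-type names are assumptions.

```javascript
// Added example (not DΛREΛKT_'s code): per-IP sliding-window rate limiting
// with a cooldown once the limit is reached.
const LIMITS = {
  // 20 attempts per 15 minutes is from the page; the cooldown length is assumed.
  auth: { max: 20, windowMs: 15 * 60 * 1000, cooldownMs: 15 * 60 * 1000 },
  // Assumed limit for general API endpoints.
  api: { max: 300, windowMs: 60 * 1000, cooldownMs: 60 * 1000 },
};

class RateLimiter {
  // `now` is injectable so the window and cooldown can be tested deterministically.
  constructor({ now = () => Date.now() } = {}) {
    this.now = now;
    this.hits = new Map();      // "type:ip" -> timestamps of accepted requests in the window
    this.cooldowns = new Map(); // "type:ip" -> time until which requests are refused
  }

  // Decide whether one request from `ip` to an endpoint of `type` may proceed.
  // Returns { allowed, remaining, retryAfterMs }; retryAfterMs is suitable for
  // a Retry-After header on a 429 response.
  check(type, ip) {
    const limit = LIMITS[type];
    if (!limit) throw new Error(`unknown endpoint type: ${type}`);
    const key = `${type}:${ip}`;
    const t = this.now();

    const until = this.cooldowns.get(key);
    if (until !== undefined) {
      if (t < until) return { allowed: false, remaining: 0, retryAfterMs: until - t };
      // Cooldown over: the IP starts a fresh window.
      this.cooldowns.delete(key);
      this.hits.delete(key);
    }

    // Keep only the timestamps still inside the sliding window.
    const recent = (this.hits.get(key) || []).filter((ts) => t - ts < limit.windowMs);
    if (recent.length >= limit.max) {
      this.cooldowns.set(key, t + limit.cooldownMs);
      this.hits.set(key, recent);
      return { allowed: false, remaining: 0, retryAfterMs: limit.cooldownMs };
    }
    recent.push(t);
    this.hits.set(key, recent);
    return { allowed: true, remaining: limit.max - recent.length, retryAfterMs: 0 };
  }
}

// Express-style middleware factory (assumed framework shape) wiring the limiter
// to a 429 response.
function rateLimitMiddleware(limiter, type) {
  return (req, res, next) => {
    const verdict = limiter.check(type, req.ip);
    if (verdict.allowed) return next();
    res.setHeader('Retry-After', Math.ceil(verdict.retryAfterMs / 1000));
    res.status(429).end();
  };
}
```

A sliding window rather than a fixed calendar window means an attacker cannot double their budget by straddling a boundary, and the separate cooldown map means a burst that hits the cap is refused for the full cooldown even though older timestamps are meanwhile falling out of the window.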

INTEGRITY_

File System Monitoring

  • SHA-256 hash baselines for all critical server files
  • Automated integrity checks every 5 minutes
  • Instant alerts on any file modification, addition, or deletion
  • Covers server config (nginx, SSH, PM2), application code, and dependencies
  • Baseline reset after verified intentional changes

If a file changes and it was not you — you will know within minutes

Monitoring & Alerts

24/7 automated monitoring — you get notified before your users notice anything.

UPTIME_

3-Minute Health Checks

  • Every hosted site checked every 3 minutes
  • HTTP status code and response latency tracked
  • Instant notification on DOWN transition
  • Recovery notification with total downtime duration
  • Consecutive failure threshold prevents false alarms

If your site goes down at 3am, you know by 3:03am
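The following is an added example (not DΛREΛKT_'s code) of the uptime state machine described above: each check result is fed in, a site only transitions to DOWN after a number of consecutive failures, the DOWN event carries the time of the first failure, and the UP event carries the total downtime. The 3-minute interval is from the page; the threshold of two consecutive failures, the definition of a healthy status, and the downtime being measured from the first failed check are assumptions.

```javascript
// Added example (not DΛREΛKT_'s code): uptime monitoring with a consecutive-
// failure threshold and DOWN/UP transition events.
const CHECK_INTERVAL_MS = 3 * 60 * 1000; // from the page: every 3 minutes
const FAILURE_THRESHOLD = 2;             // assumed: failures in a row before DOWN

// A check passes when a response arrived with a 2xx/3xx status (assumed).
function isHealthy(result) {
  return result.error === undefined && result.status >= 200 && result.status < 400;
}

class UptimeMonitor {
  constructor({ failureThreshold = FAILURE_THRESHOLD, now = () => Date.now() } = {}) {
    this.threshold = failureThreshold;
    this.now = now;
    this.sites = new Map(); // url -> per-site state
  }

  // Feed one check result { status, latencyMs } or { error }.
  // Returns a transition event ({ type: 'DOWN' | 'UP', ... }) or null.
  record(url, result) {
    const t = this.now();
    let s = this.sites.get(url);
    if (!s) {
      s = { up: true, consecutiveFailures: 0, firstFailureAt: null, checks: 0, failures: 0 };
      this.sites.set(url, s);
    }
    s.checks += 1;

    if (isHealthy(result)) {
      s.consecutiveFailures = 0;
      if (s.up) { s.firstFailureAt = null; return null; } // a blip below threshold: no alarm
      s.up = true;
      const downtimeMs = t - s.firstFailureAt;           // measured from the first failed check
      s.firstFailureAt = null;
      return { type: 'UP', url, at: t, downtimeMs, status: result.status, latencyMs: result.latencyMs };
    }

    s.failures += 1;
    s.consecutiveFailures += 1;
    if (s.consecutiveFailures === 1) s.firstFailureAt = t;
    if (s.up && s.consecutiveFailures >= this.threshold) {
      s.up = false;
      return { type: 'DOWN', url, at: t, since: s.firstFailureAt, status: result.status, error: result.error };
    }
    return null; // already down, or not yet enough failures to alarm
  }

  // Availability percentage over all recorded checks (feeds the score dashboard).
  availability(url) {
    const s = this.sites.get(url);
    return s && s.checks ? (100 * (s.checks - s.failures)) / s.checks : 100;
  }
}

// A real probe for the scheduler to call (assumed shape; not exercised here):
// HTTP status and latency, with a timeout reported as an error.
async function probe(url, timeoutMs = 10000) {
  const started = Date.now();
  try {
    const res = await fetch(url, { method: 'GET', redirect: 'manual', signal: AbortSignal.timeout(timeoutMs) });
    return { status: res.status, latencyMs: Date.now() - started };
  } catch (err) {
    return { error: String(err), latencyMs: Date.now() - started };
  }
}
```

With a threshold of two and a 3-minute interval, a single failed probe (a transient timeout, a deploy restart) never pages anyone, but a real outage is announced on the second consecutive failure, which is the second check after it began.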

SSL_

Certificate Lifecycle Management

  • All SSL certificates monitored twice daily
  • 14-day and 7-day expiry alerts via webhook
  • Protocol version and cipher suite validation
  • HSTS header verification
  • Automatic renewal via Let's Encrypt

No expired certificates, no browser warnings, no lost trust

ALERTS_

Real-Time Notifications

  • Discord and Slack webhook integration
  • Categorised alerts: critical events, auto-blocks, brute force, integrity violations
  • Uptime transition alerts (DOWN/UP) with timestamps
  • SSL expiry warnings with days remaining
  • Daily security digest option
  • Configurable cooldown to prevent alert fatigue

Monitor your infrastructure from your phone — no dashboard required

SCORE_

Security Grade Dashboard

  • 100-point security score across 7 categories
  • Grades from A+ to F — like a security credit score
  • SSH hardening (25 pts): key auth, root login, max auth tries
  • SSL posture (20 pts): protocol, HSTS, certificate validity
  • Dependencies (15 pts): npm vulnerability audit
  • File integrity (10 pts): baseline compliance
  • Protection (15 pts): firewall, CrowdSec, Fail2Ban status
  • Uptime (10 pts): availability percentage
  • Rate limiting (5 pts): API and auth protection

One number that tells you exactly where you stand

Authentication & Access

Multi-layered authentication with modern standards — no shortcuts.

TWO-FACTOR_

TOTP Authentication

  • Google Authenticator compatible (any TOTP app)
  • QR code setup directly from the admin dashboard
  • 10 single-use backup codes generated on activation
  • Backup codes are SHA-256 hashed — never stored in plaintext
  • Short-lived 2FA tokens (5-minute expiry) during login flow
  • Password required to disable — no silent deactivation

Even if your password leaks, your account stays locked

SESSION_

JWT + Cookie Security

  • HTTP-only, secure, SameSite cookies — no JavaScript access
  • Site-scoped authentication — no cross-site session leaking
  • Configurable session duration with remember-me option
  • Automatic admin role assignment via verified email domains
  • Role-based access control at every API endpoint

Sessions are scoped, secured, and server-verified on every request

Runtime Security

17 hardening levels built into the browser runtime — every byte that enters or leaves is accounted for.

EVIDENCE CHAIN_

Immutable Audit Trail

  • Every significant runtime event produces a hash-chain entry
  • SHA-256 linked entries — each one references the previous
  • Server-signed checkpoints every 200 entries or 30 seconds
  • Evidence grades: EVIDENCE_GRADE, UNTRUSTED_EVIDENCE, BROKEN
  • A single tainted entry flags the entire chain
  • Cross-session verification via persistent run IDs

Cryptographic proof of what happened, when, and in what order

CAPABILITY TOKENS_

Operation-Scoped Authorization

  • Sensitive operations require single-use capability tokens
  • Tokens bound to { operation, moduleId, sessionId }
  • Time-expiring, closure-held — cannot be replayed or intercepted
  • Well-known operations: audit clear, vault reset, quarantine
  • Dual-gate verification — no blanket admin access

Every privileged action requires a fresh, scoped, single-use token

EGRESS GATE_

Outbound Request Control

  • All outbound requests (fetch, XHR, WebSocket) captured at boot
  • Policy-enforcing wrappers on every network call
  • Cross-origin scripts require Subresource Integrity (SRI)
  • Only SHA-256/384/512 integrity hashes accepted
  • IPv6 link-local, multicast, and mapped-v4 addresses blocked
  • Credential-bearing and protocol-relative URLs rejected

Nothing leaves the runtime without passing through the gate

CSP_

Content Security Policy — Zero Debt

  • Nonce-based style-src — zero unsafe-inline directives
  • Per-request cryptographic nonce generation
  • Trusted Types enforcement for DOM manipulation
  • 17 hardening levels (N0 through N17) — each independently verifiable
  • 84+ security checks passing
  • SPKI key pinning for signature verification

CSP debt: ZERO — every directive fully hardened

Security Is Not Optional

Every site hosted on DΛREΛKT_ gets the full security stack. No tiers, no add-ons, no compromises. From the server to the browser, from the firewall to the evidence chain — security is the architecture.

This is not a feature list. This is how we build.

Hardened infrastructure. Real-time threat detection. Cryptographic evidence chains. Two-factor authentication. 17 browser hardening levels. Zero CSP debt. Every site. Every plan. Always.