This document provides an overview of the security architecture. For detailed information, see the specific documentation:

• Encryption & Zero-Knowledge Architecture - How data is encrypted client-side and why the backend cannot decrypt secrets
• IP Whitelist & Rate Limiting - Access control, rate limiting, and trusted proxy configuration
• Container Image Security - Vulnerability scanning results and security scanning procedures

All encryption happens in the browser, ensuring maximum privacy:

• All encryption happens in the browser
• Backend stores only encrypted data
• Encryption keys never transmitted to server
• Backend operators cannot read secrets

Read more →

Multi-layered protection against abuse:

• Rate limiting (enabled by default)
• IP whitelist support
• Per-IP custom limits
• Trusted proxy validation

Read more →

Regularly scanned images with zero vulnerabilities:

• Regular vulnerability scanning with Trivy
• Alpine-based minimal images
• Zero known vulnerabilities

Read more →

Secrets are encrypted in your browser before transmission. The server cannot decrypt your data. Share the generated URL securely.

Key points:

• Your secret is encrypted before leaving your browser
• The server never sees unencrypted data
• Share Secret URLs only through secure channels
• Secrets expire automatically (max 7 days)

1. Review encryption architecture to understand zero-knowledge model
2. Configure rate limiting and IP whitelist if needed
3. Monitor container security scan results

Configuration files:

• Main config: pw.yml
• Environment variables: See individual security docs

If you discover a security vulnerability, please report it to the project maintainers. Do not create public GitHub issues for security vulnerabilities.