ContactVault ALPHA v.1.0

Security at ContactVault

Architecture at a glance

High‑level flow of data through the ContactVault backend.

  • Client (Applicant): TLS • CSP‑hardened UI
  • ContactVault API: AuthZ • PoW • Rate limits
  • Email Relay: Anonymized sender
  • Encrypted Message Store: XChaCha20‑Poly1305 • HKDF
  • Signed Links: HMAC • TTL • Replay block
  • Ratings Endpoint: One‑use tokens
  • Employer

Modern encryption end to end

All sensitive payloads are sealed using an authenticated cipher (XChaCha20‑Poly1305) and keys derived with HKDF‑SHA256. Each record receives its own random salt and nonce, giving strong confidentiality and integrity.

  • Per‑message keys and nonces to prevent reuse.
  • Constant‑time comparisons to resist timing leaks.

Anonymity by design

Employers never see a sender’s personal email by default. Messages are relayed via an anonymized address so applicants control when and if they reveal their identity.

  • One‑click employer feedback through secure rating links.
  • Replay protection so each rating can be used only once.

Signed links with short lifetimes

Magic links and admin actions are protected with HMAC signatures, embedded nonces and explicit expiration. Tokens are verified on every use and marked as consumed to prevent reuse.
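As an added illustration (not ContactVault's own code), here is a minimal Python version of the signed‑link scheme described above: an HMAC‑SHA256 signature over purpose, subject, nonce and expiry, verified with a constant‑time comparison, after which the nonce is marked as consumed so the link cannot be replayed. The key, the token layout and the in‑memory consumed set are assumptions made for the example.

```python
import base64
import hashlib
import hmac
import secrets
import time
from typing import Optional, Tuple

# Assumed server-side key; a real deployment loads it from a secrets manager.
SECRET_KEY = secrets.token_bytes(32)

# Hypothetical in-memory replay store: nonces that have already been redeemed.
_consumed = set()


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _sign(payload: bytes) -> str:
    return _b64(hmac.new(SECRET_KEY, payload, hashlib.sha256).digest())


def issue_link(purpose: str, subject: str, ttl_seconds: int, now: Optional[float] = None) -> str:
    """Return a token 'purpose.subject_b64.nonce.expiry.sig' with an embedded nonce and TTL."""
    now = time.time() if now is None else now
    nonce = _b64(secrets.token_bytes(16))          # fresh per link, used for replay blocking
    expiry = str(int(now) + ttl_seconds)           # explicit expiration, in Unix seconds
    payload = ".".join([purpose, _b64(subject.encode()), nonce, expiry])
    return payload + "." + _sign(payload.encode())


def redeem_link(token: str, expected_purpose: str, now: Optional[float] = None) -> Tuple[bool, str]:
    """Verify signature, purpose and TTL, then consume the nonce. Returns (ok, subject-or-reason)."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 5:
        return False, "malformed"
    purpose, subject_b64, nonce, expiry, sig = parts
    payload = ".".join(parts[:4]).encode()
    # Constant-time comparison so a forged signature leaks no timing information.
    if not hmac.compare_digest(_sign(payload), sig):
        return False, "bad-signature"
    if purpose != expected_purpose:
        return False, "wrong-purpose"
    if not expiry.isdigit() or now > int(expiry):
        return False, "expired"
    if nonce in _consumed:                          # every check passes, so the nonce is burned last
        return False, "replayed"
    _consumed.add(nonce)
    subject = base64.urlsafe_b64decode(subject_b64 + "=" * (-len(subject_b64) % 4)).decode()
    return True, subject
```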

Abuse‑resistant by default

The API enforces burst limits, daily quotas and optional proof‑of‑work to slow down automated abuse without penalizing normal users.

  • Per‑IP throttling for hot paths.
  • Configurable proof‑of‑work gate for public forms.

Minimal retention, clear lifecycle

Operational data is stored only as long as needed to deliver messages and feedback. Retention jobs clean up automatically so old data doesn’t linger.

Hardened web surface

Strict defaults are shipped for common web risks.

  • Content Security Policy and frame protections.
  • HSTS and secure cookies where applicable.
  • Server‑side input validation and templating with auto‑escaping.

Operational safeguards

Detailed audit logging, health checks and alert thresholds help us detect anomalies fast. Outbound email is validated and sensitive fields are redacted in logs.

Responsible disclosure

If you believe you’ve found a security issue, please use our responsible disclosure channel. We review reports quickly and appreciate coordinated fixes.

What’s next

  • Session hardening with rotating, signed tokens.
  • Moving counters to a transactional store for even stronger DoS resistance.
  • Expanded security tests that continuously exercise rate limits and link flows.

These are incremental upgrades on top of a secure foundation already in place.