Security Model
Veilo is built for shared hosting with a strict server boundary and browser-local transfer state.
Application Controls
CSP blocks inline scripts by default. The app uses same-origin JavaScript, no external runtime packages, no remote fonts, no analytics, no tracking pixels, no icon packs, and no favicon. WebTorrent is vendored locally and lazy-loaded.
Server Controls
State-changing endpoints require POST, CSRF tokens, same-origin checks, input validation, prepared statements, and rate limiting. The PHP backend does not perform server-side URL previews, magnet fetches, torrent metadata fetches, or remote node fetches.
Privacy-Preserving Logs
Audit events record client addresses as HMAC-SHA256 hashes of truncated IP ranges rather than as raw addresses. IPv4 is truncated to /24 and IPv6 to /48 before hashing. Raw full IP addresses are not stored by default. Audit retention defaults to 30 days.
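The truncate-then-HMAC scheme described above, written out as an added illustration in Python (not Veilo's PHP code): the key, the event record layout and the function names are assumptions, and the IPv4-mapped IPv6 handling is an edge case the docs do not mention but that a logger following this scheme needs.

```python
import hashlib
import hmac
import ipaddress

# Prefix lengths stated in the Veilo docs: IPv4 /24, IPv6 /48.
IPV4_PREFIX = 24
IPV6_PREFIX = 48
RETENTION_DAYS = 30  # documented default
DAY = 86400

# Constructed placeholder; a real deployment loads a random per-site secret from config.
AUDIT_HMAC_KEY = b"placeholder-audit-secret-replace-me"


def truncate_ip(ip: str) -> str:
    """Collapse an address to its /24 (IPv4) or /48 (IPv6) range, e.g. '203.0.113.0/24'."""
    addr = ipaddress.ip_address(ip)
    # IPv4-mapped IPv6 (::ffff:a.b.c.d) would otherwise land every IPv4 client in one
    # /48 bucket; unwrap it so it is truncated like plain IPv4.
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    prefix = IPV4_PREFIX if addr.version == 4 else IPV6_PREFIX
    return str(ipaddress.ip_network(f"{addr}/{prefix}", strict=False))


def hash_ip(ip: str, key: bytes = AUDIT_HMAC_KEY) -> str:
    """HMAC-SHA256 of the truncated range; without the key the value cannot be re-derived."""
    return hmac.new(key, truncate_ip(ip).encode("ascii"), hashlib.sha256).hexdigest()


def audit_event(action: str, ip: str, ts: int, key: bytes = AUDIT_HMAC_KEY) -> dict:
    """Build an audit record that holds only the keyed hash of the client's range, never the raw IP."""
    return {"ts": ts, "action": action, "client": hash_ip(ip, key)}


def prune(events: list, now: int, days: int = RETENTION_DAYS) -> list:
    """Return only the records still inside the retention window (default 30 days)."""
    cutoff = now - days * DAY
    return [e for e in events if e["ts"] >= cutoff]
```

Two clients in the same /24 produce the same hash, so the log still supports rate-limit and abuse correlation per range while an attacker who obtains the log file cannot recover or brute-force addresses without the key.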
Shared-Hosting Deployment
.htaccess disables directory listing, denies config.php and sensitive extensions, blocks direct access to logs and storage, and applies security headers and static cache headers.