Security Overview

FBI.tools is built with a security-first approach, implementing industry-standard protections to ensure the safety of user data and the integrity of the platform.

🛡️ XSS Mitigation

  • Context-Aware Escaping
    All user content is automatically escaped before rendering.
  • Content Security Policy
    Strict headers prevent MIME-sniffing and unauthorized script execution.
  • Safe Raw Views
    Raw content served as text/plain with nosniff headers.

🔒 SQL Injection Prevention

  • ORM Abstraction
    All queries are parameterized via Django ORM.
  • No Raw SQL
    Zero use of raw SQL queries in the codebase.

🚫 RCE Prevention

  • Extension Whitelisting
    Dangerous extensions (.php, .exe, .sh) are strictly blocked.
  • Forced Downloads
    Files served with Content-Disposition: attachment.
  • Non-Executable Storage
    Files stored safely and served via application logic.

🌐 Network Security

  • HTTPS Enforcement
    HSTS enabled with secure cookies.
  • Host Validation
    Strict Host header validation against whitelist.
  • CSRF Protection
    Token verification for all state-changing requests.
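
The rules named above under Safe Raw Views, RCE Prevention and Host Validation, sketched in framework-free Python as an added example (this is not FBI.tools' own code, which the overview does not show): an extension allowlist with a fixed MIME map, forced downloads with nosniff, and exact Host matching. The `ALLOWED_TYPES` map, the function names and the sample hosts are assumptions made for the illustration.

```python
import posixpath
import re
from typing import Optional

# Constructed allowlist: the server picks the MIME type from the extension,
# never from the client, so a disguised upload cannot name its own type.
ALLOWED_TYPES = {
    ".txt": "text/plain; charset=utf-8",
    ".png": "image/png",
    ".jpg": "image/jpeg",
    ".pdf": "application/pdf",
    ".zip": "application/zip",
}
SAFE_NAME = re.compile(r"[^A-Za-z0-9._-]")


def download_headers(filename: str) -> Optional[dict]:
    """Headers for serving an upload as a forced download, or None when the
    final extension is not allowlisted (.php, .exe, .sh and anything unknown).
    Path components are dropped and the name is reduced to safe characters."""
    name = posixpath.basename(filename.replace("\\", "/"))
    ext = posixpath.splitext(name)[1].lower()
    if not name or ext not in ALLOWED_TYPES:
        return None
    safe = SAFE_NAME.sub("_", name)
    return {
        "Content-Type": ALLOWED_TYPES[ext],
        "Content-Disposition": f'attachment; filename="{safe}"',
        "X-Content-Type-Options": "nosniff",
    }


def raw_paste_headers() -> dict:
    """Raw paste view: text/plain plus nosniff stops browsers treating the
    body as HTML; the CSP denies scripts even if a viewer ignored the type."""
    return {
        "Content-Type": "text/plain; charset=utf-8",
        "X-Content-Type-Options": "nosniff",
        "Content-Security-Policy": "default-src 'none'",
    }


def host_allowed(host_header: str, allowed_hosts: set) -> bool:
    """Strict Host validation: strip the port, lowercase, exact match only."""
    host = host_header.strip().lower()
    if host.startswith("["):                  # IPv6 literal such as [::1]:8000
        host = host.split("]")[0] + "]"
    else:
        host = host.split(":")[0]
    return host in allowed_hosts
```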

Data Privacy & Integrity

File Privacy

Uploaded files are stored in deep, randomized directory structures, making enumeration impossible. Private pastes are protected by strict access controls.