Security

CloakProbe is built with security and privacy as core principles. This page documents the security features and our privacy philosophy.

Security Headers

Every response from CloakProbe includes comprehensive security headers:

Content-Security-Policy

Content-Security-Policy: default-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self'; script-src 'self' 'unsafe-inline'; connect-src 'self' https://cloudflare-dns.com; frame-ancestors 'none'; base-uri 'self'; form-action 'self'

default-src ‘self’: Only load resources from same origin
connect-src ‘self’ https://cloudflare-dns.com: Allows connections to Cloudflare DoH for reverse DNS lookup (client-side only)
frame-ancestors ‘none’: Prevents clickjacking (no iframes)
form-action ‘self’: Forms can only submit to same origin

Other Headers

Header	Value	Purpose
`Referrer-Policy`	`strict-origin-when-cross-origin`	Limits referrer information
`X-Frame-Options`	`DENY`	Prevents framing (clickjacking)
`Strict-Transport-Security`	`max-age=31536000; includeSubDomains`	Forces HTTPS
`X-Content-Type-Options`	`nosniff`	Prevents MIME sniffing
`Permissions-Policy`	(restrictive)	Disables browser features

Permissions-Policy

Permissions-Policy: accelerometer=(), ambient-light-sensor=(), autoplay=(), battery=(), camera=(), cross-origin-isolated=(), display-capture=(), document-domain=(), encrypted-media=(), execution-while-not-rendered=(), execution-while-out-of-viewport=(), fullscreen=(), geolocation=(), gyroscope=(), keyboard-map=(), magnetometer=(), microphone=(), midi=(), navigation-override=(), payment=(), picture-in-picture=(), publickey-credentials-get=(), screen-wake-lock=(), sync-xhr=(), usb=(), web-share=(), xr-spatial-tracking=()

This disables all potentially privacy-invasive browser APIs.

Privacy Philosophy

What We Don’t Do

No tracking: Zero analytics, no tracking pixels, no fingerprinting
No cookies: No cookies are set
No third-party requests: All resources loaded from same origin (except optional client-side reverse DNS lookup)
No external API calls: ASN/organization lookups use local databases
No automatic external requests: The page does not send any external requests automatically, neither client-side nor server-side
No logging (strict mode): IP addresses are not logged

Reverse DNS Lookup

CloakProbe includes an optional client-side reverse DNS lookup feature:

User-initiated only: The reverse DNS lookup is performed only when you explicitly click the “Lookup Reverse DNS” button. The page does not perform any DNS queries automatically.
Client-side only: The lookup happens entirely in your browser using Cloudflare’s DNS over HTTPS (DoH) service at cloudflare-dns.com. No data is sent to the CloakProbe server.
Privacy-focused: Cloudflare’s DoH service is privacy-focused and does not log queries. Your DNS query is sent directly from your browser to Cloudflare’s DNS service.
No data storage: The reverse DNS lookup result is displayed only in your browser and is not stored or logged by CloakProbe.

What Data We Process

CloakProbe processes only what’s necessary to fulfill the request:

IP Address: Read from headers, used for lookup, returned to you
HTTP Headers: Read to extract connection info, echoed back
Nothing stored: Data is processed in memory and discarded

Privacy Modes

Strict Mode (Default)

CLOAKPROBE_PRIVACY_MODE=strict

No logging of IP addresses
Minimal information exposed
Response includes logs_retained: false

Balanced Mode

CLOAKPROBE_PRIVACY_MODE=balanced

Standard logging for operations
Full information exposed
Response includes logs_retained: true

Local Databases

CloakProbe uses local databases to avoid sending your IP to third parties:

IP-to-ASN Database

Source: iptoasn.com (Public Domain/PDDL)
Contains: IP range → ASN mappings
Privacy: No external requests during lookup

RIPE Organization Database

Source: RIPE NCC dumps
Contains: ASN → Organization name
Privacy: No external requests during lookup

Both databases are downloaded during installation and updated via cron. The lookup happens entirely in memory.

Input Validation

CloakProbe validates all input:

IP addresses are parsed and validated
Headers are sanitized before processing (HTML entities escaped to prevent XSS)
All Cloudflare header values are sanitized before HTML rendering
JSON responses also sanitize header values for safe output
No user input is executed or interpolated unsafely

Cloudflare Worker Headers Support

When using a Cloudflare Worker to forward Cloudflare data to CloakProbe, all custom headers (X-CF-*) are automatically:

Extracted and parsed
Sanitized for safe display
Organized into logical sections (Geo Location, Network, Connection, Security, Proxy Headers)
Displayed in both HTML UI and JSON/plain API responses

See Cloudflare Setup for information on setting up a Cloudflare Worker.

Attack Surface

CloakProbe has a minimal attack surface:

No database connections: Uses memory-mapped files
No authentication: No credentials to steal
No user accounts: No account takeover possible
No file uploads: No file handling
Read-only operations: Only responds to GET requests

Deployment Security

Run as Non-Root

The systemd service runs as the cloakprobe user:

User=cloakprobe
Group=cloakprobe

Filesystem Restrictions

NoNewPrivileges=true
ProtectSystem=strict
ProtectHome=true
PrivateTmp=true
ReadOnlyPaths=/opt/cloakprobe

Network Restrictions

Recommended firewall configuration:

# Only allow Cloudflare IPs (if using Cloudflare)
# Block direct access to port 8080
# Allow only localhost connections

Reporting Vulnerabilities

If you discover a security vulnerability:

Do not open a public issue
Email security concerns privately
See SECURITY.md

Open Source

CloakProbe is open source under AGPL-3.0. You can:

Inspect all code
Verify security claims
Run your own instance
Contribute improvements

Repository: github.com/drmckay/cloakprobe