🛡️ Security Features

🔒 AES-256-CBC Encryption Military-Grade

Every file uploaded to FileWalla is encrypted using AES-256-CBC encryption, the same standard used by governments and militaries worldwide to protect classified information.

• Unique encryption keys per organization
• Secure key derivation from master key (stored in environment variables)
• Server-side encryption with master key management
• Enables legal content moderation while maintaining strong security

🛡️ Server-Side Encryption vs End-to-End

FileWalla uses strong server-side encryption (AES-256) to protect all files at rest, along with encryption in transit (TLS) to protect data during transfer.

We have intentionally chosen a server-side encryption model rather than end-to-end encryption. This decision allows us to provide essential security and compliance features, including malware scanning, abuse detection, lawful content moderation, and secure file recovery options.

While end-to-end encryption prevents even the service provider from accessing content, it also removes the ability to scan for viruses, prevent illegal content distribution, assist users who lose credentials, or comply with legal obligations in regulated jurisdictions such as Canada.

Our approach balances privacy, security, and legal responsibility. Files stored on our servers cannot be accessed outside the FileWalla system, and strict access controls govern any administrative decryption capabilities.

We believe responsible security means protecting user data while also preventing misuse and maintaining compliance with applicable laws. Our encryption model reflects that balance.

🛡️ Multi-Tier Virus Scanning Active

All files are scanned for viruses and malware BEFORE encryption using a multi-layered approach:

• ClamAV (Primary): Industry-standard antivirus with daily updates
• phpMussel (Fallback): Pattern-based malware detection
• Zero-Trust Policy: Uploads blocked if no scanner available
• Scan Verification: Visual badges show which scanner verified each file
• Comprehensive Logging: All scan events recorded in audit trail

🚫 Encrypted Archive Blocking Zero-Tolerance

Password-protected ZIP, RAR, and 7z files are automatically blocked to prevent abuse and ensure all content can be scanned for illegal material.

• Automatic detection of encrypted/password-protected archives
• 3-strike violation system with automatic suspension
• Admin alerts for repeated violations
• Prevents criminal abuse and CSAM distribution

✅ File Integrity Verification

Every file includes SHA-256 checksums to verify integrity and detect tampering.

• SHA-256 hash generated on upload
• Automatic verification on download
• Tamper detection and corruption alerts

🔐 Bcrypt Password Hashing Industry-Standard

All passwords are hashed using Bcrypt with cost factor 10, making them virtually impossible to crack even if the database is compromised.

• One-way hashing (passwords can't be decrypted)
• Automatic salt generation
• Password complexity requirements enforced
• Minimum 8 characters, uppercase, lowercase, numbers, special characters

📱 Two-Factor Authentication (2FA) Google Authenticator

Optional 2FA using Google Authenticator adds an extra layer of security to your account.

• TOTP (Time-based One-Time Password) implementation
• QR code setup for easy configuration
• Backup codes for account recovery
• Mandatory for admin accounts

🚨 Progressive Brute Force Protection Multi-Layered

Advanced multi-tier protection against login attacks with escalating countermeasures:

• Standard Brute Force: 5 failed attempts in 5 minutes → 10-minute IP lockout
• Dictionary Attack: 20+ attempts per minute → 1-hour IP lockout + admin alert
• Repeat Offenders: 3 dictionary attacks in 24 hours → PERMANENT BAN
• Comprehensive Logging: All failed attempts tracked with IP, timestamp, and audit trail
• Automatic Alerts: Admin notified of all security events via email

🍪 Secure Session Management

Sessions are configured with maximum security settings to prevent hijacking and theft.

• HTTPOnly cookies (prevents JavaScript access)
• Secure flag (HTTPS-only transmission)
• Session regeneration on login
• Automatic timeout after inactivity

💉 SQL Injection Prevention 100% Coverage

All database queries use PDO prepared statements, making SQL injection attacks impossible.

• Parameterized queries throughout entire codebase
• Input sanitization and validation
• Database abstraction layer for portability

🔍 Comprehensive Audit Logging

Every security-relevant action is logged with full details for forensic analysis.

• User logins, logouts, password changes
• File uploads, downloads, deletions
• Failed login attempts and security lockouts
• Admin actions and system changes
• IP addresses, timestamps, and user agents

⚖️ Legal Compliance Tools Canadian Law

Built-in tools for legal content moderation and compliance with Canadian law.

• Content moderation dashboard for admins
• CSAM reporting to NCMEC/Cybertip.ca/RCMP
• Evidence preservation for law enforcement
• Prevent criminal abuse while maintaining privacy

👥 Role-Based Access Control

Three-tier permission system for group collaboration with clear hierarchies.

• Owner: Full control, billing management, member approval
• Admin: Member management, file moderation
• Member: File sharing, messaging within group

🌐 Secure Hosting

Hosted on Canadian infrastructure to maintain digital and domain sovereignty with Canadian data residency.

• SSL/TLS encryption for all connections
• DDoS protection and traffic filtering
• Regular security updates and patches
• Firewall protection and intrusion detection

🔑 Environment Variable Security

Master encryption keys and API credentials stored securely in environment variables.

• No secrets in code or version control
• SetEnv in .htaccess for production
• Separate dev/production configurations

📁 Upload Directory Protection

Special configuration prevents execution of malicious files in upload directories.

• .htaccess blocks PHP execution in uploads/
• File type validation and sanitization
• Size limits prevent storage abuse

🚨 Real-Time Threat Detection

Automated systems monitor for suspicious activity and respond immediately.

• Failed login tracking and analysis
• Unusual access pattern detection
• Automated IP lockouts for attacks
• Email alerts to administrators

📈 Security Analytics Dashboard

Admin dashboard provides real-time security metrics and insights.

• Failed login attempts (24-hour view)
• Active IP lockouts
• Permanent bans
• Virus scan statistics
• User activity monitoring