Trust & Security
How Torify is built, operated, and secured.
Infrastructure
Torify runs on Cloudflare Workers — a globally distributed edge compute platform. There are no origin servers to patch or expose. All traffic is proxied through Cloudflare's network, which provides DDoS protection and TLS termination by default.
Security Headers
Every response from Torify includes the following security headers:
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
Referrer-Policy: strict-origin-when-cross-origin
Permissions-Policy: geolocation=(), microphone=(), camera=(), payment=(), interest-cohort=(), usb=(), fullscreen=(), midi=(), sync-xhr=()
Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; img-src 'self' data:
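To check a response against the header list above, the following added example (not Torify's own code) parses the two policy headers so that ordering and spacing do not cause false alarms, then reports anything missing, changed or extra. The function names and the SAMPLE response are assumptions constructed for illustration.

```javascript
// Header values as listed on this page.
const EXPECTED = {
  "x-content-type-options": "nosniff",
  "x-frame-options": "DENY",
  "referrer-policy": "strict-origin-when-cross-origin",
  "permissions-policy": "geolocation=(), microphone=(), camera=(), payment=(), " +
    "interest-cohort=(), usb=(), fullscreen=(), midi=(), sync-xhr=()",
  "content-security-policy": "default-src 'none'; style-src 'unsafe-inline'; img-src 'self' data:",
};
const POLICY_SEP = { "permissions-policy": [",", "="], "content-security-policy": [";", " "] };
// Split a policy header into name -> sorted values, so order and spacing do not matter.
function parsePolicy(value, [itemSep, nameSep]) {
  const map = new Map();
  for (const part of value.split(itemSep)) {
    const item = part.trim();
    if (!item) continue;
    const cut = item.indexOf(nameSep);
    const name = (cut < 0 ? item : item.slice(0, cut)).toLowerCase();
    const rest = cut < 0 ? [] : item.slice(cut + 1).trim().split(/\s+/).filter(Boolean);
    // CSP keeps the first copy of a repeated directive; Permissions-Policy keeps the last.
    if (nameSep === "=" || !map.has(name)) map.set(name, rest.sort().join(" "));
  }
  return map;
}

// Compare response headers (plain object, any key case) with EXPECTED; [] means a match.
function auditHeaders(headers) {
  const got = {};
  for (const [k, v] of Object.entries(headers)) got[k.toLowerCase()] = String(v).trim();
  const findings = [];
  for (const [name, want] of Object.entries(EXPECTED)) {
    if (!(name in got)) { findings.push(`missing: ${name}`); continue; }
    const sep = POLICY_SEP[name];
    if (!sep) {
      if (got[name].toLowerCase() !== want.toLowerCase()) findings.push(`mismatch: ${name}`);
      continue;
    }
    const a = parsePolicy(want, sep), b = parsePolicy(got[name], sep);
    for (const [d, v] of a) if (b.get(d) !== v) findings.push(`${name}: ${d} differs`);
    for (const d of b.keys()) if (!a.has(d)) findings.push(`${name}: unexpected ${d}`);
  }
  return findings;
}
// Constructed sample (not captured from the service) with three deliberate deviations.
const SAMPLE = { ...EXPECTED,
  "content-security-policy": "default-src 'none'; img-src data: 'self'; style-src 'unsafe-inline'; script-src 'self'",
  "permissions-policy": EXPECTED["permissions-policy"].replace("camera=()", "camera=(self)") };
delete SAMPLE["x-frame-options"];
console.log(auditHeaders(SAMPLE));
```

In a monitoring job, pass the header object of a live response to auditHeaders and alert on a non-empty result.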
Authentication & Payment Security
Two authentication methods are supported:
- x402 (per-call) — payments signed with EIP-712 typed data on Base L2 (Coinbase L2). Each payment is single-use and verified by the x402 facilitator before the request is processed. Wallet addresses are not stored by Torify.
- API Key (subscription) — keys are validated server-side on every request. Keys are never logged or stored in plaintext.
Data Handling
Torify processes only the parameters necessary to fulfill each API request:
- No PII is stored persistently
- Request logs (path, timestamp, status) are retained for up to 30 days for debugging
- External APIs (NTA, zipcloud) receive only the specific query parameter — no metadata about the caller. Kanji-to-kana runs fully offline.
See the Privacy Policy for full details.
Responsible Disclosure
We take security seriously. If you discover a vulnerability, please report it responsibly:
Email: contact@torify.dev
Subject line: "Security Vulnerability Report"
We will acknowledge your report within 48 hours and aim to resolve confirmed issues within 14 days. We do not currently operate a formal bug bounty program, but we appreciate responsible disclosure.
RFC 9116 Security Contact
Machine-readable security contact information is available at /.well-known/security.txt per RFC 9116.