Security at Sakura Mail
Defense in depth, least privilege and honest claims—not promises of impossible “100% security.”
Current controls in this codebase
- Passwordless one-time-code authentication with hashed, expiring codes.
- Secure, HttpOnly, SameSite session cookies; server-side session revocation.
- Mandatory Cloudflare Turnstile validation and D1-backed rate limiting.
- Origin checks for state-changing requests and restrictive browser security headers.
- AES-256-GCM encryption for recipient addresses and HMAC-based deduplication.
- Workspace-scoped database and R2 access in application routes.
- Automatic suppression checks and signed one-click unsubscribe tokens.
- PayPal orders created and captured server-side; prices are never trusted from the browser.
- Audit logs that avoid raw recipient addresses.
- Admin analytics intentionally omit contact addresses and message bodies.
Operational controls required before launch
- Protect the GitHub repository and Cloudflare account with hardware-key MFA and least-privilege roles.
- Store secrets with Wrangler secrets; rotate them and never commit production credentials.
- Enable dependency scanning, branch protection, review, backups, alerting and an incident-response plan.
- Complete an independent security review and penetration test.
- Establish a vulnerability-reporting mailbox and response targets.
Report a concern
Send security reports to alexdevriesxing@gmail.com. Do not include live recipient data in a report.