Security Is Core to Our Product
You trust Obfuscura with your source code. We take that responsibility seriously. Here is how we protect your code, your data, and your customers.
Multi-Layer Code Protection
Multi-Layer Bytecode Encoding
Source code is transformed through multiple encoding passes — bytecode compilation, control-flow obfuscation, and string encryption. Each layer adds protection that must be defeated independently.
Cryptographic Integrity Verification
Every encoded file includes a cryptographic signature verified at runtime. Tampered files are rejected before execution. Anti-debug detection prevents runtime inspection of decoded bytecode.
Zero Server Extensions
The runtime loader is pure PHP — no C extensions, no PECL modules, no kernel dependencies. This eliminates an entire class of server-level attack vectors that affect traditional encoders.
License-Bound Decryption
Encoded files are bound to specific license keys, domains, and IP addresses. Code cannot execute without a valid, active license that matches the deployment environment.
Infrastructure Security
HTTPS Everywhere
All traffic to Obfuscura is encrypted with TLS 1.2+ and HTTP Strict Transport Security (HSTS). API endpoints, dashboard access, and webhook communications are encrypted in transit without exception.
Security Headers
Every response includes Content-Security-Policy, X-Content-Type-Options, X-Frame-Options, Referrer-Policy, and Permissions-Policy headers. These headers are tested for A+ ratings on industry-standard scanning tools.
Data Encryption at Rest
Customer data and encoded file artifacts are stored with encryption at rest. Database credentials, API keys, and secrets are never stored in source code or logs.
Access Controls
Role-based access controls separate admin and customer permissions. All authentication uses bcrypt-hashed passwords, CSRF protection, and rate-limited login attempts.
Payment Processing & Data Handling
PCI-Compliant Payments
All payment processing is handled by Stripe, a PCI DSS Level 1 certified processor. Obfuscura never stores, processes, or transmits credit card numbers. Only Stripe customer IDs are retained.
Minimal Data Collection
We collect only what is necessary to operate the service: email, name, and billing identifiers. We do not sell, share, or monetize customer data. See our Privacy Policy for full details.
Source Code Handling
Uploaded source files are processed in isolated, ephemeral encoding sessions. Original source code is deleted immediately after encoding completes. We do not retain, log, or inspect your source code.
GDPR & Compliance
Obfuscura respects data subject rights under GDPR and CCPA. We offer data export, deletion on request, and a Data Processing Agreement (DPA) for enterprise customers. Contact privacy@obfuscura.com.
Responsible Disclosure
We welcome security researchers to report vulnerabilities responsibly. If you discover a security issue in Obfuscura, please contact us at security@obfuscura.com.
Our Commitment
- Acknowledge receipt within 48 hours
- Provide an initial assessment within 5 business days
- Keep you informed of remediation progress
- Credit researchers in our security advisories (with permission)
- Never pursue legal action against good-faith reporters
Scope
Reports are welcome for obfuscura.com, the license validation API, the encoding pipeline, the runtime loader, and any publicly accessible endpoints. Please do not test against other customers' accounts or data.
Our security contact information is also published at /.well-known/security.txt per RFC 9116.
Security Advisories
No Active Advisories
There are currently no known security vulnerabilities affecting Obfuscura. This page will be updated if any advisories are issued.