Hash-chain audit logs, content-aware upload safety, explicit per-page permissions — real security primitives, engineered in. Every claim on this page maps to source you can inspect.
Most audit logs are write-only. Ours is a hash chain re-verified on a schedule, and re-verified again before any batch is emitted to an external SIEM.
Every security event carries the SHA-256 hash of the prior event. Breaking a record in the middle breaks every record after it — tampering is self-evident.
A background job re-walks the chain on a schedule and alerts on any mismatch. This isn't a one-time integrity check at write — it's ongoing.
Before any batch ships to an external SIEM, the chain is re-verified. If preflight fails, the batch never leaves — nothing compromised reaches downstream tooling dressed as authentic.
Events covered: authentication, authorization, data access, admin actions, and security signals (rate limits, anomalies, brute-force detection).
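As an added illustration of the chain described above (this is example code written for this page, not PageSpace's implementation; the record layout, the all-zero genesis hash and the event names are constructed), the following builds a SHA-256 hash chain, re-walks it the way a scheduled verifier would, and refuses to ship a batch whose preflight fails:

```python
import hashlib
import json
from typing import List, Optional, Tuple

# Constructed sentinel for the first record: there is no prior event to hash.
GENESIS_HASH = "0" * 64


def canonical(body: dict) -> bytes:
    """Deterministic JSON so the same event always produces the same digest."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def event_hash(body: dict) -> str:
    return hashlib.sha256(canonical(body)).hexdigest()


class AuditLog:
    """Append-only log where each record commits to the hash of its predecessor."""

    def __init__(self) -> None:
        self.records: List[dict] = []

    def append(self, kind: str, actor: str, detail: dict) -> dict:
        prev = self.records[-1]["hash"] if self.records else GENESIS_HASH
        body = {"seq": len(self.records), "kind": kind, "actor": actor,
                "detail": detail, "prev_hash": prev}
        record = dict(body, hash=event_hash(body))
        self.records.append(record)
        return record


def verify_chain(records: List[dict]) -> Tuple[bool, Optional[int]]:
    """Re-walk the chain; return (ok, seq of the first record that fails)."""
    prev = GENESIS_HASH
    for i, rec in enumerate(records):
        body = {k: v for k, v in rec.items() if k != "hash"}
        if (body.get("seq") != i or body.get("prev_hash") != prev
                or rec.get("hash") != event_hash(body)):
            return False, i
        prev = rec["hash"]
    return True, None


def export_batch(records: List[dict], sink: list) -> Tuple[bool, Optional[int]]:
    """SIEM preflight: verify first; the batch leaves only if the whole chain checks out."""
    ok, first_bad = verify_chain(records)
    if ok:
        sink.extend(records)
    return ok, first_bad


def tamper(records: List[dict], seq: int, new_detail: dict, rehash: bool) -> List[dict]:
    """Constructed edit of one stored record, optionally recomputing its own hash,
    so the demo can show where the verifier reports the break."""
    copy = [dict(r) for r in records]
    copy[seq]["detail"] = new_detail
    if rehash:
        body = {k: v for k, v in copy[seq].items() if k != "hash"}
        copy[seq]["hash"] = event_hash(body)
    return copy


if __name__ == "__main__":
    log = AuditLog()
    log.append("auth.login", "alice", {"ok": True})
    log.append("data.read", "alice", {"page": "p-42"})
    log.append("admin.role_change", "root", {"user": "bob", "role": "admin"})
    print(verify_chain(log.records))                                     # (True, None)
    print(verify_chain(tamper(log.records, 1, {"page": "p-1"}, False)))  # (False, 1)
    print(verify_chain(tamper(log.records, 1, {"page": "p-1"}, True)))   # (False, 2)
```

Editing a record without recomputing its hash is caught at that record; recomputing it only moves the break to the next record, whose `prev_hash` no longer matches. Either way `export_batch` returns without touching the sink.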
Most document products inherit permissions from parent folders. One wrong drag-and-drop and a personal folder is suddenly visible to the whole team. PageSpace doesn't inherit.
Grant access to a folder and the folder page is shared. Every page inside still has its own grant list. No page becomes visible because of where it lives in the tree.
The "I shared one subfolder and accidentally gave away the tree" class of incident can't happen here. Every shared page was shared on purpose.
Drive owners and admins still have full drive access by role — this is no-silent-cascades for end users, not deny-by-default for operators.
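To make the no-cascade rule concrete, here is an added example (written for this page, not PageSpace's code; the page tree, user names and the `owner`/`admin` role names are constructed) that keeps an explicit grant list per page and, for contrast, a function showing how the usual folder-inheritance model would expose the whole subtree:

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Constructed: drive-level roles that carry full access by role, not by grant.
OPERATOR_ROLES = {"owner", "admin"}


@dataclass
class Page:
    page_id: str
    parent: Optional[str]
    grants: Set[str] = field(default_factory=set)  # users explicitly granted this page


class Drive:
    def __init__(self) -> None:
        self.pages: Dict[str, Page] = {}
        self.roles: Dict[str, str] = {}  # user -> drive-level role

    def add_page(self, page_id: str, parent: Optional[str] = None) -> Page:
        if parent is not None and parent not in self.pages:
            raise KeyError(parent)
        page = Page(page_id, parent)
        self.pages[page_id] = page
        return page

    def share(self, page_id: str, user: str) -> None:
        """Sharing touches exactly one page's grant list; nothing cascades."""
        self.pages[page_id].grants.add(user)

    def can_view(self, user: str, page_id: str) -> bool:
        if self.roles.get(user) in OPERATOR_ROLES:
            return True                       # operators have drive access by role
        return user in self.pages[page_id].grants

    def visible_pages(self, user: str) -> List[str]:
        return sorted(p for p in self.pages if self.can_view(user, p))


def can_view_inherited(drive: Drive, user: str, page_id: str) -> bool:
    """The folder-inheritance model most products use, shown for contrast only:
    a grant anywhere up the tree exposes every descendant."""
    page: Optional[Page] = drive.pages[page_id]
    while page is not None:
        if user in page.grants:
            return True
        page = drive.pages[page.parent] if page.parent else None
    return False


def build_sample_drive() -> Drive:
    """Constructed tree: a team folder containing a personal folder with private notes."""
    d = Drive()
    d.add_page("team")
    d.add_page("personal", parent="team")
    d.add_page("notes", parent="personal")
    d.roles["carol"] = "admin"
    d.share("team", "bob")      # bob is given the team folder page only
    d.share("notes", "alice")   # alice shared her notes page on purpose
    return d


if __name__ == "__main__":
    d = build_sample_drive()
    print(d.visible_pages("bob"))                      # ['team']
    print(can_view_inherited(d, "bob", "notes"))       # True under inheritance
    print(d.can_view("bob", "notes"))                  # False here
```

Sharing `team` with bob leaves `notes` invisible to him under the explicit model, while the inheritance function returns `True` for the same grant; carol sees everything because of her drive role, not because of any grant.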
These are the classes of bugs that ship as CVEs in open-source workspace tools — uploaded executables renamed to .txt, SSRF to cloud metadata, path traversal to read the server filesystem. We did the unglamorous work of closing them.
The Magika ML classifier inspects the bytes. Windows PE, macOS Mach-O, Linux ELF, Android DEX — all rejected even when renamed to .txt. Same for raw HTML, SVG, and JavaScript, the classic stored-XSS vectors.
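The point above is that the decision rests on bytes, not on the filename. The following added example (written for this page; it is not PageSpace's code and does not use Magika, standing in with well-known magic numbers and a few textual heuristics instead) shows a content check that rejects the same families regardless of extension:

```python
import re
from typing import Tuple

# Well-known magic numbers of native executable formats.
_BINARY_MAGIC = [
    (b"MZ", "windows-pe"),                   # DOS stub header every PE file starts with
    (b"\x7fELF", "linux-elf"),
    (b"dex\n", "android-dex"),
    (b"\xfe\xed\xfa\xce", "macos-mach-o"),   # 32-bit, big-endian
    (b"\xce\xfa\xed\xfe", "macos-mach-o"),   # 32-bit, little-endian
    (b"\xfe\xed\xfa\xcf", "macos-mach-o"),   # 64-bit, big-endian
    (b"\xcf\xfa\xed\xfe", "macos-mach-o"),   # 64-bit, little-endian
    (b"\xca\xfe\xba\xbe", "macos-fat-or-java-class"),  # shared magic; both are code
]

# Textual content a browser would execute if served back: stored-XSS vectors.
# These regexes are a constructed heuristic stand-in for an ML classifier.
_MARKUP_RE = re.compile(rb"^\s*(<!doctype\s+html|<html|<script|<svg)", re.IGNORECASE)
_SVG_IN_XML_RE = re.compile(rb"^\s*<\?xml[^>]*>\s*(<!--.*?-->\s*)*<svg",
                            re.IGNORECASE | re.DOTALL)
_JS_RE = re.compile(rb"\b(function\s*\w*\s*\(|=>|document\.|window\.|eval\s*\()")

REJECTED_TYPES = {"windows-pe", "linux-elf", "android-dex", "macos-mach-o",
                  "macos-fat-or-java-class", "html", "svg", "javascript"}


def sniff_type(data: bytes) -> str:
    """Classify by content: binary magic first, then executable markup, then text."""
    head = data[:4096]
    for magic, label in _BINARY_MAGIC:
        if head.startswith(magic):
            return label
    text = head.lstrip(b"\xef\xbb\xbf")  # drop a UTF-8 BOM before matching
    m = _MARKUP_RE.match(text)
    if m or _SVG_IN_XML_RE.match(text):
        tag = m.group(1).lower() if m else b"<svg"
        return "svg" if tag.startswith(b"<svg") else "html"
    if b"\x00" not in text and _JS_RE.search(text):
        return "javascript"
    printable = all(b in b"\t\n\r" or 32 <= b < 127 or b >= 128 for b in text)
    return "text" if printable else "binary-other"


def check_upload(filename: str, data: bytes) -> Tuple[bool, str]:
    """Accept or reject an upload; the filename is reported but never trusted."""
    detected = sniff_type(data)
    if detected in REJECTED_TYPES:
        return False, f"{filename}: content is {detected}, extension ignored"
    return True, f"{filename}: {detected}"


if __name__ == "__main__":
    fake_pe = b"MZ\x90\x00" + b"\x00" * 60 + b"PE\x00\x00"   # constructed header bytes
    print(check_upload("report.txt", fake_pe))
    print(check_upload("notes.txt", b"Meeting notes: ship on Friday.\n"))
```

The magic-number table is exact for the binary formats; the markup and JavaScript rules are deliberately simple and err toward rejection, which is the right direction for an upload gate.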
Server-side URL fetches are checked against loopback, RFC 1918 private ranges, link-local, and cloud metadata endpoints. Every DNS-resolved IP is validated, not just the first — an attacker rebinding a hostname after the initial check still gets rejected.
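An added example of that check (written for this page, not PageSpace's code; the hostnames and the offline `FAKE_DNS` answers are constructed). It vets the scheme, resolves the host, and requires every returned address to be public, including the IPv4 embedded in an IPv4-mapped IPv6 answer:

```python
import ipaddress
import socket
from typing import Callable, List, Tuple
from urllib.parse import urlsplit

Resolver = Callable[[str], List[str]]


def system_resolver(host: str) -> List[str]:
    """Return every address the resolver answers with, v4 and v6."""
    infos = socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})


def is_public_ip(addr: str) -> bool:
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    # IPv4-mapped IPv6 (::ffff:10.0.0.5) must be judged as the embedded IPv4.
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    if (ip.is_loopback or ip.is_private or ip.is_link_local or ip.is_multicast
            or ip.is_reserved or ip.is_unspecified):
        return False          # covers 127/8, RFC 1918, fc00::/7, 169.254.169.254, ::1
    return ip.is_global


def vet_fetch_url(url: str, resolver: Resolver = system_resolver) -> Tuple[bool, str, List[str]]:
    """Return (allowed, reason, vetted_ips). Callers should connect to one of the
    vetted IPs directly rather than resolving the hostname a second time."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False, f"scheme {parts.scheme!r} not allowed", []
    host = parts.hostname
    if not host:
        return False, "missing host", []
    try:
        addrs = resolver(host)
    except (socket.gaierror, OSError) as exc:
        return False, f"resolution failed: {exc}", []
    if not addrs:
        return False, "no addresses", []
    for addr in addrs:        # every answer must pass, not just the first
        if not is_public_ip(addr):
            return False, f"{host} resolves to non-public {addr}", []
    return True, "ok", addrs


# Constructed DNS answers so the example runs offline.
FAKE_DNS = {
    "api.example.com": ["93.184.216.34"],
    "rebind.example": ["93.184.216.34", "169.254.169.254"],
    "mapped.example": ["::ffff:10.0.0.5"],
    "localhost": ["127.0.0.1", "::1"],
}


def fake_resolver(host: str) -> List[str]:
    try:
        return FAKE_DNS[host]
    except KeyError:
        raise socket.gaierror(f"constructed NXDOMAIN for {host}")


if __name__ == "__main__":
    for u in ("https://api.example.com/v1", "http://rebind.example/",
              "http://mapped.example/", "http://localhost:8080/admin",
              "http://169.254.169.254/latest/meta-data/", "file:///etc/passwd"):
        print(u, "->", vet_fetch_url(u, fake_resolver)[:2])
```

Returning the vetted addresses matters: if the fetch layer resolves the name again on its own, the check and the connection can see different answers, so the caller should connect to an address from the returned list.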
Uploads and user-supplied paths are rejected for ../, URL-encoded variants (%2e%2e, double-encoded), null-byte injection, and symlink escape. Real paths are verified, not string-compared.
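The sentence above packs four separate defences; this added example (written for this page, not PageSpace's code; the temporary directory layout it builds is constructed) applies them in order: decode repeatedly, reject null bytes and `..` components, then compare real paths rather than strings so a symlink that points outside the base is caught too:

```python
import os
import tempfile
from urllib.parse import unquote


def decode_fully(path: str, max_rounds: int = 3) -> str:
    """Undo repeated percent-encoding (%2e%2e, %252e%252e, ...) before inspecting."""
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            return path
        path = decoded
    return path


def safe_resolve(base_dir: str, user_path: str) -> str:
    """Map a user-supplied relative path to a real path under base_dir, or raise."""
    base = os.path.realpath(base_dir)
    path = decode_fully(user_path)
    if "\x00" in path:
        raise ValueError("null byte in path")
    parts = path.replace("\\", "/").split("/")
    if ".." in parts:
        raise ValueError("parent-directory traversal")
    if os.path.isabs(path) or parts[0] == "":
        raise ValueError("absolute path not allowed")
    # realpath follows symlinks, so a link that points outside base is caught here.
    target = os.path.realpath(os.path.join(base, path))
    if os.path.commonpath([base, target]) != base:
        raise ValueError("resolved path escapes base directory")
    return target


def is_safe(base_dir: str, user_path: str) -> bool:
    try:
        safe_resolve(base_dir, user_path)
        return True
    except ValueError:
        return False


def resolved_name(base_dir: str, user_path: str) -> str:
    return os.path.basename(safe_resolve(base_dir, user_path))


def build_sample_tree() -> str:
    """Constructed layout: <tmp>/uploads/a.txt plus a symlink out to <tmp>/secret."""
    root = tempfile.mkdtemp()
    uploads = os.path.join(root, "uploads")
    secret = os.path.join(root, "secret")
    os.makedirs(uploads)
    os.makedirs(secret)
    with open(os.path.join(uploads, "a.txt"), "w") as f:
        f.write("public\n")
    with open(os.path.join(secret, "key.pem"), "w") as f:
        f.write("private\n")
    try:
        os.symlink(secret, os.path.join(uploads, "link"))
    except (OSError, NotImplementedError):
        pass  # platforms without symlink support simply skip that case
    return uploads


def has_symlink_case(uploads: str) -> bool:
    return os.path.islink(os.path.join(uploads, "link"))


if __name__ == "__main__":
    uploads = build_sample_tree()
    for p in ("a.txt", "../secret/key.pem", "%2e%2e/secret/key.pem",
              "%252e%252e%252fsecret/key.pem", "a.txt%00.jpg", "link/key.pem"):
        print(repr(p), "->", is_safe(uploads, p))
```

Note that the string checks alone would pass `link/key.pem`: only the `realpath` comparison against the base directory catches the symlink escape.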
Passwordless by design: passkeys and magic links, with Google and Apple OAuth. There's no password to phish, guess, or leak.
Secure magic link authentication with single-use tokens and rate-limited delivery.
Industry-standard OAuth flows with signed state and strict redirect validation. Google uses RFC 7636 PKCE; Apple relies on ID-token signature validation.
All state-changing requests require CSRF validation with HMAC-signed tokens and timing-safe comparison. Even login forms have CSRF protection via a separate pre-login system.
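An added example of the token scheme above (written for this page, not PageSpace's code; the secret, the `binding|timestamp|nonce` layout and the one-hour lifetime are constructed). The same issue/verify pair serves both cases the paragraph mentions: after login the token is bound to the session id, before login it is bound to a pre-login cookie id:

```python
import base64
import hashlib
import hmac
import os
import time
from typing import Optional

# Constructed server secret; a deployment would load it from configuration.
CSRF_SECRET = os.urandom(32)
TOKEN_TTL = 3600


def _mac(secret: bytes, binding: str, ts: int, nonce: str) -> str:
    msg = f"{binding}|{ts}|{nonce}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def issue_csrf_token(binding: str, secret: bytes = CSRF_SECRET,
                     now: Optional[int] = None) -> str:
    """binding is the session id after login, or the pre-login cookie id before it."""
    ts = int(time.time() if now is None else now)
    nonce = base64.urlsafe_b64encode(os.urandom(16)).decode().rstrip("=")
    return f"{ts}.{nonce}.{_mac(secret, binding, ts, nonce)}"


def verify_csrf_token(token: str, binding: str, secret: bytes = CSRF_SECRET,
                      now: Optional[int] = None, ttl: int = TOKEN_TTL) -> bool:
    """Recompute the MAC for the presented binding and compare in constant time."""
    try:
        ts_str, nonce, mac = token.split(".")
        ts = int(ts_str)
    except ValueError:
        return False
    expected = _mac(secret, binding, ts, nonce)
    if not hmac.compare_digest(expected, mac):   # no early exit on the first wrong byte
        return False
    current = int(time.time() if now is None else now)
    return 0 <= current - ts <= ttl


if __name__ == "__main__":
    tok = issue_csrf_token("sess-123")
    print(verify_csrf_token(tok, "sess-123"))   # True
    print(verify_csrf_token(tok, "sess-999"))   # False: bound to a different session
    pre = issue_csrf_token("prelogin-cookie-abc")
    print(verify_csrf_token(pre, "prelogin-cookie-abc"))   # True
```

Because the binding is part of the MAC input, a token lifted from one session fails verification under any other, and the nonce keeps two tokens issued in the same second distinct.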
PageSpace uses opaque session tokens with hash-only storage. Tokens carry no embedded claims — everything is validated server-side on every request.
We never store the session token itself — only its SHA3-256 hash. A compromised database snapshot does not yield usable tokens.
Sessions can be revoked immediately — no waiting for expiry. Administrative actions invalidate every outstanding session for a user atomically.
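The three paragraphs above describe one session store; the following added example (written for this page, not PageSpace's code; the in-memory table and the one-hour lifetime are constructed) issues opaque random tokens, keeps only their SHA3-256 digests, validates on every lookup, and revokes all of a user's sessions in one call. The loop in `revoke_all_for` stands in for what a database would do as a single `UPDATE`:

```python
import hashlib
import secrets
import time
from typing import Dict, List, Optional


def token_digest(token: str) -> str:
    """Only this digest is stored; the token itself never reaches the database."""
    return hashlib.sha3_256(token.encode()).hexdigest()


class SessionStore:
    def __init__(self) -> None:
        # Keyed by digest; stands in for a sessions table (constructed).
        self.rows: Dict[str, dict] = {}

    def create(self, user_id: str, ttl: int = 3600, now: Optional[float] = None) -> str:
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)   # opaque: random bytes, no claims inside
        self.rows[token_digest(token)] = {
            "user_id": user_id, "expires_at": now + ttl, "revoked": False}
        return token                        # handed to the client exactly once

    def resolve(self, token: str, now: Optional[float] = None) -> Optional[str]:
        """Validate on every request: lookup by digest, then expiry and revocation."""
        now = time.time() if now is None else now
        row = self.rows.get(token_digest(token))
        if row is None or row["revoked"] or now >= row["expires_at"]:
            return None
        return row["user_id"]

    def revoke(self, token: str) -> bool:
        row = self.rows.get(token_digest(token))
        if row is None or row["revoked"]:
            return False
        row["revoked"] = True
        return True

    def revoke_all_for(self, user_id: str) -> int:
        """Admin action: every outstanding session for the user goes at once."""
        count = 0
        for row in self.rows.values():
            if row["user_id"] == user_id and not row["revoked"]:
                row["revoked"] = True
                count += 1
        return count

    def stored_keys(self) -> List[str]:
        """What a database snapshot would reveal: digests only."""
        return list(self.rows.keys())


if __name__ == "__main__":
    store = SessionStore()
    t = store.create("alice")
    print(store.resolve(t))            # alice
    print(t in store.stored_keys())    # False: only the digest is stored
    print(store.revoke_all_for("alice"), store.resolve(t))   # 1 None
```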
Real-time collaboration doesn't mean relaxed security. Every write operation is authorized in real-time.
Document updates, file uploads, and task changes are re-authorized on every event — not just at connection time.
Socket tokens are short-lived and single-purpose, limiting exposure if intercepted. Connection requires fresh authentication.
Inter-service communication is signed and replay-protected so messages cannot be forged or re-sent by an intermediary.
Protection against brute force attacks with rate limiting that persists across restarts and IP changes.
Per-IP and per-email sliding-window limits throttle credential stuffing
Accounts facing repeated failed authentication are temporarily locked, regardless of source IP
Per-IP limits on signup prevent automated account creation
Lockout state isn't lost when servers restart
Attackers can't bypass by changing IP addresses
Lockout expires on its own — no manual intervention needed
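The list above is one mechanism; this added example (written for this page, not PageSpace's code; the limits, window lengths and the plain `dict` used as the persistent store are constructed) puts the counters and lockout state in an external store rather than in process memory, so a restart or a fresh worker sees the same state, and keys the lockout by account so that rotating source IPs does not reset it:

```python
import time
from typing import List, Optional, Tuple


class LoginGuard:
    """Sliding-window limits per IP and per email plus an IP-independent lockout.
    `store` is any dict-like persistent map (a plain dict here, constructed; it
    stands in for Redis or a database table) so state survives process restarts."""

    def __init__(self, store: dict, ip_limit: int = 10, email_limit: int = 5,
                 window: int = 300, lockout: int = 900) -> None:
        self.store = store
        self.ip_limit, self.email_limit = ip_limit, email_limit
        self.window, self.lockout = window, lockout

    def _recent(self, key: str, now: float) -> List[float]:
        """Failure timestamps inside the window; older entries are pruned in place."""
        stamps = [t for t in self.store.get(key, []) if now - t < self.window]
        self.store[key] = stamps
        return stamps

    def check(self, ip: str, email: str,
              now: Optional[float] = None) -> Tuple[bool, Optional[str]]:
        now = time.time() if now is None else now
        account = email.lower()
        if self.store.get(f"lock:{account}", 0.0) > now:
            return False, "account_locked"          # regardless of source IP
        if len(self._recent(f"ip:{ip}", now)) >= self.ip_limit:
            return False, "ip_rate_limited"
        if len(self._recent(f"email:{account}", now)) >= self.email_limit:
            return False, "email_rate_limited"
        return True, None

    def record_failure(self, ip: str, email: str, now: Optional[float] = None) -> None:
        now = time.time() if now is None else now
        account = email.lower()
        self._recent(f"ip:{ip}", now).append(now)
        stamps = self._recent(f"email:{account}", now)
        stamps.append(now)
        if len(stamps) >= self.email_limit:
            # Lock the account; expiry is a timestamp, so no job has to unlock it.
            self.store[f"lock:{account}"] = now + self.lockout

    def record_success(self, email: str) -> None:
        account = email.lower()
        self.store.pop(f"email:{account}", None)
        self.store.pop(f"lock:{account}", None)

    def locked_until(self, email: str) -> Optional[float]:
        return self.store.get(f"lock:{email.lower()}")


if __name__ == "__main__":
    store = {}
    guard = LoginGuard(store)
    for i in range(5):   # five failures for one account from five different addresses
        guard.record_failure(f"10.0.0.{i}", "victim@example.com", now=100.0 + i)
    print(guard.check("198.51.100.7", "victim@example.com", now=110.0))   # (False, 'account_locked')
    fresh_process = LoginGuard(store)   # same store, new process: lockout still visible
    print(fresh_process.check("198.51.100.8", "victim@example.com", now=120.0))
    print(fresh_process.check("198.51.100.8", "victim@example.com", now=1005.0))  # (True, None)
```

The per-email lockout is what defeats IP rotation; the per-IP window is what stops one address from spraying many accounts; storing both outside the process is what keeps a restart from clearing them.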
Our docs point straight at the code that implements every claim. Read them, grep them, hand them to your security reviewer.