FTP/FTPS/SFTP Manager logo for external server connections FTP/FTPS/SFTP Manager

Security model · Scope · Transparency

Security in the FTP/FTPS/SFTP Manager

This page shows the implemented security measures and operating rules of the application.

Clear technical boundary

The online version manages external FTP, FTPS, and SFTP connections only. There is no public local file manager for files on this web server and no public LocalConnector access.

How credentials are handled

Connection data is stored server-side so recurring server access can be reused. Credentials are stored encrypted and are not shown in plain text in the admin area. To establish a connection, they must be technically processed at runtime.

Operations

File actions run exclusively on the connected target servers. The application itself does not expose a public local file manager.

Security overview

A concise summary of how security and operations are implemented:

  • Connection data is stored in the database and encrypted at rest.
  • Decryption happens only when a connection must be established technically.
  • Passwords are not shown in plain text in the admin area; at runtime, the application processes credentials only to establish the technical connection.
  • Files from connected servers are not exposed as a public local file store.

Technical and organizational measures

These safeguards are active and part of daily operation.

  • HTTPS/TLS protects the connection between browser and application; FTP without TLS remains technically unencrypted as a target protocol.
  • User account passwords are stored with password_hash; connection secrets are stored encrypted with AES-256-GCM.
  • Sessions use HttpOnly, Secure, and SameSite=Lax; CSRF protection, login protection, and limited session lifetimes are also in place.
  • Email login codes and trusted browsers reduce unauthorized logins; TOTP and backup codes are prepared in the data model.
  • Roles separate regular users and admins. Admins manage accounts, but stored FTP/SFTP passwords are not shown to them in plain text.
  • Logs are used for security, troubleshooting, and abuse prevention. Passwords and private keys must not be logged; retention is limited in the admin area.

Security reports

Security-related findings can be reported at any time through the support contact.