Tijori
DocumentationArchitecture
Validated Security

Zero-Knowledge Architecture

Tijori is built on the principle that we should never have access to your secrets. All encryption and decryption happens exclusively in your browser. Project passcodes are verified server-side (passcodes are never stored), while secret values remain client-only.

The Core Philosophy
Even if our database were fully compromised, your secrets would remain encrypted and unusable. We store only salted hashes of your passcodes and strongly encrypted blobs of data, and verify project passcodes on the server without persisting them.

Security Stack

Modern cryptographic standards powered by the Web Crypto API.

AES-256-GCM
Symmetric Encryption
We use 256-bit keys with a 96-bit IV. This provides authenticated encryption, ensuring both the confidentiality and integrity of your secrets.
PBKDF2
Key Derivation
Keys are derived using 100,000 iterations of SHA-256 with random salts. This makes brute-force attacks on your passcodes extremely difficult.
SHA-256
Secure Hashing
We never store your passcodes. Instead, we store a secure SHA-256 hash to verify correctness during the unlock process.

Key Hierarchy

How your master key and project passcodes interact.

1
Master Key→ Derives Master CryptoKey
2
Project Passcode→ Encrypted by Master Key (for recovery)
3
Project CryptoKey→ Encrypts all Environment Variables

Threat Model

Protected Against

  • Eavesdropping (encryption in transit)
  • Server compromise (zero-knowledge design)
  • XSS attacks (strict CSP + React escaping)
  • CSRF (token-based auth)
  • Unauthorized data access (RBAC)

Out of Scope

  • Compromised user machine (keyloggers)
  • Physical access (shoulder surfing)
  • Weak or short passcodes (high-entropy required)
  • Forgotten master key (no recovery possible)

Response Headers

Security HeaderProduction Value
Content-Security-PolicyStrict allowlist
X-Content-Type-Optionsnosniff
X-Frame-OptionsDENY
Referrer-Policystrict-origin-when-cross-origin

Reporting a Vulnerability

We take security seriously. If you've discovered a vulnerability, please report it responsibly through our security portal on GitHub.

Open Security Policy
Return to Dashboard