🔐
Argon2id Hashing
All passwords and SMTP credentials use argon2id with tuned memory and iteration parameters.
🔒
TLS Encryption
HTTPS everywhere with TLS 1.2+. SMTP supports STARTTLS for encrypted email capture.
🛡
Data Isolation
Strict per-account isolation at the database level with foreign key constraints.
Authentication & Credentials
- User passwords hashed with argon2id — the Password Hashing Competition winner.
- SMTP inbox credentials use separate argon2 hashes, isolated per inbox.
- Session tokens are 256-bit cryptographically random with 30-day expiry.
- API keys stored as SHA-256 hashes — raw key shown once on creation.
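
A minimal sketch of the session-token and API-key handling listed above, added here as an illustration and not the service's own code. The `mh_` prefix and all function names are assumptions.

```python
import hashlib
import hmac
import secrets
from datetime import datetime, timedelta, timezone

SESSION_TTL = timedelta(days=30)  # 30-day expiry, as stated in the list above
KEY_PREFIX = "mh_"                # hypothetical prefix, not taken from the page


def new_session(now=None):
    """Return (token, expires_at). 32 bytes from the OS CSPRNG = 256 bits."""
    now = now or datetime.now(timezone.utc)
    return secrets.token_urlsafe(32), now + SESSION_TTL


def session_valid(expires_at, now=None):
    """A session is valid strictly before its expiry instant."""
    now = now or datetime.now(timezone.utc)
    return now < expires_at


def issue_api_key():
    """Return (raw_key, stored_digest).

    The raw key is shown to the user once; only the digest is persisted.
    A fast hash is acceptable here because the key is high-entropy random
    data, unlike a user-chosen password, which needs argon2id.
    """
    raw = KEY_PREFIX + secrets.token_urlsafe(32)
    return raw, hashlib.sha256(raw.encode()).hexdigest()


def verify_api_key(presented, stored_digest):
    """Hash the presented key and compare digests in constant time."""
    digest = hashlib.sha256(presented.encode()).hexdigest()
    return hmac.compare_digest(digest, stored_digest)


if __name__ == "__main__":
    raw_key, digest = issue_api_key()
    print("show once:", raw_key)
    print("store:    ", digest)
    print("verifies: ", verify_api_key(raw_key, digest))
```
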
Data Retention & Deletion
- Emails retained per your plan's policy (7–90 days).
- Expired emails and attachments are permanently purged by automated jobs.
- Account deletion removes all data: inboxes, emails, sessions, and API keys.
Infrastructure
- PostgreSQL 16 — parameterized queries, connection pooling
- Redis 7 — session cache, no persistent sensitive data
- Rate limiting — request throttling with DDoS protection
- Audit logging — immutable, with actor identity + IP + timestamp
Responsible Disclosure
If you discover a security vulnerability, please report it to security@mailhog.site. We acknowledge reports within 48 hours and do not pursue legal action against researchers following responsible disclosure practices.