Security Policy
This document describes the security practices, responsible disclosure process, and data handling policy for diag.md — a network diagnostic tool operated by iHost.md.
Last updated: March 2026
Responsible Disclosure
We take security seriously. If you discover a vulnerability in diag.md or any iHost.md service, we encourage responsible disclosure and will work with you to resolve it promptly.
- Email your findings to security@ihost.md with a clear description of the issue
- Include steps to reproduce, potential impact, and any proof-of-concept if applicable
- We aim to acknowledge reports within 48 hours and provide a resolution timeline within 7 days
- Please do not publicly disclose the vulnerability until we have had a reasonable opportunity to address it
- We do not operate a bug bounty program at this time, but we will publicly acknowledge responsible disclosures if desired
Scope
The following assets are in scope for security research:
✓ diag.md
✓ ihost.md
The following are explicitly out of scope:
✗ Third-party services (proxycheck.io, Google Fonts)
✗ Social engineering attacks
✗ Physical security
✗ Denial of service attacks
Please do not perform automated scanning, fuzzing, or load testing against production systems without prior written permission.
Data Collected
diag.md collects the following data only when a user explicitly clicks "Generate Report":
- Public IP address and GeoIP metadata (country, city, ISP, ASN, coordinates)
- VPN/proxy/TOR detection results from proxycheck.io
- Browser environment signals (User-Agent, screen resolution, language, platform, WebGL)
- Bot/headless browser detection signals — computed locally, result only
- Speed test results (download Mbps, upload Mbps, latency ms) — if test was run
- DNS blacklist check results for the detected IP
- Browser fingerprint hash (SHA-256, used only for rate-limiting — not stored in the report)
No data is collected passively. Visiting the page without clicking "Generate Report" stores nothing server-side.
Data Storage & Retention
- Reports are stored as JSON files on iHost.md infrastructure in Moldova
- Reports are accessible only via their unique ID — there is no index or search of all reports
- Rate-limiting data (fingerprint hashes, IP timestamps) is stored in
/tmp/ and expires automatically after 60 minutes
- No reports are shared with third parties except as necessary to operate the service (e.g. proxycheck.io receives the IP for lookup)
- Reports do not expire automatically by default. Contact support@ihost.md to request deletion of a specific report by ID
No Advertising or Tracking
- No advertising of any kind is displayed on diag.md
- No third-party analytics, tracking pixels, or cookies are used
- Google Fonts are loaded externally — if this is a concern, fonts can be self-hosted
- No user accounts, sessions, or persistent identifiers are created
Transport & Infrastructure Security
- All traffic is served over HTTPS with a valid TLS certificate
- Security headers are set:
X-Content-Type-Options, X-Frame-Options: DENY, Referrer-Policy, Permissions-Policy
- Sensitive directories (
/reports/, /tmp/) are blocked from direct HTTP access via .htaccess
- Configuration files (
config.php) are not accessible via HTTP
- Rate limiting is enforced server-side per browser fingerprint (1 report / 60 min) and per IP (30 reports / hour)
- No database is used — reports are flat JSON files, eliminating SQL injection risk