Security

Notes about security at Ghost Inspector

Security is our top priority and we want to be clear and upfront about how data is stored, used and accessed by Ghost Inspector. If you have questions about our security practices or policies, please contact us from our Support page. If you think you've found a vulnerability in any Ghost Inspector service, please contact us below.

Accessing Data in Ghost Inspector

Ghost Inspector uses best practices for Internet security. This helps ensure that your data is safe, secure, and available only to authorized users. Your data will be completely inaccessible to anyone else, unless you explicitly choose to share that data with the public.

Ghost Inspector enforces secure HTTPS for our entire website, including the public (unauthenticated) parts of the site. All communications with Ghost Inspector’s API are also protected with SSL. We also use HTTP Strict Transport Security to ensure your web browser never interacts with Ghost Inspector over insecure HTTP.

Ghost Inspector provides each user in your organization with a unique user name and password. These credentials must be entered to access your organization’s data. A private API key is also available within each account which must be used when accessing our API.

The Ghost Inspector recording extension allows you to record your actions and make them into a test. It only does this when you manually start recording a test; it’s not tracking your actions otherwise. Active recording is indicated by a green toolbar icon. The recording stops the second you finish (or cancel). Furthermore, the extension only sends the recorded data to our servers when you save the test. It does not send this data to our servers during the recording process — only when you explicitly save it.

The extension is only capable of making 3 API calls to our servers. The first is to authenticate your account. We do this with your e-mail address and password, but we do not store a copy of these locally. Instead, we store your API key for future authentication. The second API call is used to get a list of your current test suites. The last is to send your recording to our servers when you save it. All 3 of these are done over HTTPS.

Storing Data in Ghost Inspector

Ghost Inspector allows you to store browser actions in a test and execute them from our servers. This can include logging into websites with a set of credentials. We provide an option for making values private. This prevents the value from being displayed in your test results but does not encrypt the actual value in our database. All test information is stored as plain text in our database. While we take the utmost precautions to secure our servers and database (including the use of "data at rest" encryption on database disk volumes), if a database breach were to occur, test data would be accessible. For this reason, we insist that you never use live credentials or any type of sensitive data within a test — whether specified manually or recorded with our extension.

If your test requires an account login, dummy data and/or staging servers should be used. If you're logging into a production application with Ghost Inspector, you should use an account designated for Ghost Inspector that does not contain any sensitive data and can easily be disabled. You should never use your own private credentials.

Note: We do hash the password for your actual Ghost Inspector account the same way any secure service would. The discussion above applies specifically to your test data.

Contacting Ghost Inspector regarding security

If you've found a security vulnerability in a Ghost Inspector website or service, please send an email to our security team at security@ghostinspector.com. Your email will be reviewed promptly and we guarantee a personal response within 24 hours. We request that you not publicly disclose the issue until it has been addressed by us. We do attempt to reward responsible security reports that are sent to us. You can find more details about this on our Bug Bounty Program page.

If you choose to contact our security team, you can encrypt with PGP or the free alternative GnuPG. Our PGP key is listed below. This key is also registered with the MIT Public Key Server. You may use this key to encrypt your communications with Ghost Inspector.

Once you've imported our key, you can verify the signature of emails we send you by running gpg --verify.

User name: Ghost Inspector Security <security@ghostinspector.com>
Key ID: BAF4CFC2
Key fingerprint: E653 F48A 88CD 7C81 4F83  06AB CC5A 476A BAF4 CFC2
Expiration date: April 7, 2020

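The import-and-verify workflow described above, written out as an added example (this is not Ghost Inspector's own tooling). The check that matters before trusting the key is that the fingerprint gpg computes from the imported key material matches the one published on this page; the file names ghostinspector-security.asc and message.asc are assumed.

```shell
#!/bin/sh
# Added example: verify the Ghost Inspector security key and signed mail.
# Assumed file names: the exported key in ./ghostinspector-security.asc,
# a signed message saved as ./message.asc.
EXPECTED_FPR="E653 F48A 88CD 7C81 4F83  06AB CC5A 476A BAF4 CFC2"  # from this page
KEY_FILE="ghostinspector-security.asc"
SIGNER="security@ghostinspector.com"

# Normalise a fingerprint (drop spaces, upper-case) so the spaced form on
# the page compares equal to gpg's compact output.
norm_fpr() {
  printf '%s' "$1" | tr -d ' ' | tr '[:lower:]' '[:upper:]'
}

# Succeeds only when the supplied fingerprint equals the published one.
fpr_matches() {
  [ "$(norm_fpr "$1")" = "$(norm_fpr "$EXPECTED_FPR")" ]
}

# Import the key, then read back the fingerprint gpg derived from the key
# itself (machine-readable --with-colons output, first "fpr" record) and
# compare it with the published value. A mismatch means the key file is
# not the one the page describes, whatever its user ID claims.
import_and_check() {
  gpg --import "$KEY_FILE" >/dev/null 2>&1 || return 1
  actual=$(gpg --with-colons --fingerprint "$SIGNER" 2>/dev/null \
           | awk -F: '$1=="fpr"{print $10; exit}')
  fpr_matches "$actual"
}

# Verify a signed message from the security team (exit status 0 = good
# signature from an imported key; gpg prints the signer and any warnings).
verify_mail() {
  gpg --verify "$1"
}

# Encrypt a vulnerability report to the security team before sending it.
encrypt_report() {
  gpg --armor --encrypt --recipient "$SIGNER" "$1"
}

# Run the checks only when invoked directly with an argument, so sourcing
# this file (or running the functions individually) has no side effects.
if [ "${1:-}" = "run" ]; then
  import_and_check || { echo "fingerprint mismatch, do not trust key" >&2; exit 1; }
  verify_mail message.asc
fi
```

Run as `sh verify.sh run` after saving the key and a signed message; `encrypt_report report.txt` writes the ASCII-armored ciphertext to report.txt.asc.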

Do you have concerns about security? Get in touch with us

We're always happy to answer any questions or concerns about security you might have. If you are a Ghost Inspector customer (or potential customer) and have further questions about security, just visit our Support page.