Ghost Inspector uses best practices for internet security. This helps ensure that your data is safe, secure, and available only to authorized users. Your data will be completely inaccessible to anyone else unless you explicitly choose to share that data with the public.
Ghost Inspector enforces secure HTTPS for our entire website, including the public (unauthenticated) parts of the site. All communications with Ghost Inspector’s API are also protected with SSL. We also use HTTP Strict Transport Security to ensure your web browser never interacts with Ghost Inspector over insecure HTTP.
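The HSTS policy mentioned above can be verified from the outside by inspecting the `Strict-Transport-Security` response header. The following is an added example, not Ghost Inspector's own code: it parses the header's directives and flags the weak settings a reviewer would look for (header absent, `max-age` of zero or under one year, `includeSubDomains` missing). The sample header values are constructed; the one-year threshold is the value commonly required for preload lists.

```python
"""Check a Strict-Transport-Security header against common hardening guidance.

Added example, not Ghost Inspector code. Sample headers are constructed.
"""
import re

ONE_YEAR = 31536000  # seconds; the usual minimum max-age for HSTS preload lists


def parse_hsts(header):
    """Parse the directives of an HSTS header value into a dict.

    Directive names are case-insensitive; max-age carries an integer value,
    includeSubDomains and preload are valueless flags (stored as "").
    """
    directives = {}
    for part in header.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, value = part.partition("=")
        directives[name.strip().lower()] = value.strip().strip('"')
    return directives


def check_hsts(headers):
    """Return a list of findings for the HSTS policy in a response header dict.

    An empty list means the policy passes: header present, max-age is an
    integer of at least one year, and includeSubDomains is set.
    """
    findings = []
    value = None
    for name, v in headers.items():
        if name.lower() == "strict-transport-security":
            value = v
    if value is None:
        findings.append("missing Strict-Transport-Security header")
        return findings
    d = parse_hsts(value)
    if "max-age" not in d:
        findings.append("max-age directive missing")
    elif not re.fullmatch(r"\d+", d["max-age"]):
        findings.append("max-age is not an integer")
    else:
        age = int(d["max-age"])
        if age == 0:
            findings.append("max-age=0 disables HSTS")
        elif age < ONE_YEAR:
            findings.append(f"max-age {age} is below one year")
    if "includesubdomains" not in d:
        findings.append("includeSubDomains not set")
    return findings


def check_url(url):
    """Fetch a URL over HTTPS with a HEAD request and check its HSTS header.

    Network helper for real use; the offline sample below does not call it.
    """
    import urllib.request
    req = urllib.request.Request(url, method="HEAD")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return check_hsts(dict(resp.headers))


# Constructed sample responses: one hardened, one weak, one without HSTS.
SAMPLES = {
    "hardened": {"Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload"},
    "weak": {"strict-transport-security": "max-age=300"},
    "absent": {"Content-Type": "text/html"},
}

if __name__ == "__main__":
    for label, headers in SAMPLES.items():
        print(label, check_hsts(headers) or "ok")
```

Browsers only honour the header when it arrives over HTTPS, so run `check_url` against the `https://` origin; a site that serves the header but has never been visited over HTTPS is still exposed on its first plain-HTTP request, which is what preload lists address.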
Ghost Inspector provides each user in your organization with a unique username (e-mail address) and password. These credentials must be entered to access your organization’s data. A private API key is also available within each account, which must be used when accessing our API. Two-factor authentication is available for all user accounts.
The Ghost Inspector recording extension allows you to record your actions and make them into a test. It only does this when you manually start recording a test; it’s not tracking your actions otherwise. Active recording is indicated by a green toolbar icon. The recording stops the second you finish (or cancel). Furthermore, the extension only sends the recorded data to our servers when you save the test. It does not send this data to our servers during the recording process — only when you explicitly save it.
The extension is only capable of making a small number of API calls to our servers. It can authenticate your account. We do this with your e-mail address and password, but we do not store a copy of these locally. Instead, we store your API key for future authentication. Other API calls are used to get a list of your current suites and tests. The last type of API call that the extension performs is sending your recording to our servers when you save it. All of these are done over HTTPS.
Ghost Inspector is hosted on Amazon Web Services which provides comprehensive security practices for our underlying infrastructure. We follow AWS recommended best practices for architecting in the cloud. See AWS Cloud Security Documentation for more information. Ghost Inspector runs services and stores data in the us-east-1 region located in Northern Virginia, USA. We do offer various global geolocations for test running. These geolocations are not used by default, only when explicitly enabled for your tests. Each geolocation corresponds with a specific AWS region and operates as a network proxy only; it does not run tests or host databases directly.
Ghost Inspector allows you to store browser actions in a test and execute them from our servers. This can include logging into websites with a set of credentials. We provide an option for making values private. This prevents the value from being displayed in your test results but does not encrypt the actual value in our database. All test information is stored as plain text in our database. While we take the utmost precautions to secure our servers and database (including the use of "data at rest" encryption on database disk volumes), if a database breach were to occur, test data would be accessible. For this reason, we insist that you never use live credentials or any type of sensitive data within a test — whether specified manually or recorded with our extension.
If your test requires an account login, dummy data and/or staging servers should be used. If you're logging into a production application with Ghost Inspector, you should use an account designated for Ghost Inspector that does not contain any sensitive data and can easily be disabled. You should never use your own private credentials.
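The guidance above (staging hosts, dummy accounts, no live credentials, and the fact that a "private" value is only hidden from results, not encrypted at rest) can be enforced before a test is ever saved. The following is an added example, not Ghost Inspector's own code: a lint pass over a test definition that flags navigation to non-staging hosts and values that look like live secrets, whether or not they are marked private. The step structure (a list of dicts with `command`, `target`, `value` and `private` keys), the allowed-host set, the token-prefix list and the entropy heuristic are all assumptions for illustration, not Ghost Inspector's real export format or rules.

```python
"""Lint a browser-test definition for live credentials or production targets
before it is saved to a hosted test service.

Added example, not Ghost Inspector code. The step structure, ALLOWED_HOSTS,
SECRET_PREFIXES and the entropy heuristic are assumptions for illustration.
"""
import math
from urllib.parse import urlparse

# Hosts a test may navigate to: staging and local environments only (assumed).
ALLOWED_HOSTS = {"staging.example.test", "localhost"}

# Prefixes of well-known long-lived token formats (assumed, extend as needed).
SECRET_PREFIXES = ("AKIA", "ghp_", "sk_live_", "xoxb-")


def shannon_entropy(s):
    """Bits of entropy per character: random tokens score high, words score low."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())


def looks_like_secret(value):
    """Heuristic: a known token prefix, or a long, high-entropy, mixed
    letter/digit string. E-mail addresses (containing '@') are excluded so a
    dummy login name is not mistaken for a token.
    """
    if value.startswith(SECRET_PREFIXES):
        return True
    if "@" in value or " " in value or len(value) < 20:
        return False
    has_digit = any(ch.isdigit() for ch in value)
    has_alpha = any(ch.isalpha() for ch in value)
    return has_digit and has_alpha and shannon_entropy(value) > 3.5


def lint_test(steps):
    """Return findings for steps that target non-staging hosts or carry secrets.

    A "private" flag only hides the value from results; the stored value is
    still plain text, so a private secret is flagged exactly like a visible one.
    """
    findings = []
    for i, step in enumerate(steps):
        value = str(step.get("value", ""))
        if step.get("command") == "open":
            host = urlparse(value).hostname or ""
            if host not in ALLOWED_HOSTS:
                findings.append(f"step {i}: navigates to non-staging host {host!r}")
        elif step.get("command") in ("type", "assign"):
            if looks_like_secret(value):
                tag = " (private)" if step.get("private") else ""
                findings.append(
                    f"step {i}: value for {step.get('target')!r} looks like a live secret{tag}"
                )
    return findings


# Constructed sample test: opens a production-looking host and types a
# random-looking password into a field marked private.
SAMPLE_STEPS = [
    {"command": "open", "value": "https://app.example.com/login"},
    {"command": "type", "target": "#email", "value": "ci-bot@staging.example.test"},
    {"command": "type", "target": "#password", "value": "Xk8pQz2vLm9wRt4yBn7cHd3s", "private": True},
]

if __name__ == "__main__":
    for finding in lint_test(SAMPLE_STEPS):
        print(finding)
```

Run this as a pre-commit or CI step over exported test definitions; the entropy threshold is deliberately loose, so treat a hit as a prompt to confirm the value belongs to a disposable staging account rather than as proof of a leak.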
Why do we take this stance? The nature of browser testing makes encryption of values very challenging to uphold in all situations. We need access to plain text values to assign them into inputs, like a password field in a login form. This means we can't simply hash passwords to some irreversible value the way you typically do when storing passwords. Even when encrypting values in our database, we still need to send them in plaintext to the browser via automation APIs. There's a chance the value could be stored in a log file by the test runner or another service. If assigned improperly, the value could show up in a video or appear in a screenshot. There are many opportunities for a value to be exposed, some of which are out of our control and are instead based on the design of the test itself. For that reason — and because Ghost Inspector is designed as a testing product — our stance is simply that sensitive credentials should not be stored with us.
We understand that this may disqualify some companies from leveraging our service, but we feel that it's the right approach for us considering the risks involved in allowing sensitive information to be stored and used in the way that browser testing requires.
Ghost Inspector employees will only access your account data when one of the following scenarios occurs:
We're always happy to answer any questions or concerns about security you might have. If you are a Ghost Inspector customer (or potential customer) and have further questions about security, just visit our Support page.
If you've found a security vulnerability in a Ghost Inspector website or service, please send an email to our security team at email@example.com. Your email will be promptly reviewed and we will respond. We request that you not publicly disclose the issue until it has been addressed by us. We do attempt to reward responsible security reports that are sent to us. You can find more details about this on our Bug Bounty Program page.
If you choose to contact our security team, you can encrypt with PGP or the free alternative GnuPG. Our PGP key is listed below. This key is also registered with the MIT Public Key Server. You may use this key to encrypt your communications with Ghost Inspector.
Once you've imported our key, you can verify the signature of emails we send you by running
User name: Ghost Inspector Security <firstname.lastname@example.org>
Key ID: BAF4CFC2
Key fingerprint: E653 F48A 88CD 7C81 4F83 06AB CC5A 476A BAF4 CFC2
Expiration date: April 7, 2020

-----BEGIN PGP PUBLIC KEY BLOCK-----
Comment: GPGTools - https://gpgtools.org

mQINBFcGUz8BEAC26eL1oxPuQOsgrvigjC7RyUnOYPAjjna09hDQgXOATiHGbRTw
ZUkjHCG2lwSbEB+zc9YZtXnK9RfpIWjdFjkHvhhSwiCooFagfgYL0KHr4VrGjMQp
9ovuZE3aCuoBuZQxsSAN5/DIMU7SYIO1Xen3JvjC5E83Pp1fH0vdTFqgy19Pdl2W
wJcWLp7KPTlG/3c/qrJQ4uiD8PSfo6mj8Oe7TQCVtr0CcKorJZwK/yMX+mhJWh9P
n7o2b98f97D5wlWfnMPTUzu32+ZJg/pJyk/dbdzHvr3Rurm8NbIeWszJSHmwviIR
dDKfMhrbBD0L8f3xaNhH5D8pGQYNOp+Ztq5GSRueWmLXDPlCryyWj+711AJ3WJLh
AjZ73DF5Q+WR6qdJltIcggjUZleJNGFDQGQQE9SZ2wa52jnCkZQg/kb5v6gJw4UJ
2axdJ1XMdsYGnbvf+hY1xOZqS6TjhI7HPYt7w3n1aXn1WE3lY6Q3Gv35QowpMHPm
FdWGUQoZs1lNyqaK2MV0upZ4XhPp1mpPZ76nudvpG9Rpt445pP+G2VaaxqZXYbAk
1WTMsUVEKnSV/4LfTCiGEAlHZ1ss/URsNIN7pKEFUa/dJM1A5w7QaHmjwkhvKTnc
VoPfHRaju3bktDTQMbadWUWE9bu65RuIUOO3LwYDf8mhKA2zUh5TuMUnrQARAQAB
tDZHaG9zdCBJbnNwZWN0b3IgU2VjdXJpdHkgPHNlY3VyaXR5QGdob3N0aW5zcGVj
dG9yLmNvbT6JAj0EEwEKACcFAlcGUz8CGwMFCQeGH4AFCwkIBwMFFQoJCAsFFgID
AQACHgECF4AACgkQzFpHarr0z8IGAg/+N3k/d52wZtoIlY0j8pJdmEyi33IoGOjh
yiunnVmwmi0ETinVtes10oWa2iunRhErOu9d3w7/xdhZn9l5UgsIzlxR/7jjwJet
wm7PbYre4Vc3RjaWiHCa2eMvIqJpAMXGb2tZMknfCMCKcOrSZrwfhpI12DgWe2Sh
GaYiysEsFk8D/WjhnG/RqIiuAIVoJsllqWwySbUhMlic2UfLHhz3E/g2MfgspCU1
HpQp25dRchwwS3kN65Lp5iyp2+ALJkBdQ9TLkStDxO1uJB6Ww/XcFQqwSXHNYDKS
JmZIYQVynQzVaV1UEyQkdWAQIBPc5RT42XyVARxZYEFnAOxV7V6kDrm9QiU5G6WG
SosDr5AKCc3cj/5AiPAuttFGUySa3Se9dt6K86KZPMyAvmrm7X9F15UbUrff9Fhr
4Z6DruLXuyrPGbfwX/0ZVhM1bEZHjcuEVrnqSuo0kB42RqqCu9+kfyhKpb65SZri
o8nae5PMArSt98hdPL2/HVK4jPt1Sz2uznoZHLK2ZO3oTKNHPMueyVzd3s31eNeM
oQVg2dn/zx3bUSOi4tvzQ7uL/VlFOe1Hmgj1jQeuNxk941XBP5UfqgTH3IdXB6BJ
MBcBtRpoDFrk+3vCeQoPtpGSJUWfdaaKNJV+XliUvWqV3jcUHHaOB3PaAPWMy92F
26IEHiSVf/G5Ag0EVwZTPwEQAMPJA8Od4QjZYd78xbJZKwFYLucDcff9lWZsHqux
8x9SiEV+4WKYNUlsFVTsMr8oGQW3oH0tC6mMheh9PYn6qjti2zYL7edsq/F3fvAT
YiSujzxPkczMk+bQewcCz5FS4nfooeev9S80lvKcLN4j+3wzg6jW/wCZhx+Mbw4w
yUUBnipYFXy9QsN7rvF+lbvZrMiaNphK6qWP18z2uaBbFDajB9O8tCYyb77Fc7xv
hIDiIb1KvqhYgLqu/GNGr8Kh1oz01+FwTNkbgRqB3YjXkvuM1MFUpAE5Jfxsrc4H
Eb649TUHEqAsNHv4PePIfV/60+ZerpXIZoYjICJrf9mYR5/WU8Y9BgHFhf3DwQED
fpaxnCmXai94bAQioQdR81ZDHsNo9nAKtanSkufUAmTiqvEb2mhqvVbL/kqTwa9W
PdWqnxvR2RprGsZYOSJlvdPmYWUQA0yxwqnppeyT2X/HNi+35k+WXcV41Fy0EqQh
fqEhvyexgJe/p4YTPcWMSk/m4W5zuwqZZ3iVUGNgOtcVK6NRwCPEEWRYakZQLDBu
nKEWW3242IQAOYO4um0ed49XsQCqAB/86B4RiCApNYkNeUfKaoiJOJRH2rzKjV5+
4nHw6xWIp+ZRaHhwjA4BzJy0+OPotBSHylpcwUOxEWs9VfGeovooDcbBvVCNqU7w
fYBnABEBAAGJAiUEGAEKAA8FAlcGUz8CGwwFCQeGH4AACgkQzFpHarr0z8IoXQ//
cxUCT9CSed78vl8xn8ITDC5asKrUNQfpb1dt++N2AEpUdlOoYNIYNV1nqIEb4IdA
ONXjlvY9hBY938LUaKONcM1aqnrBUh+uSbApZU9zXnGAJ1wq23DxTNFvxdSBeKzQ
OBbMQLrmkWgc5jeD/i4vTxTduMNDrdEb9Q2uR2y/w4/ZSR64TzWojufSaNBTJeIQ
oH3cHwTDYoTqZatgIkefi6EjelyMFVSK2pISmBbTNVmvIAJnHwjxsO+SJ/MQGFJm
4ChXA7SeLmYnIcvOaG0xpSiKYPk28wQfQwujaen3S3qsC6aT8FtaadjMyqrtQqe2
/A4DmQ+y7K0yvYqGi29rkoi37gnnE0WAuyvcPsfLMesPSHdElJ+D3PTevUiy2m4x
k7cJRkNJ+Z3Owa91maAkjPV+aHvRzpl1820fsTUpAmb223jiMzExChNj0JKYdpZZ
annallDxO9r2O4VzGRtcQri0FU7SS28uXUtiTo+NK3L4/02pLuC5n2SndqlDAEln
mBu1m8/UeJp9sjy0dgVurOT09BUAoATY4/Lc+jsjhbRLx0+P/SglM9xepRGs1+fs
Nh2hfvDB5JlQTmjtGZETW8PhZgSp4RtVuCSUOOO4bOX0zshSyLHNSzouw/DTe1Wn
LDrcbAvSmZ7G564X11RXsNR+oCSr7wgKuc0nB8Um9iM=
=HUXk
-----END PGP PUBLIC KEY BLOCK-----
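Before importing a key pasted from a web page, two checks are worth doing: that the ASCII armor survived transcription intact (the trailing `=XXXX` line is a CRC-24 over the decoded key bytes, per RFC 4880 section 6.1), and that the fingerprint your keyring tool reports after import matches the one published above, with the short key ID being the last eight hex digits of that fingerprint. The following is an added example, not Ghost Inspector's own code: an armor parser with the CRC check, plus fingerprint and key ID comparison using the values the page lists. The armored sample it parses is constructed with its own `armor_encode` helper, not the key above; the CRC proves only integrity of the copy, while the fingerprint comparison is the authenticity step.

```python
"""Pre-import checks on an ASCII-armored OpenPGP public key: verify the armor
CRC-24 (RFC 4880, section 6.1) and compare a fingerprint against the one
published out of band.

Added example, not Ghost Inspector code. The armored sample built in __main__
is constructed here with armor_encode(), not the key from the page.
"""
import base64

CRC24_INIT = 0xB704CE
CRC24_POLY = 0x1864CFB
BEGIN = "-----BEGIN PGP PUBLIC KEY BLOCK-----"
END = "-----END PGP PUBLIC KEY BLOCK-----"


def crc24(data):
    """OpenPGP armor checksum over the raw (base64-decoded) packet bytes."""
    crc = CRC24_INIT
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= CRC24_POLY
    return crc & 0xFFFFFF


def armor_encode(data, comment=None):
    """Produce a public-key armor block; used here to build sample input."""
    lines = [BEGIN]
    if comment:
        lines.append(f"Comment: {comment}")
    lines.append("")
    b64 = base64.b64encode(data).decode()
    lines += [b64[i:i + 64] for i in range(0, len(b64), 64)]
    lines.append("=" + base64.b64encode(crc24(data).to_bytes(3, "big")).decode())
    lines.append(END)
    return "\n".join(lines)


def parse_armor(text):
    """Return (headers, packet_bytes); raise ValueError if the armor is damaged."""
    lines = [line.rstrip() for line in text.strip().splitlines()]
    if lines[0] != BEGIN or lines[-1] != END:
        raise ValueError("not a PGP PUBLIC KEY BLOCK")
    body = lines[1:-1]
    headers = {}
    # Armor headers ("Name: value") precede the blank line before the data.
    while body and ":" in body[0]:
        name, _, value = body.pop(0).partition(":")
        headers[name.strip()] = value.strip()
    body = [line for line in body if line]
    if not body or not body[-1].startswith("="):
        raise ValueError("armor checksum line missing")
    data = base64.b64decode("".join(body[:-1]), validate=True)
    expected = int.from_bytes(base64.b64decode(body[-1][1:]), "big")
    if crc24(data) != expected:
        raise ValueError("armor checksum mismatch: block was altered or truncated")
    return headers, data


def fingerprint_matches(shown, published):
    """Compare two fingerprints ignoring spacing and case."""
    def norm(s):
        return "".join(s.split()).upper()
    return norm(shown) == norm(published)


def key_id_from_fingerprint(fingerprint):
    """The short key ID is the low 32 bits (last 8 hex digits) of the fingerprint."""
    return "".join(fingerprint.split()).upper()[-8:]


# Fingerprint and key ID as published on the page above.
PUBLISHED_FINGERPRINT = "E653 F48A 88CD 7C81 4F83 06AB CC5A 476A BAF4 CFC2"
PUBLISHED_KEY_ID = "BAF4CFC2"

if __name__ == "__main__":
    sample = armor_encode(bytes(range(200)), comment="constructed sample")
    headers, data = parse_armor(sample)
    print("armor ok:", headers, len(data), "bytes")
    # Simulate what a keyring tool would print after import, then compare.
    shown = "e653f48a88cd7c814f8306abcc5a476abaf4cfc2"
    print("fingerprint matches:", fingerprint_matches(shown, PUBLISHED_FINGERPRINT))
    print("key id matches:", key_id_from_fingerprint(shown) == PUBLISHED_KEY_ID)
```

A short key ID alone is not enough to identify a key, since 32-bit IDs can be deliberately collided; always compare the full fingerprint obtained from a second channel (this page, or a signed e-mail you already trust) rather than relying on the ID returned by a key server search.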