Xferity Capabilities Summary — Complete Feature Reference

Capabilities Summary

Xferity is a secure, self-hosted managed file transfer (MFT) platform.

Transfer protocols

Xferity supports:

SFTP — SSH host key verification required; password or SSH key auth; remote file stability checks
FTPS — Explicit TLS (FTPES); passive mode; SHA-256 server certificate fingerprint pinning
AS2 — Certificate-based B2B message exchange; MDN receipts (sync and async); inbound and outbound
Amazon S3 — IAM or static credential auth; upload and download
S3-compatible storage — MinIO, Cloudflare R2 via endpoint override
WebDAV — HTTP-based upload and download; PROPFIND listing; MKCOL collection creation; Basic auth over HTTPS
Azure Blob Storage — Object upload and download; shared-key, connection-string, or DefaultAzureCredential auth; custom endpoint support

Transfer execution

Flow-driven — every transfer defined as a named, versioned YAML flow
Durable job queue — PostgreSQL-backed jobs with SELECT FOR UPDATE SKIP LOCKED
Six-field cron scheduling — seconds-level cron expressions per flow
Interval-based polling — run-service --interval-seconds N
Exponential backoff retry — configurable max attempts, base delay, cap, jitter
SHA-256 content-hash idempotency — duplicate files skipped across retries and reruns
Distributed flow locking — prevents concurrent execution; stale-lock takeover
Dead-letter handling — files exhausting retries moved to configurable dead-letter directory
Resume support — xferity resume re-enters from last committed state

Cryptography

OpenPGP encryption — encrypt before upload
OpenPGP decryption — decrypt after download
OpenPGP signing — sign before upload (detached or inline)
OpenPGP signature verification — verify after download
Native Go provider (gopenpgp) — no external binary dependency
GnuPG provider (gnupg) — full GnuPG pipeline for enterprise key structures
Controlled auto-fallback (auto) — native first; GnuPG only for compat_enterprise_key_structure
Isolated GnuPG homes — one temporary home per operation; no shared keyring
X.509 certificate inventory — import, generate, store, bind, expiry tracking
AS2 certificate roles — signing, verification, encryption, decryption, HTTPS trust per partner
PGP Key inventory — import, store, capability verify, bind to partner roles
Partner Crypto Policy — unified view of all crypto roles per partner
Flow Crypto Requirements — derived from canonical FlowRoleSpecs(); governs validation + UI + preflight + runtime

Security

SSH host key verification — required for SFTP (no silent accept-all)
FTPS TLS fingerprint pinning — optional SHA-256 server cert fingerprint
AS2 per-partner certificate roles — 5 distinct role types
7 secrets providers — env, file, local AES-256 vault, HashiCorp Vault, AWS Secrets Manager, Azure Key Vault, literal
AES-256 local vault — secrets stored encrypted in Postgres; managed via UI
Hardened mode — startup failure on: plaintext secrets, insecure TLS, Postgres sslmode=disable, missing auth/TLS config
Strict YAML parsing — unknown config fields cause startup failure
6-domain posture engine — crypto, secrets, transport, auth, flow drift, platform
Posture scopes — platform, per-partner, per-flow
Active Findings and Suppressed Findings — suppression tracked, not erased
Hourly posture snapshots — Postgres-backed only
Posture trend charts and regression detection
Regression alerts — delivered via: Email, Slack, Webhook, Ntfy, Gotify, Pushover
Tamper-evident audit log — SHA-256 hash chain; verifiable with jq/awk
JSONL audit records — one structured event per file operation
Strict redaction mode — strips PII, bearer tokens, private key blocks from events
Local auth (bcrypt) with session cookies and CSRF protection
OIDC — any OpenID Connect-compatible IdP (Postgres-backed only)
Rate limiting — per-IP limits on UI and API endpoints
Air-gap ready — no mandatory outbound connections; local license validation

Operations

CLI commands:

xferity validate — strict YAML config validation
xferity diag [flow] — pre-flight endpoint, key, cert, filesystem checks
xferity run <flow> — manual one-shot execution
xferity run <flow> --dry-run — simulate without transferring
xferity run-all — run all configured flows
xferity run-service <flow> — long-running polling daemon
xferity resume [flow] — resume from last committed state
xferity logs <flow> — tail logs with level filter
xferity flow status — current status of all flows
xferity flow history <flow> — per-run outcomes and retry counts
xferity trace <filename> — full file lifecycle across all runs

Web UI (Postgres-backed):

Partner management (view, create, edit, test)
Certificate inventory (import, generate, bind, expiry)
PGP Key inventory (import, capabilities, bind)
Partner Crypto Policy dashboard
Security posture dashboard (Findings, Suppressed, trends)
Suppression management
Flow status and run history
Local secrets vault management
AS2 inbox and MDN tracking
License status

HTTP REST API:

Full API backing every UI operation
POST /api/flows/<flow>/run
GET /api/audit?file=<basename>
Health and metrics endpoints

Observability

Prometheus metrics at /metrics — authenticated admin access
- flow runs, queue depth, transfer bytes, retries, cert expiry, auth failures, notifications, AS2
Pre-built Prometheus alert rules — cert expiry, queue buildup, failure rate
Health endpoints:
- /health/worker — unauthenticated readiness
- /health — general (authenticated)
- /health/secrets — secret provider health (authenticated)
- /health/certificates — certificate expiry (authenticated)
Structured JSON logs — level, flow, run_id, correlation_id on every line
Crypto observability fields — provider, fallback_used, fallback_reason, cleanup_status
Audit sidecar index — fast file lifecycle lookup without full log scan
xferity trace <filename> — per-file full audit history

Integrations

Identity:

Local auth (bcrypt + session)
OIDC (any OpenID Connect IdP)

Notifications (6 channels):

Email (SMTP), Slack (incoming webhook), HTTP Webhook, Ntfy, Gotify, Pushover

Secrets backends (7 providers):

env:, file:, local-vault:, vault:, aws-sm:, azure-kv:, literal:

Transfer endpoints:

SFTP servers (any SSH2-compatible)
FTPS servers (explicit TLS, passive mode)
AS2 trading partners (any AS2-compatible, inbound + outbound)
S3-compatible object storage (AWS, MinIO, Cloudflare R2)
WebDAV servers (Nextcloud, ownCloud, SharePoint DAV endpoints, Box, Apache mod_dav, nginx-dav)
Azure Blob Storage endpoints (Azure Storage Accounts, Azure Government, Azurite)

Monitoring integrations:

Prometheus scraping
Log aggregation tools (Loki, Fluentd, Splunk, etc.)

Deployment options

Deployment	Description
Docker (single container)	Multi-stage Dockerfile; Alpine-based image; Compose file included
Docker Compose with PostgreSQL	Full feature set; persistent state
Native binary (Linux)	Single Go binary; no container runtime required
Native binary (Windows)	Windows-native; replaces WinSCP scripts or Windows-based MFT
Air-gapped	No mandatory outbound connections; local license validation

Runtime modes:

Mode	When to use
File-backed	Evaluation, small deployments; no external dependencies
Postgres-backed	Production; durable jobs, full UI, crypto inventory, posture snapshots

What Xferity does not do

Does not implement clustering or automatic HA
Does not implement a Kubernetes operator
Does not replace SIEM, network security, or identity governance
Does not guarantee compliance by itself
Does not provide legal non-repudiation by itself (audit log provides tamper-evidence, not external immutable anchor)

Where to go next

Goal	Page
Understand what Xferity is	Overview
Understand the runtime model	Architecture
Understand core terminology	Core Concepts
See transfer capabilities in detail	Capabilities: Transfers
See security capabilities in detail	Capabilities: Security
See crypto capabilities in detail	Capabilities: Cryptography
Start deploying	Getting Started
Configure a flow	Flow Reference
Compare with MOVEit	Xferity vs MOVEit