Xferity
Trust, cryptography, secrets, hardened mode, posture, auditability

Security controls built for real file transfer risk

Verify partner endpoints, protect payloads, control secrets, enforce safe configuration, and produce audit-ready evidence without outsourcing trust to scripts or shared SaaS runtime.

Transport trust

Verify the endpoint you are talking to

Xferity keeps trust explicit for each protocol instead of burying it in client defaults, manual runbooks, or one-off script flags.

SFTP host verification

Verify SSH servers with known_hosts or SHA-256 host fingerprints. Xferity does not silently accept unknown host keys.

FTPS TLS validation

Use explicit TLS, passive mode, standard CA validation, and optional SHA-256 certificate fingerprint pinning when CA trust alone is not enough.

AS2 certificate roles

Separate signing, verification, encryption, decryption, and HTTPS transport trust per partner instead of collapsing AS2 trust into one certificate.

Scoped object-storage trust

Apply TLS, credential scoping, and endpoint control for Amazon S3, S3-compatible storage, and Azure Blob workflows.

WebDAV over HTTPS

Run WebDAV exchange through HTTPS with explicit credential handling and transport validation for document and collaboration platforms.

Partner-specific trust boundaries

Keep trust anchored to the actual endpoint, certificate, key, bucket, or collection each partner uses instead of relying on global defaults.

Payload protection

Apply cryptography inside the workflow, not beside it

Encrypt, decrypt, sign, verify, manage certificate roles, and control enterprise key handling without splitting cryptography into disconnected tooling.

OpenPGP encryption and decryption

Encrypt before upload and decrypt after download as part of the flow, using native gopenpgp or GnuPG execution where required.

OpenPGP signing and verification

Sign outbound payloads and verify inbound signatures with detached or inline signature support.

Controlled GnuPG fallback

Use auto mode only for named compatibility cases. Fallback is controlled, explicit, and not treated as a generic retry path.

Isolated GnuPG homes

Run each GnuPG operation in its own temporary home to avoid shared keyring state, agent side effects, and cross-flow contamination.

Certificate inventory

Import, generate, store, bind, and track X.509 certificates with expiry awareness and role validation.

PGP key inventory and Partner Crypto Policy

Track PGP key capabilities, bind keys to the right partner roles, and review crypto posture from a single operator view.

Security controls

Turn good security practice into operating discipline

Use runtime secret resolution, hardened-mode startup enforcement, strict validation, and authenticated operator surfaces to reduce configuration drift and unsafe defaults.

7 runtime secrets providers

Resolve credentials from env, file, local-vault, HashiCorp Vault, AWS Secrets Manager, Azure Key Vault, or literal references instead of embedding routine secrets in config.

AES-256 local vault

Store local-vault secrets encrypted at rest in Postgres-backed deployments and manage them without exposing plaintext back to operators.

Hardened mode startup enforcement

Fail at startup when plaintext secrets, insecure TLS, weak transport settings, or unsafe auth configuration are present.

Strict YAML validation

Reject unknown fields and silent misconfiguration at startup so security settings do not drift quietly into production.

Auth, sessions, and rate limiting

Use bcrypt-backed local auth, session cookies, CSRF protection, OIDC browser login, and configurable per-IP rate limiting for operator surfaces.

UI and API security posture

Apply role-aware access control to the Postgres-backed Web UI and REST API, with hardened mode able to block startup if required auth and TLS settings are missing.

Security posture domains

| Domain | What Xferity evaluates |
| --- | --- |
| Crypto | Certificate expiry, PGP key bindings, AS2 certificate role coverage |
| Secrets | Plaintext credentials, missing secret references, unsafe secret handling |
| Transport | SFTP host key status, FTPS TLS settings, AS2 TLS settings |
| Auth | UI authentication enforcement, rate limiting, access posture |
| Flow drift | Scheduled flows that are no longer executing as expected |
| Platform | Runtime health and required backend/security features |

Audit and evidence

  • Structured JSONL audit records for file transfers, flow lifecycle, authentication events, and AS2 activity
  • SHA-256 hash-chain tamper evidence so deletion, insertion, or modification is detectable
  • Sidecar audit index for fast file and flow queries
  • xferity trace support for file-level lifecycle investigation
  • Strict redaction support for sensitive values and metadata
  • Retention controls for long-term audit storage and pruning
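
How a SHA-256 hash chain over JSONL records makes deletion, insertion, or modification detectable, shown as an added example that is not Xferity's code or record format. The field names (body, prev_hash, hash), the all-zero genesis value, and the sample events are assumptions made for illustration.

```python
import hashlib
import json

GENESIS = "0" * 64  # assumed anchor value for the first record


def _digest(prev_hash, body):
    # Canonical JSON so the same body always hashes to the same value.
    canon = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + canon).encode("utf-8")).hexdigest()


def append_record(lines, body):
    """Append one event to a JSONL log, chaining it to the previous line."""
    prev = json.loads(lines[-1])["hash"] if lines else GENESIS
    record = {"body": body, "prev_hash": prev, "hash": _digest(prev, body)}
    lines.append(json.dumps(record, sort_keys=True))
    return record["hash"]


def verify_chain(lines, expected_head=None):
    """Return (ok, message). expected_head is the last hash, stored elsewhere."""
    prev = GENESIS
    for n, line in enumerate(lines, start=1):
        try:
            rec = json.loads(line)
            body, claimed_prev, claimed = rec["body"], rec["prev_hash"], rec["hash"]
        except (ValueError, KeyError, TypeError):
            return False, f"line {n}: unparseable record"
        if claimed_prev != prev:
            return False, f"line {n}: broken link (record removed, inserted or reordered)"
        if _digest(prev, body) != claimed:
            return False, f"line {n}: content does not match its hash"
        prev = claimed
    if expected_head is not None and prev != expected_head:
        return False, "head mismatch: log truncated or replaced"
    return True, f"{len(lines)} records verified"


def sample_log():
    # Constructed sample events, not real product output.
    lines = []
    for event in ("transfer.start", "transfer.complete", "auth.login"):
        head = append_record(lines, {"event": event, "file": "invoice.csv"})
    return lines, head
```

The chain alone catches edits and mid-log removal; removal of the newest records is only caught when the head hash is compared against a copy kept outside the log, which is why verify_chain accepts expected_head.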

Review Xferity security against your actual requirements

Book a technical security walkthrough focused on trust models, cryptography, secrets handling, hardened mode, audit evidence, and the deployment boundaries your team needs.