Data Security
How we protect your account and WhatsApp data.
Our approach
WaSphere is designed for self-hosted deployment. Security depends on your server setup, but we follow these practices in the application itself.
Account security
- Passwords are hashed with bcrypt — never stored in plain text
- Sessions use HTTP-only cookies to reduce theft risk
- API routes require authentication
- Each user only sees their own sessions and chats
WhatsApp session security
- Auth tokens are stored in encrypted session files on the server
- QR linking uses WhatsApp’s own Linked Device protocol — we never see your WhatsApp password
- Disconnect a session at any time from WhatsApp → Linked Devices on your phone
Data at rest
Messages, contacts, and media are stored as JSON and files on your server disk. Encrypt your server disk (e.g. AWS EBS encryption) and restrict SSH access for production deployments.
Data in transit
Always run WaSphere behind HTTPS in production (SSL certificate via nginx or AWS ALB). Never expose port 3000 directly to the public internet without TLS.
Recommendations for store owners
- Use a strong unique password for your WaSphere account
- Limit who has dashboard access
- Keep your server and Node.js updated
- Back up the sessions/ and storage/ folders regularly
- Set a strong SESSION_SECRET environment variable on the server
Incident response
If you suspect unauthorised access, change your password immediately, log out all WhatsApp sessions from your phone, and contact your server administrator.