SecurityOS is a privacy- and security-first web operating system, a hardened fork of daedalOS (Next.js + TypeScript). It runs entirely in the browser and is built for students, researchers, and security practitioners who want an anonymous, amnesic, self-contained workspace.
os.securityops.co
- Tor Browser (anonymity-only): all web access goes through the Tor Browser; a server-side privacy proxy routes every request over Tor (SOCKS5h, so `.onion` resolves and clear-net hostnames never leak), with tabs and a NoScript-style 3-state JS control (Off / first-party-only / All). There is no clearnet browser. The proxy is SSRF-guarded, fails closed if Tor is misconfigured, pins the SSRF-validated IP, forwards only an allowlist of response headers, and logs nothing. See Tor Browser.
- Memory-safe proxy sidecar: the untrusted fetch + HTML-rewriting path is also available as a Rust sidecar (Tor SOCKS5h, DNS-pinned SSRF guard, `lol_html` streaming rewriter); the OS delegates to it and transparently falls back to the built-in proxy.
- Vaptvupt encryption (WebAssembly): the real Vaptvupt engine compiled to WASM:
  - Password mode: PBKDF2-SHA256 → AES-256-CTR + HMAC-SHA256 (encrypt-then-MAC) → `.zupt`.
  - Post-quantum public-key mode: ML-KEM-768 + X25519 hybrid (generate a keypair, encrypt to a public key, decrypt with the private key).
  - Exposed in the Terminal (`vaptvupt`/`encrypt`/`decrypt`) and the file-manager right-click Encrypt/Decrypt menu.
- Secure delete: right-click any file/folder → overwrite with random (3-pass) or zeros, then delete.
- Amnesia: containers run read-only with RAM-only `tmpfs` (no volumes, no logs); the session is overwritten with CSPRNG randomness and wiped on shutdown.
- Linux VM: a 32-bit x86 emulator (v86, WASM) that boots lightweight live ISOs (Alpine, Tiny Core, SliTaz, …) amnesically, routable through Tor.
- TAILS: a launcher with CI-verified (OpenPGP signature + SHA-256) downloads, auto-updated by the `tails-iso` GitHub/Forgejo action.
- Matrix (end-to-end-encrypted chat): a full Matrix client (matrix-js-sdk + Rust crypto/WASM) where every request is tunneled through the same-origin Tor proxy to matrix.securityops.co. It decrypts E2EE rooms, searches the user directory, browses/joins federated rooms, handles invites, and renders image/file attachments. It pre-warms the Tor circuit on open so the first login is fast (cold Tor otherwise makes the first request take 15–40s). Amnesic: keys live in memory only. See Matrix.
- SecChat: first-party end-to-end-encrypted video chat (chat.securityops.co), embedded in-OS.
- Radio: listen to internet radio worldwide (radio-browser API). Exact country filtering (by ISO country code, not a fuzzy name match), genre filter, and only working HTTPS stations (offline and non-playable http-only ones are filtered out), plus favorites and resilient mirror failover.
- Cloudmacs: a full Emacs (Spacemacs) in the browser (Gotty serving a terminal Emacs), with telega (Telegram, with TDLib built into the image), whatsappel (WhatsApp), org-mode, and eww. Appears in Open with for text/code files.
- SecTube: the SecurityOps video frontend, embedded for playback.
- VaptVupt file share: the first-party SecurityOps encrypted file share, embedded in-OS over Tor (its `.onion` served through the privacy proxy in an opaque-origin sandbox). Upload and download files in the window (uploads up to 256 MiB; downloads stream back in full); a toolbar offers Reload and Open in Tor Browser for script-heavy actions. Real-time/WebSocket features aren't available through the proxy by design.
- CryptPad · WhatsApp · Telegram: embedded INSIDE the OS, over Tor. These run through the privacy proxy (fetched server-side over Tor, anti-framing headers stripped, realtime WebSocket tunneled via `/api/ws`, storage + an amnesic in-memory IndexedDB shim injected), so they load in-OS and even on networks that block them; your IP is never exposed. The embeds request the proxy with `&app=1` ("embedded-app mode"), which forces the full Node `clientShim` path so the runtime shim is always present, even in the production deployment that delegates ordinary browsing to the memory-safe Rust sidecar (the sidecar injects no shim, which is why the embeds previously loaded blank in prod). They're heavy multi-origin SPAs, so the embed is still best-effort (no Service Workers or persistent storage on an opaque origin); each app's toolbar has a Window button that opens the full official client (run SecurityOS in the Tor Browser to keep that over Tor). Session stays a launcher (no web client; it's onion-routed once installed).
- Screen Capture: screen recording + screenshots via `getDisplayMedia` (captures everything on screen, incl. cross-origin app iframes), with countdown, microphone + system audio, quality/format/codec presets, and a max-duration. A webcam picture-in-picture overlay offers selectable effect themes: Matrix (digital rain), Grayscale, Sepia, Neon/Invert, Blur, and a best-effort Background blur.
- Desktop Widgets: Rainmeter-style, draggable, toggleable, and persisted: Clock, Weather (searchable city, open-meteo), a JS-heap Memory gauge, RSS News (fetched over Tor), a month-grid Calendar, and a Post-it sticky note. A Clock and the News feed are shown on first run.
- Lock screen: a frosted overlay with a large clock over the blurred wallpaper, an optional PIN (salted SHA-256), idle auto-lock, and it stays locked across reload; a Lock button lives in the Start menu.
- Master volume: the taskbar volume now controls all web-OS sound (native audio/video plus WebAudio apps like Webamp and the v86 emulator).
- Music + Webamp: bundled free/classical music and the Webamp (Winamp-style) player, plus lots of wallpapers (including animated ones).
- Undercover mode: a Windows-11-like appearance (folders/wallpaper/theming) for blending in.
- Resilience / recovery: if corrupted saved data from an old version would otherwise stop the desktop from starting, SecurityOS shows a recovery screen (Try again / Reset) instead of reloading forever.
- Security Tools: an offline suite (hashing, encoding, entropy, UUID, …).
- Expanded terminal: UNIX-style commands plus `curl`/`wget` over Tor, `du`, `df`, `tree`, `stat`, and more.
- Start-menu search: open the Start menu and start typing to find any app or file and launch it (results dropdown with icons; Enter opens the top hit). Apps are matched by name from the process directory; documents come from the file index.
- Custom wallpaper: set a background from an image URL or a proxied link; adjustable fit. Paste any file/image from the clipboard straight onto the Desktop.
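The Vaptvupt password mode listed above (PBKDF2-SHA256 → AES-256-CTR + HMAC-SHA256, encrypt-then-MAC) can be sketched with Node's `crypto` module. This is an added example, not Vaptvupt's code and not the `.zupt` format: the iteration count, the subkey split, the `salt | iv | ciphertext | tag` layout and the names `sealBlob`/`openBlob` are assumptions.

```typescript
import { createCipheriv, createDecipheriv, createHmac, pbkdf2Sync,
         randomBytes, timingSafeEqual } from "node:crypto";

// Constructed parameters and byte layout for illustration; this is NOT the .zupt format.
const ITERATIONS = 600000; // assumption, not a value taken from Vaptvupt
const SALT_LEN = 16, IV_LEN = 16, TAG_LEN = 32;

// PBKDF2-SHA256 stretches the password; two independent subkeys are then split off
// so the cipher key and the MAC key are never the same bytes (assumed split method).
function deriveKeys(password: string, salt: Buffer) {
  const master = pbkdf2Sync(password, salt, ITERATIONS, 32, "sha256");
  const sub = (label: string) => createHmac("sha256", master).update(label).digest();
  return { encKey: sub("enc"), macKey: sub("mac") };
}

function sealBlob(password: string, plaintext: Buffer): Buffer {
  const salt = randomBytes(SALT_LEN), iv = randomBytes(IV_LEN);
  const { encKey, macKey } = deriveKeys(password, salt);
  const cipher = createCipheriv("aes-256-ctr", encKey, iv);
  const body = Buffer.concat([salt, iv, cipher.update(plaintext), cipher.final()]);
  // The tag covers salt, IV and ciphertext, so none of them can be swapped unnoticed.
  const tag = createHmac("sha256", macKey).update(body).digest();
  return Buffer.concat([body, tag]);
}

// Returns null on any failure; a wrong password and a modified file look the same.
function openBlob(password: string, blob: Buffer): Buffer | null {
  if (blob.length < SALT_LEN + IV_LEN + TAG_LEN) return null;
  const body = blob.subarray(0, blob.length - TAG_LEN);
  const tag = blob.subarray(blob.length - TAG_LEN);
  const { encKey, macKey } = deriveKeys(password, body.subarray(0, SALT_LEN));
  const expected = createHmac("sha256", macKey).update(body).digest();
  // Verify before decrypting, in constant time: CTR output is malleable, so
  // unauthenticated ciphertext must never reach the cipher or the caller.
  if (!timingSafeEqual(tag, expected)) return null;
  const iv = body.subarray(SALT_LEN, SALT_LEN + IV_LEN);
  const decipher = createDecipheriv("aes-256-ctr", encKey, iv);
  return Buffer.concat([decipher.update(body.subarray(SALT_LEN + IV_LEN)), decipher.final()]);
}
```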
SecurityOS browses the web through one browser: the Tor Browser, anonymity first. (There is intentionally no clearnet browser: all web access goes over Tor.)
- Every request is routed through Tor (SOCKS5h, including DNS) via a server-side privacy proxy, so `.onion` resolves and your real IP is never revealed. Clear-net sites load over Tor too; hostnames never leak to a local resolver.
- Tabbed: per-tab history; Ctrl/⌘- or middle-click a link to open it in a new tab; `+` for a blank tab. Tab labels show the page title.
- NoScript-style 3-state JavaScript control (toolbar): Off (Safest: all JS blocked + `script-src 'none'`); NoScript (first-party scripts only, third-party stripped server-side by the LibreJS filter); All (every script runs). Off by default.
- Bookmarks point at the SecurityOps hidden services.
- The proxy is SSRF-guarded, fails closed if Tor is misconfigured, pins the SSRF-validated IP (no DNS rebinding), forwards only an allowlist of response headers, rewrites links/forms to stay in-app, and logs nothing.
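The validate-then-pin SSRF guard and the response-header allowlist from the last bullet, as an added TypeScript example. It is not the code in `pages/api/proxy.ts`; the block list, the allowlist contents and the names `pinTarget` and `filterResponseHeaders` are assumptions, and the IPv6 handling is deliberately coarse.

```typescript
// Constructed block list and header allowlist; assumptions for illustration only.
const BLOCKED_V4: [string, number][] = [
  ["0.0.0.0", 8], ["10.0.0.0", 8], ["100.64.0.0", 10], ["127.0.0.0", 8],
  ["169.254.0.0", 16], ["172.16.0.0", 12], ["192.168.0.0", 16], ["224.0.0.0", 3],
];
const HEADER_ALLOWLIST = new Set(["content-type", "content-length", "cache-control"]);

// Strict dotted-quad parser: rejects octal, hex and short forms that some stacks accept.
function v4ToInt(ip: string): number | null {
  const parts = ip.split(".");
  if (parts.length !== 4) return null;
  let n = 0;
  for (const p of parts) {
    if (!/^(0|[1-9]\d{0,2})$/.test(p) || Number(p) > 255) return null;
    n = n * 256 + Number(p);
  }
  return n;
}

function isBlockedAddress(ip: string): boolean {
  const lower = ip.toLowerCase();
  const n = v4ToInt(lower.startsWith("::ffff:") ? lower.slice(7) : lower);
  // Not dotted IPv4: admit only global-unicast IPv6 (2000::/3); all else fails closed.
  if (n === null) return !/^[23][0-9a-f]{3}:/.test(lower);
  return BLOCKED_V4.some(([base, bits]) => {
    const start = v4ToInt(base) as number;
    return n >= start && n < start + 2 ** (32 - bits);
  });
}

interface PinnedTarget { connectIp: string; hostHeader: string; port: number }

// `resolved` is the answer of ONE lookup made by the caller. The socket must be opened
// to connectIp and the name never resolved again, which is what defeats DNS rebinding.
function pinTarget(rawUrl: string, resolved: string[]): PinnedTarget | null {
  let url: URL;
  try { url = new URL(rawUrl); } catch { return null; }
  if (url.protocol !== "http:" && url.protocol !== "https:") return null;
  // Any single internal record rejects the request, as does an empty answer.
  if (resolved.length === 0 || resolved.some(isBlockedAddress)) return null;
  const port = Number(url.port) || (url.protocol === "https:" ? 443 : 80);
  return { connectIp: resolved[0], hostHeader: url.host, port };
}

// Only allowlisted upstream response headers are passed on to the client.
function filterResponseHeaders(headers: Record<string, string>): Record<string, string> {
  const out: Record<string, string> = {};
  for (const [name, value] of Object.entries(headers)) {
    if (HEADER_ALLOWLIST.has(name.toLowerCase())) out[name.toLowerCase()] = value;
  }
  return out;
}
```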
What loads, and what won't. The proxy renders pages server-side in an opaque sandbox, so it's deliberately not a full browser: onions and simple, mostly-static sites render cleanly, but many arbitrary sites won't; they block Tor exit IPs (Cloudflare challenges), require JavaScript + login, or break under URL rewriting. That's the inherent ceiling of a privacy proxy, not a bug. For genuinely full, anonymous browsing of arbitrary sites, use the Linux VM via Tor Control.
SecurityOS ships a full end-to-end-encrypted Matrix client (matrix-js-sdk with
the Rust crypto/WASM stack), wired so that every request is tunneled through
the same-origin Tor proxy to the matrix.securityops.co homeserver; nothing
talks to Matrix off-Tor.
- E2EE: decrypts encrypted rooms; keys are kept in memory only (amnesic; nothing is written to disk).
- Federation: search the user directory, browse and join federated rooms, and accept/decline invites.
- Attachments: renders image and file attachments.
- Fast first login: the client pre-warms the Tor circuit the moment you open it, so login is quick. (A cold Tor circuit otherwise makes the first request take ~15–40s.)
- Truthful, recoverable connection state: a flaky `/sync` over Tor no longer pins the UI on "Connecting over Tor…" after a successful login; it shows "Syncing…", gives an honest "couldn't sync after several tries" if the circuit is down, and flips back to "online" on its own once Tor recovers. The login and first-sync phases are time-bounded so a stalled socket can't freeze sign-in.
- WhatsApp · Telegram · Session (messenger launchers). One click opens the official web client (WhatsApp Web, Telegram Web) in a real top-level browser window, where everything works: chats, voice/video calls, native file uploads/downloads, QR login. They are launchers, not embeds, on purpose: WhatsApp/Telegram forbid framing (`frame-ancestors`/`X-Frame-Options`) and rely on WebSockets the Tor proxy blocks, and Session has no web client (it's a desktop/mobile app). The window therefore shows a clear "Direct connection - NOT routed through Tor" badge; to use them over Tor, run SecurityOS itself in the Tor Browser / Tails (an in-app "Using … over Tor" panel explains how). Session's launcher opens the official download page.
- VaptVupt (encrypted file share). Embeds the SecurityOps share's `.onion` over the Tor proxy in an opaque-origin sandbox: upload files (forms are rewritten through the proxy, up to 256 MiB) and download them in full (attachments stream back). A toolbar adds Reload and Open in Tor Browser (for script-heavy actions); a slow-load hint appears on a cold circuit.
- Radio (improved). Internet radio via radio-browser with exact country selection (ISO code, not a fuzzy name) and only working stations shown (HTTPS-playable + last-seen-online; offline/non-playable removed), resilient mirror failover, genre filter, and favorites. (Streams play direct, not over Tor.)
- Matrix (fixed). Full E2EE chat tunneled over Tor; this round fixed attachment display, uploads timing out over Tor, a proxy circuit leak, and duplicate actions on retry. A persistent "Connecting over Tor…" indicates Tor or the homeserver is unreachable (start Tor in Tor Control), not an app bug.
- Start-menu search. Type in the Start menu to find and launch any app or file.
- Strict CSP without `'unsafe-eval'` (WASM uses `'wasm-unsafe-eval'`), `frame-ancestors 'none'`, HSTS, COOP, CORP, and a locked-down Permissions-Policy.
- Tor egress for all proxied browsing; the v86 VM defaults to a local Tor relay.
- No persistence by design; see Amnesia above.
- Single source of truth for headers: `scripts/securityHeaders.js` (mirrored to `next.config.js`, `pages/_document.tsx`, and the `deploy/` reverse-proxy samples).
One command (web + Tor, hardened & amnesic), from the repo root:

```bash
docker compose up -d
# → open http://localhost:8088
```

Two containers, no host networking, no manual flags, Tor on by default.
`docker compose down` leaves no residue.

Other options

```bash
# Full stack (adds the memory-safe Rust proxy sidecar):
docker compose -f deploy/docker-compose.yml up -d --build
# Web image alone (bring your own Tor SOCKS at TOR_PROXY):
docker build -t securityos .
docker run -d -p 8088:3000 -e TOR_PROXY=socks5h://tor:9050 securityos
```

See CHANGELOG.md for what's new, and docs/ for
TOR.md, LIVE-ISO.md,
GUIX-SETUP.md, and deploy/SECURITY-HEADERS.md.
| Layer | What |
|---|---|
| Frontend | Next.js + TypeScript + styled-components (the desktop, apps, virtual filesystem) |
| Privacy proxy | `pages/api/proxy.ts`: server-side Tor fetch, SSRF guard, header allowlist, HTML rewriting |
| Matrix proxy | same-origin Tor tunnel to matrix.securityops.co for the E2EE Matrix client (matrix-js-sdk + Rust crypto/WASM) |
| Rust sidecar | `sidecar/`: memory-safe equivalent of the proxy fetch/rewrite path |
| Crypto | `wasm/vaptvupt/` → `public/Program Files/Vaptvupt/vaptvupt.js` (the WASM engine) |
| Emulation | v86 (x86 Linux), BoxedWine, js-dos, Ruffle (all WebAssembly) |
| Deploy | Dockerfile + deploy/ (compose, Tor image, nginx/Caddy, VM bootstrap, TAILS CI) |
SecurityOS is built by one person, Cristian Cezar Moisés, to improve privacy worldwide and help people be safer online, and for the author's own use. It is for lawful, authorized use only.
- Use it ethically and legally. The bundled tools (Tor Browser, Matrix chat, Vaptvupt encryption, network utilities) are for securing your own systems, authorized research/testing with explicit permission, lawful privacy, and CTF/labs.
- You are solely responsible for what you do with it. The project and its sole maintainer are NOT responsible or liable for any misuse, illegal, unauthorized, or harmful use.
- No warranty. Provided "as is", without warranty of any kind; to the maximum extent permitted by law the author is not liable for any damages arising from its use. Tor reduces but does not eliminate deanonymization risk.
Full terms: docs/TERMS.md (also on the SecurityOS desktop as
terms.md), and LICENSE.
SecurityOS is an independent, one-person project, built and maintained solely by Cristian Cezar Moisés (no team, no company). Issues and patches are welcome.
Licensing is per component:
- SecurityOS (the desktop / OS itself): MIT. It's a fork of daedalOS by Dustin Brett, also MIT, so `LICENSE` carries both copyrights (Cristian Cezar Moisés for SecurityOS, Dustin Brett for daedalOS).
- Vaptvupt (the encryption tool, and its `.zupt` encrypted-file format / engine): dual-licensed under GNU AGPL-3.0-or-later or a separate Commercial license, at your option. The AGPL's network-use clause (§13) means that if you run a modified Vaptvupt as a network service, you must offer its users the corresponding source; a commercial license is the alternative for proprietary or closed-source use. Full terms are in `LICENSE-VAPTVUPT.md`, with the AGPL text in `LICENSES/AGPL-3.0.txt`.

Naming: Vaptvupt is the tool; `.zupt` is only its encrypted-file format / extension, never a name for the tool itself.
Upstream and bundled third-party components keep their own licenses β see source
headers and THIRD-PARTY-NOTICES. For a one-page summary, see
LICENSING.md.
Cristian Cezar Moisés, sole maintainer & developer · Information Security
LinkedIn · GitHub · Codeberg · YouTube · Portfolio