Security Features

Hologram implements multiple layers of security to protect users while enabling powerful dApp functionality. This page explains the security model and how each layer works.

Defense Layers

Hologram protects users through four concentric security layers:

┌───────────────────────────────────────────────────────┐
│  Layer 1: Blockchain Immutability                     │
│  ┌─────────────────────────────────────────────────┐  │
│  │  Layer 2: Iframe Sandboxing                     │  │
│  │  ┌───────────────────────────────────────────┐  │  │
│  │  │  Layer 3: Permission System               │  │  │
│  │  │  ┌─────────────────────────────────────┐  │  │  │
│  │  │  │  Layer 4: Local Execution           │  │  │  │
│  │  │  │  ┌───────────────────────────────┐  │  │  │  │
│  │  │  │  │       Protected User          │  │  │  │  │
│  │  │  │  └───────────────────────────────┘  │  │  │  │
│  │  │  └─────────────────────────────────────┘  │  │  │
│  │  └───────────────────────────────────────────┘  │  │
│  └─────────────────────────────────────────────────┘  │
└───────────────────────────────────────────────────────┘

Layer 1: Blockchain Immutability

TELA content is stored on the DERO blockchain and served through the TELA Browser, providing:

Property	Benefit
Cryptographic verification	Content hash verifiable against blockchain
Immutable DOCs	Individual files cannot be modified
Transparent history	All changes recorded on-chain
No server trust	Content comes from decentralized network

Layer 2: Iframe Sandboxing

All TELA content runs in a sandboxed iframe:

<iframe 
  sandbox="allow-scripts allow-same-origin"
  ...
>

Restrictions:

No direct network requests (except through telaHost)
No access to parent window DOM
No local storage or cookies
No form submission to external URLs
No popups or new windows

Layer 3: Permission System

User approval required for sensitive operations:

Operation	Approval
Read blockchain data	Auto-approved
View wallet address	Initial connection
View wallet balance	Initial connection
Send DERO	Every transaction
Invoke smart contract	Every transaction

Hologram auto-detects read-only apps and shows a "Read-Only Access" badge instead of wallet permissions. Learn more in Smart Permission Detection.

Layer 4: Local Execution

All content executes locally on your machine:

No remote code execution
No external JavaScript loading
All assets fetched from blockchain
No CDN or third-party dependencies

Content Security Policy

Why CSP is Relaxed

Traditional web browsers use Content Security Policy (CSP) to prevent cross-site scripting. However, TELA apps:

Are fetched from blockchain (not remote servers)
Run in sandboxed iframes
Have no external network access
Are cryptographically verified

Hologram's reverse proxy system strips CSP headers because:

The iframe sandbox provides equivalent protection
CSP would break legitimate TELA functionality
Content is already verified from blockchain

Security Mitigations

Traditional CSP Purpose	Hologram Equivalent
Prevent XSS	Iframe sandbox + blockchain verification
Block inline scripts	Not needed (content is trusted from blockchain)
Restrict network requests	Iframe sandbox blocks all network
Prevent data exfiltration	No network access + user approval for wallet

XSWD Security

Permission Scopes

Scope	Access Level	User Approval
`read_public_data`	Blockchain data only	None
`view_address`	Wallet address	Initial connection
`view_balance`	Wallet balance	Initial connection
`sign_transaction`	Send funds	Every transaction
`sc_invoke`	Smart contract calls	Every transaction

Smart Detection

Hologram analyzes what methods an app actually calls:

Read-only apps (only DERO.* methods) → Minimal permissions shown
Wallet apps (wallet methods) → Full permission dialog

Rate Limiting

Per-app rate limiting prevents abuse:

RATE_LIMIT_WINDOW    = 10 seconds
RATE_LIMIT_MAX_CALLS = 100 per window

Privacy Mode

Privacy Mode provides network-level isolation, blocking all non-DERO connections when enabled.

How It Works

When Privacy Mode is enabled:

All outbound network connections are blocked by default
Only connections to allowed hosts are permitted
DERO daemon connections continue to work normally
TELA content loads from blockchain (unaffected)

Allowed Hosts

These hosts are always allowed, even with Privacy Mode enabled:

Host	Purpose
`127.0.0.1`	Local connections (required)
`localhost`	Local connections (required)
`0.0.0.0`	Local binding (required)
`::1`	IPv6 localhost (required)

You can add additional allowed hosts in Settings > Privacy Mode.

Use Cases

Maximum privacy: Block all external connections except DERO
Network isolation: Prevent any data leakage to non-DERO hosts
Testing: Verify your TELA app works without external dependencies

Active Connections

The Privacy Mode panel shows all current network connections used by Hologram, allowing you to monitor exactly what connections are active.

Privacy Protections

Zero Tracking

Hologram does not:

Collect usage analytics
Track browsing history
Send data to external servers
Use cookies or fingerprinting
Log wallet addresses

Local-Only Data

All data stays on your machine:

Data	Storage
Wallet files	Local filesystem
TELA cache	Local Graviton database
Preferences	Local Graviton database
Gnomon index	Local database

Network Privacy

Direct daemon connection (no proxy servers)
No DNS leaks for TELA content
Optional Tor support (via daemon configuration)

Daemon Download Security

When Hologram auto-downloads the DERO daemon (derod), it performs SHA256 checksum verification to ensure the binary hasn't been tampered with.

Checksum Verification

Download checksum file — Fetches checksum.txt.signed from GitHub releases
Parse signed message — Extracts checksums from DERO-signed message format
Calculate local hash — Computes SHA256 of downloaded archive
Compare — Fails download if checksums don't match

// Verification is mandatory for auto-downloads
// If checksum fails, the downloaded file is deleted
VerifyFileChecksum(filePath, expectedChecksum) -> error

Privacy Setting

If you prefer not to contact GitHub, you can disable auto-download:

Go to Settings > Privacy
Disable Allow GitHub Check
Manually download derod from GitHub Releases (opens in a new tab)
Place the binary in ~/.dero/hologram/derod/

⚠️

With GitHub check disabled, Hologram will show manual installation instructions instead of auto-downloading.

Wallet Security

Integrated Wallet

Keys stored in encrypted wallet files
Password required to open wallet
No keys transmitted over network
Transaction signing happens locally

XSWD Server

When acting as XSWD server:

Only accepts connections from localhost
Per-app permission management
User approval for all transactions
Session-based authentication

External Wallet (XSWD Client)

When connecting to external wallet (e.g., Engram):

No keys stored in Hologram
Transactions signed by external wallet
Hologram acts as dApp bridge only

Best Practices

For Users

Review permissions — Check what apps request before approving (see telaHost API)
Verify transactions — Always review amount and recipient in the Wallet
Use strong passwords — Protect your wallet files
Keep backups — Store wallet seed phrases securely
Use Offline-First — Cache trusted apps for enhanced privacy
Enable Privacy Mode — Block all non-DERO connections
Check ratings — Use community ratings via Explorer as trust signal

For Developers

Request minimal permissions — Only ask for what you need via telaHost API
Don't specify permissions — Let Hologram auto-detect what your app needs
Handle rejections gracefully — Users may decline
Validate all input — Never trust user data
Test in Simulator — Before deploying to mainnet using Studio tools

Reporting Security Issues

If you discover a security vulnerability:

Do not disclose publicly
Contact the development team privately
Provide detailed reproduction steps
Allow time for fix before disclosure

Comparison

Feature	Traditional Browser	Hologram
Content source	Remote servers	Blockchain (verified)
Execution	Browser sandbox	Iframe sandbox
Network access	Full	Blocked (except telaHost)
Tracking	Cookies, fingerprinting	None
Wallet access	Extensions required	Integrated + approval
Update mechanism	Server-side	Blockchain commits

Local Dev Server Proof Validation