SecureDrop is only as secure as the environment that surrounds it. To keep sources safe, the news organization’s website, physical space, and dedicated SecureDrop hardware must employ a set of basic security best practices or risk losing any source protection provided by SecureDrop.
Freedom of the Press Foundation eventually plans to list all of those SecureDrop onion URLs that meet the minimum requirements for deployment best practices as “verified” on its website. If your organization cannot follow the minimum guidelines, we cannot recommend your SecureDrop instance as safe to use.
In addition to implementing the following best practices, we strongly recommend that you have a reputable security firm perform a review of your organization’s public website prior to launching an instance of SecureDrop. Upon request, we can help put you in touch with a few security firms if you need more assistance.