SecureDrop is only as secure as the environment that surrounds it. To keep sources safe, the news organization’s website must employ a set of basic security best practices or else you risk losing any source protection provided by SecureDrop.

While SecureDrop itself is located on a Tor hidden service, news organizations also need to create a SecureDrop landing page that will explain how SecureDrop works, give sources instructions on how to access the Tor hidden service, and disclose the risks. We recommend to also include a privacy policy (see our Sample SecureDrop Privacy Policy) that describes what data is collected and how it will be used by your organization.

It is important to keep in mind that implementing SecureDrop will bring more attention to your organization by security researchers, hackers, and other like-minded people. If the landing page minimum requirements are not implemented, these people will be sure to loudly point this out on Twitter and other blogs as a #SecurityFail. This will discourage potential sources from using your instance of SecureDrop. However, it can easily be avoided by following the below best practices.

Freedom of the Press Foundation eventually plans to list all of those SecureDrop onion URLs as “verified” on its website that meet the minimum requirements for deployment best practices. If your organization cannot follow the minimum guidelines we cannot recommend to users that your SecureDrop instance is safe to use.

In addition to implementing the below best practices, it is strongly recommended that you have a reputable security firm perform a security review of your organization’s public website prior to launching an instance of SecureDrop. Upon request, we can help put you in touch with a few security firms if you need more assistance.