Read through our security policies for testing sessions, Local Testing, application security and privacy.
Remote testing session
Remote sessions establish a connection between your computer and the BrowserStack cloud, thus allowing you to test your website on secure virtual machines. Each virtual machine is a fresh instance, restored to its original settings, guaranteeing not only a tamper-proof environment, but also a consistent baseline for test scenarios. Read more about our virtual machine security policies here.
To make testing as easy as possible, we use the VNC protocol to transfer the data from your machine to the server. This data is encrypted, so as not to be accessible whilst in transit. Also, there is no additional setup required on the client end, since all the transactions take place from within the browser itself.
In the event that you are testing from behind a firewall, BrowserStack does not require any special rules to operate successfully. We use HTTPS and WSS, both of which are standard web protocols, allowed universally by firewalls. Therefore, your existing security is left altogether intact.
Local Testing enables you to test local folders and internal servers. We use custom-designed Chrome and Firefox extensions, with WSS (secure WebSockets) to connect your machine to the cloud. WebSockets allows extensive interaction between the client browser and the servers. To protect the privacy of transferred data during the testing session, we use WSS exclusively. WSS uses SSL over port 443 for transport and therefore only transmits encrypted data.
When testing a private server, we forge a connection between the server you have specified and our virtual machines. The mechanism is set up to forward requests and responses back and forth, and nothing else. Similarly, for local folder testing, the BrowserStack cloud only has access to the folder mentioned during the setup of the connection. Our infrastructure cannot access anything else on your filesystem.
Virtual machines privacy and security
Each time a new testing session is created, the BrowserStack cloud assigns the user a pristine virtual machine. Our machines are restored to their original states, which means they are stripped of their registry contents, caches are erased, cookies are deleted, and all running processes are killed. Additionally, users do not have the privileges to install any programs on the machines. Therefore, after the restoration process is complete, the virtual machines are guaranteed to be tamper-proof. The advantage is that each time a test is run, the default settings are restored, thus providing an ideal test scenario.
Once the restoration process is complete, the virtual machine is then put through a series of validation checks, as a fail-safe mechanism. In the rare case that the virtual machine fails even a single check, it is taken off the infrastructure altogether. The machines themselves are in a secure network, and behind strong firewalls to present the safest environment possible.
At any given time, you have sole access to a virtual machine. Your testing session cannot be seen or accessed by other users, including BrowserStack administrators. Once you release a virtual machine, it is taken off the grid, and restored to its initial settings. All your data is destroyed in this process.
Our restoration mechanisms for virtual machines are stringent and extremely thorough, ensuring that even the smallest scrap of browsing data is erased. This list includes the temporary cache of files, the browsing history, any cookies generated during the testing session, passwords and other form data, testing logs, and all downloads. We guarantee to our users that we do not have any mechanism to view or store their browsing data. All data is wiped out from the virtual machines as soon as the session ends.
Secure hosting for virtual machines
BrowserStack partners only with the best hosting providers across the globe, and our machines are located in secure locations in the US, Europe, Singapore, and Australia. Our selection process is exacting, focussing on excellent service records and established security policies.
Each service provider has implemented security with a view to protecting all those using their cloud. Many have had their security policies independently audited by an external authority, and have been certified under major compliance regulators. One of our providers is AWS, and you can read more about their security here.
We ensure that the machines within the BrowserStack infrastructure are protected from the ground up. Starting from physical security, we constantly improve security policies as the threat landscape changes. Our priority is to protect the integrity of your data, and guard against any service interruptions.
Secure storage of BrowserStack credentials
Your account information (username, logins, password, access keys, and account details) is stored in an encrypted format on our systems. We use SSL to transmit information back and forth from our servers. BrowserStack cannot view any of your credentials, so much so that if you lose your password, you must go through the reset procedure for your account to be accessible again.
Access control systems
Our sophisticated Identity Access Management systems log every entry into the cloud infrastructure. BrowserStack has limited access to client instances, therefore ensuring a completely secure testing environment.
In addition to these mechanisms, we provide a role-based administration system for the user accounts as well. There are 3 roles: owner, admin, and user; each with different permissions. The administrators of the account (owner and other admins) can control user activity at will, even to the extent of prohibiting team members from accessing products.
Usage logs and test history
All BrowserStack products generate usage logs, which are used for analytical purposes. These usage logs do not contain any personal data about the user nor any browsing data generated during tests.
Screenshots and Automate both generate test history, in the form of screenshots and log data respectively. In Automate, log data is created during the test sessions and subsequently displayed on the user's dashboard. Screenshots saves earlier test session results for easy retrieval. Test history is stored in a secure database on our cloud. The access mechanism is highly encrypted, and the test history is therefore only accessible to you, via your BrowserStack account.