Security Auditing .onion Hidden Services: Complete Checklist

Audit the torrc configuration for security best practices. Verify HiddenServiceDir permissions are 700 (owner: tor user, group: tor user, no world access). Check for DataDirectory and HiddenServiceDir on encrypted volumes. Verify Tor is running as the tor user, not root (User tor in systemd unit file). Confirm SocksPort is bound to 127.0.0.1, not 0.0.0.0. Verify that hidden service HiddenServicePort maps to a local address (127.0.0.1) rather than an external IP. Check that the Tor process is isolated from the application process - run application as a separate user with no read access to /var/lib/tor/. Review the Tor version for known vulnerabilities and verify it is current. Ensure DisableDebuggerAttachment is 1 to prevent ptrace from other processes.

Application layer vulnerabilities are the most common cause of .onion service deanonymization. Test for SSRF (Server-Side Request Forgery): submit URLs as input and verify the application does not make outbound HTTP requests to external IPs that would reveal the server's real IP. This is particularly critical in applications that render user-provided content, process URLs for previews, or handle image/file uploads. Test for XXE (XML External Entity) injection in any XML processing. Test for command injection in any shell-level operations. Verify the application does not log client IP addresses (they are all 127.0.0.1, so logging provides no value and wastes disk space). Verify the application does not include any external resources (fonts, analytics, CDN libraries) in pages - external resource requests reveal the client's IP to the external server.

Verify OS-level hardening: firewall rules allowing only Tor ORPort and application port from localhost, no other listening ports (check with ss -tlnp). Verify no clearnet-accessible ports: the server should have no public-facing web ports, SSH should be key-only with non-standard port or restricted source IP. Verify full disk encryption is configured (LUKS on Linux) and the decryption passphrase is not stored on the server. Verify automatic security updates are configured. Review installed packages for unnecessary services (remove mailserver, FTP, or other unused daemons). Verify file integrity with AIDE or Tripwire baseline comparison to detect unauthorized changes. Check for world-readable sensitive files: find /var/lib/tor -maxdepth 2 -perm /o+r should return no output.

Review HTTP response headers for information disclosure. Nginx default headers (Server: nginx/1.24.0) reveal server software version. Configure server_tokens off in Nginx to reduce header verbosity. Check for application framework version disclosure in response headers or error pages. Verify error pages return generic messages rather than stack traces or database error details. Review the application for features that might disclose the server's IP: server-side HTTP redirects to external URLs, email sending functionality (SMTP From header reveals server hostname), PDF generation tools that make external HTTP requests for embedded resources. Audit all user-supplied content rendering paths for SSRF and content injection vulnerabilities that could cause the server to contact external IPs.

Operational security audit covers human and procedural factors. Review access control: how many people have SSH access to the server, are all keys documented and revocable, when did each key last successfully authenticate? Review secret management: are API keys, database passwords, and encryption keys stored securely (environment variables or secrets managers) rather than in version-controlled code? Review monitoring: is there an alerting system that would notify operators of server compromise (file integrity changes, unexpected process launches, Tor daemon failures)? Review backup security: are backups encrypted before storage, are backup access credentials separate from production credentials, when was the backup last tested for restoration? Review incident response: is there a documented procedure for responding to suspected compromise of the hidden service?