Security | 2026-02-20 | 6 min read

How Exoliner Keeps Your Account Secure

A deep dive into Exoliner's security model: web-based by default, server-side execution, CSP headers, VirusTotal-scanned desktop builds, and responsible disclosure.

Security is a foundational concern for any platform that handles user accounts and script execution. This article explains how Exoliner is designed to protect your account and your data.

Web-Based by Default

The most significant security advantage of Exoliner is that the core platform is web-based. The script editor, console, game browser, and script hub all run in your browser. There is nothing to download for the main experience, eliminating the risk of malware, keyloggers, and other threats associated with desktop executables.

Transparent Desktop Builds

For developers who want advanced features like Lua LSP and Polytoria support, Exoliner offers an optional desktop application. Unlike legacy tools that ask you to blindly trust downloaded executables, every Exoliner desktop build includes a publicly available VirusTotal analysis. You can verify the binary yourself before running it — we believe users should never have to take our word for it when it comes to software safety.

Server-Side Execution

All script execution happens on our server infrastructure. When you click execute, your script is sent to our servers, processed in an isolated environment, and the results are streamed back to your browser. Your local machine is never involved in script execution.

Strict Content Security Policy

Exoliner implements strict Content Security Policy (CSP) headers that prevent cross-site scripting (XSS) attacks, clickjacking, and other common web vulnerabilities. These headers control which resources can load on the page and block unauthorized scripts from executing.
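
The following is an added example, not Exoliner's code, and the sample policies in it are constructed rather than taken from Exoliner's real headers. It audits a CSP header value for the two protections named above: script injection (script-src) and clickjacking (frame-ancestors). The function and constant names are assumptions made for illustration.

```python
# Script sources that defeat the XSS protection a policy is meant to give.
WEAK_SCRIPT_SOURCES = {"'unsafe-inline'", "'unsafe-eval'", "*", "http:", "https:", "data:"}
HASH_OR_NONCE = ("'nonce-", "'sha256-", "'sha384-", "'sha512-")

def parse_csp(header_value):
    """Parse a CSP header value into {directive: [source, ...]}."""
    policy = {}
    for part in header_value.split(";"):
        tokens = part.split()
        if tokens:
            # A repeated directive is ignored by browsers: the first one wins.
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy

def audit_csp(header_value):
    """Return a list of findings; an empty list means none of the checks fired."""
    policy = parse_csp(header_value)
    findings = []
    # script-src falls back to default-src when it is absent.
    script_src = policy.get("script-src", policy.get("default-src"))
    if script_src is None:
        findings.append("no script-src or default-src: any script may load")
    else:
        sources = {s.lower() for s in script_src}
        trusted = any(s.startswith(HASH_OR_NONCE) for s in sources)
        for weak in sorted(sources & WEAK_SCRIPT_SOURCES):
            # With a nonce or hash, browsers ignore 'unsafe-inline'; with
            # 'strict-dynamic' as well, they also ignore host and scheme sources.
            ignored = trusted and (weak == "'unsafe-inline'" or (
                "'strict-dynamic'" in sources and weak != "'unsafe-eval'"))
            if not ignored:
                findings.append(f"script-src allows {weak}")
    # frame-ancestors and base-uri never fall back to default-src.
    ancestors = policy.get("frame-ancestors")
    if ancestors is None:
        findings.append("no frame-ancestors: page can be framed by any site")
    elif "*" in ancestors:
        findings.append("frame-ancestors allows any site")
    if "base-uri" not in policy:
        findings.append("no base-uri: an injected <base> tag can retarget relative URLs")
    return findings

# Constructed sample policies (not Exoliner's real headers).
WEAK = "default-src 'self'; script-src 'self' 'unsafe-inline' https:"
STRICT = ("default-src 'self'; script-src 'nonce-r4nd0m' 'strict-dynamic' https: "
          "'unsafe-inline'; frame-ancestors 'none'; base-uri 'none'")

if __name__ == "__main__":
    print(audit_csp(WEAK), audit_csp(STRICT), sep="\n")
```

To check a live site, pass in the value of the Content-Security-Policy response header as shown in the browser's network panel.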

HTTPS Everywhere

All communication between your browser and Exoliner servers is encrypted using HTTPS. This prevents man-in-the-middle attacks and ensures that your scripts, credentials, and session data cannot be intercepted in transit.

Account Security

We implement industry-standard authentication practices. User sessions are managed securely, and we encourage users to use strong, unique passwords for their accounts.

Responsible Disclosure

We maintain a responsible disclosure policy for security researchers who discover vulnerabilities in our platform. Details are available on our security page. We take all reports seriously and work to address confirmed vulnerabilities promptly.

Our Security Commitments

  • The core platform runs entirely in your browser — no downloads required
  • Optional desktop builds include VirusTotal analysis for every release
  • We never access your local filesystem from the web platform
  • We never require browser extensions
  • We never require system-level permissions for the web experience
  • We never sell or share your personal data

For full details about our security practices, visit our security page. If you have security concerns or want to report a vulnerability, contact us through our Discord support channel or email [email protected].