How Credentials Are Handled Safely

Rihario never stores your credentials permanently. If you provide credentials for testing (test accounts only), they're used only during exploration and then discarded. Credentials are transmitted securely and never logged or saved. Use test accounts, not production credentials.

Security Principles

• Never stored - Credentials are not saved to disk or database
• In-memory only - Used during exploration, then discarded
• Encrypted transmission - All data transmitted over HTTPS
• No logging - Credentials never appear in logs
• Test accounts only - Never use production credentials

How Credentials Are Used

During Exploration

If you provide credentials (test accounts only):

1. Credentials entered securely
2. Transmitted over HTTPS to Rihario servers
3. Used only during the active exploration session
4. Discarded when exploration completes
5. Never saved to disk or database

Manual Authentication

When you authenticate manually (recommended):

• You log in directly in the browser
• Rihario doesn't see your credentials
• Session cookies are used (standard browser behavior)
• Session discarded when exploration ends

Best Practices

Use Test Accounts

• Never use production credentials - Always use test accounts
• Create dedicated test accounts - Separate from real user accounts
• Limited permissions - Test accounts should have minimal permissions
• Regular rotation - Change test account passwords regularly

Manual Authentication Preferred

• More secure - You control the authentication
• No credential sharing - Credentials never leave your browser
• Works with complex auth - Handles MFA, OAuth, etc.
• Recommended approach - Best for most use cases

What Gets Stored

Rihario stores:

• Test results - Screenshots, logs, issues found
• Exploration metadata - URLs, timestamps, status
• Evidence - Console logs, network requests (no credentials in URLs)

Rihario does NOT store:

• Passwords or API keys
• Authentication tokens (beyond session)
• Form data entered (if sensitive)
• Personal information from forms

Data Transmission

HTTPS Encryption

All data transmitted securely:

• HTTPS encryption for all connections
• TLS 1.2+ required
• Encrypted in transit

API Security

API requests are secured:

• Authenticated API requests
• Rate limiting to prevent abuse
• No credentials in API URLs or logs

Limitations

• Session-based only - Cannot persist credentials between sessions
• Manual auth for complex flows - MFA, OAuth require manual steps
• Test environment recommended - Use test environments when possible

Privacy Considerations

• Test data only - Never use real user data
• Staging environments - Test on staging, not production
• Sensitive data - Be cautious with any sensitive information

Next Steps

• Learn what data is stored
• See how to test login flows safely
• Understand CAPTCHA and MFA limitations