User: anyone who makes an account on our platform
Character: a collection of information and images (reference sheets, art, etc.) about a character which can be easily shared with artists
Artist: a special "second profile" in which a user can advertise commission information
Commission: something which is custom-created for a customer based on their requirements
Commission Type: a type of commission the artist offers. This varies from artist to artist, but is typically divided by style (traditional, digital, etc.), by type (headshot, bust), or both!
Commission Modifier: a preset list of add-ons that may increase a commission's price. These can be things such as NSFW, backgrounds, multiple characters, etc.
Artist's Terms of Service: a set of rules you must follow in order to commission an artist (may cover things such as commercial use and refunds)
Is my information protected?
We care about your security. We've seen many similar websites attacked and large amounts of important user information breached. As such, we take extreme precautions about what data we store and how we store it.
Here are some of the things that we do to ensure your security and privacy.
- Every connection to our site is made over current TLS (the successor to SSL)
- Our certificates, as of August 28, 2018, are 4096-bit RSA issued by Let's Encrypt. We score an A+ rating on the Qualys SSL Server Test, with 100% for Certificate.
- Additionally, we use HPKP (HTTP Public Key Pinning), preloaded HSTS (HTTP Strict Transport Security, hardcoded into browsers to force secure connections), and DNS CAA records to ensure that your connection is always secure, and always to us. (Note: major browsers have since removed support for HPKP, so HSTS and CAA are the parts of this that still take effect.)
- We also use our own Diffie-Hellman (DH) parameters (for forward-secret key exchange) and SNI to keep your connection secure.
- User passwords are never stored in plain text
  - We use per-user salts: if two users have the same password, the hashes are different
  - Additionally, we require all passwords to be at least 8 characters long, and impose no maximum length. This encourages the use of ridiculously long random passwords.
  - We store passwords only after hashing them with the argon2i algorithm, using a high iteration factor (sometimes called time cost, currently 5), high memory usage (32 MB), and multiple cores (parallelism). Even if a user chose a password of only 8 characters, cracking it would (by current estimates) take millions of years and billions of dollars.
- Two Factor Authentication
  - We allow our users to protect their accounts using TOTP one-time password authentication.
  - This is opt-in, and our verification checks these 6-digit tokens for validity within a ±1 minute window.
  - Each token lasts for 30 seconds
- Binding of database queries
  - Following the lessons of Bobby Tables, we bind all query parameters using a database abstraction library.
  - This prevents SQL injection.
- Few outside dependencies on the server
  - We use no external libraries for the backend except the popular PHPMailer and phpqrcode.
  - PHPMailer is used by at least 25% of all websites (based on WordPress usage alone) and likely far more; we invoke it only when we need to send user emails.
  - phpqrcode is small and is used only for generating 2FA QR codes
  - Other than PHPMailer and phpqrcode, all of our code is home-grown.
- Randomization of uploaded information
  - All uploaded files are stored under random paths.
  - This prevents a malicious user who has the path to one file from inferring a pattern that reveals others
- Open-sourced on GitHub
  - All of our code is on GitHub, where anyone can view it, for transparency
- And much more!
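The password handling described under "User passwords are never stored" above, written out as an added example (not the platform's own code): it hashes with Argon2i at the stated parameters using PHP's built-in password_hash(), which generates a fresh random salt per call, enforces the 8-character minimum with no maximum, and on login upgrades any hash that was made with older parameters. The lane count of 2 and the sample password are assumptions.

```php
<?php
// Added example (not the platform's own code): Argon2i password storage with
// time cost 5, 32 MB of memory and more than one lane. Requires PHP 7.2+
// built against libargon2 (the 'threads' option is only honoured there).
declare(strict_types=1);

const PW_OPTIONS = [
    'memory_cost' => 32 * 1024, // in KiB: 32 MB
    'time_cost'   => 5,         // iterations, a.k.a. time cost
    'threads'     => 2,         // parallel lanes; assumed value
];

function hashPassword(string $password): string
{
    if (strlen($password) < 8) {    // minimum length only; no maximum
        throw new InvalidArgumentException('Password must be at least 8 characters.');
    }
    // password_hash() draws a fresh random salt per call, so two users with
    // the same password get different hashes. Salt and parameters are
    // embedded in the returned string.
    return password_hash($password, PASSWORD_ARGON2I, PW_OPTIONS);
}

// Verify at login. If the stored hash was produced with weaker parameters,
// $rehash receives a fresh hash so the caller can update the database row.
function verifyPassword(string $password, string $storedHash, ?string &$rehash = null): bool
{
    $rehash = null;
    if (!password_verify($password, $storedHash)) {
        return false;
    }
    if (password_needs_rehash($storedHash, PASSWORD_ARGON2I, PW_OPTIONS)) {
        $rehash = hashPassword($password);
    }
    return true;
}

// Round trip with a constructed sample password
$hash = hashPassword('correct horse battery');
echo $hash, PHP_EOL;  // format: $argon2i$v=19$m=32768,t=5,p=2$<salt>$<hash>
if (!verifyPassword('correct horse battery', $hash) || verifyPassword('wrong password', $hash)) {
    throw new RuntimeException('password round-trip failed');
}
```

Because the salt and the m/t/p parameters travel inside the hash string, the database needs only one column, and raising the cost later is a matter of changing PW_OPTIONS: password_needs_rehash() then flags old rows the next time their owners log in.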
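The two-factor check described under "Two Factor Authentication" above, as an added example (not the platform's own code): RFC 6238 TOTP with 30-second steps and 6 digits, accepted within ±2 steps, i.e. the ±1 minute window the FAQ states. The shared secret here is the RFC 6238 reference secret in raw bytes; in a real deployment it is the base32-decoded value that the 2FA QR code carries. The replay check on the last used step is an addition the FAQ does not mention.

```php
<?php
// Added example (not the platform's own code): TOTP generation and windowed
// verification per RFC 6238 (HMAC-SHA1, 6 digits, 30 s steps, +-1 minute).
declare(strict_types=1);

const TOTP_STEP   = 30;
const TOTP_DIGITS = 6;
const TOTP_WINDOW = 2;   // steps either side: 2 * 30 s = 1 minute

function hotp(string $secret, int $counter): string
{
    // 8-byte big-endian counter, HMAC-SHA1, dynamic truncation (RFC 4226)
    $mac    = hash_hmac('sha1', pack('J', $counter), $secret, true);
    $offset = ord($mac[19]) & 0x0f;
    $code   = ((ord($mac[$offset]) & 0x7f) << 24)
            | (ord($mac[$offset + 1]) << 16)
            | (ord($mac[$offset + 2]) << 8)
            |  ord($mac[$offset + 3]);
    return str_pad((string) ($code % (10 ** TOTP_DIGITS)), TOTP_DIGITS, '0', STR_PAD_LEFT);
}

function totp(string $secret, int $unixTime): string
{
    return hotp($secret, intdiv($unixTime, TOTP_STEP));
}

// Returns the matched time step on success (store it and refuse anything at
// or before it next time, so a captured code cannot be replayed), null on failure.
function verifyTotp(string $secret, string $submitted, int $now, ?int $lastUsedStep = null): ?int
{
    if (!preg_match('/^\d{' . TOTP_DIGITS . '}$/', $submitted)) {
        return null;
    }
    $current = intdiv($now, TOTP_STEP);
    for ($delta = -TOTP_WINDOW; $delta <= TOTP_WINDOW; $delta++) {
        $step = $current + $delta;
        if ($lastUsedStep !== null && $step <= $lastUsedStep) {
            continue;   // replay protection
        }
        if (hash_equals(hotp($secret, $step), $submitted)) {   // constant-time compare
            return $step;
        }
    }
    return null;
}

// Self-check against the RFC 6238 reference vector (SHA-1, secret
// "12345678901234567890"): at T = 59 the 8-digit code is 94287082, so the
// 6-digit code is 287082.
$rfcSecret = '12345678901234567890';
if (totp($rfcSecret, 59) !== '287082') {
    throw new RuntimeException('TOTP self-check failed');
}
if (verifyTotp($rfcSecret, '287082', 59 + 60) === null) {   // still inside the window a minute later
    throw new RuntimeException('window check failed');
}
if (verifyTotp($rfcSecret, '287082', 59 + 91) !== null) {   // rejected once outside it
    throw new RuntimeException('window check should have failed');
}
```

The window exists to absorb clock drift between the server and the user's phone; widening it beyond ±1 minute buys little and lengthens the life of any code that leaks, which is why the step that matched is returned so it can be recorded.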
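The "Binding of database queries" point above, shown as an added example (not the platform's own code) with PDO, PHP's standard database abstraction layer: the injectable string-building form sits beside the bound-parameter form, run against an in-memory SQLite table so the difference is visible without a server. The users table and the sample rows are constructed for the example.

```php
<?php
// Added example (not the platform's own code): why bound parameters stop the
// Bobby Tables class of bug. Uses PDO with in-memory SQLite; the schema and
// rows are constructed for the demonstration.
declare(strict_types=1);

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT NOT NULL UNIQUE)');
$db->exec("INSERT INTO users (username) VALUES ('alice'), ('bob')");

// Vulnerable: the value is pasted into the SQL text, so quotes inside the
// input become part of the query's structure.
function findUserUnsafe(PDO $db, string $username): array
{
    $sql = "SELECT username FROM users WHERE username = '$username'";
    return $db->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// Bound: the SQL text is fixed before any user data is seen; the value is
// sent separately and can only ever be compared as data, never parsed as SQL.
function findUser(PDO $db, string $username): array
{
    $stmt = $db->prepare('SELECT username FROM users WHERE username = :username');
    $stmt->bindValue(':username', $username, PDO::PARAM_STR);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// The textbook input from the Bobby Tables lesson (constructed sample).
$hostile = "' OR '1'='1";

// The unsafe query now reads ... WHERE username = '' OR '1'='1' and returns
// both rows; the bound query looks for a user literally named ' OR '1'='1 and
// returns none.
if (count(findUserUnsafe($db, $hostile)) !== 2 || findUser($db, $hostile) !== []) {
    throw new RuntimeException('demonstration did not behave as expected');
}
echo 'bound query returned ', count(findUser($db, $hostile)), ' rows', PHP_EOL;
```

Binding covers values only. Table and column names, ORDER BY targets and LIMIT clauses cannot be bound, so anything user-controlled in those positions has to be checked against a fixed allow-list before it goes anywhere near the query string.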
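The "Randomization of uploaded information" point above, as an added example (not the platform's own code) of storing an upload under a random, unguessable name. The upload root, the allowed image types and the sharding scheme are assumptions; the original filename is kept only as metadata and never used on disk.

```php
<?php
// Added example (not the platform's own code): save an uploaded file under a
// 128-bit random name so paths cannot be enumerated from one known path.
declare(strict_types=1);

const UPLOAD_ROOT  = '/var/www/uploads';   // assumed; keep it outside the web document root
const ALLOWED_MIME = [                     // assumed allow-list, keyed by sniffed MIME type
    'image/png'  => 'png',
    'image/jpeg' => 'jpg',
    'image/gif'  => 'gif',
];

// Takes the temporary path PHP gave the upload ($_FILES['file']['tmp_name'])
// and returns the relative storage path to record in the database.
function storeUpload(string $tmpPath, string $uploadRoot = UPLOAD_ROOT): string
{
    // Decide the type from the file's contents, not from the client's claim.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($tmpPath);
    if ($mime === false || !isset(ALLOWED_MIME[$mime])) {
        throw new RuntimeException('Unsupported file type');
    }

    // 16 random bytes -> 32 hex characters. Nothing from the request (name,
    // user id, timestamp) goes into the path, so there is no pattern to learn.
    $name     = bin2hex(random_bytes(16));
    $shard    = substr($name, 0, 2);       // keeps any single directory small
    $relative = $shard . '/' . $name . '.' . ALLOWED_MIME[$mime];

    $dir = $uploadRoot . '/' . $shard;
    if (!is_dir($dir) && !mkdir($dir, 0750, true)) {
        throw new RuntimeException('Could not create upload directory');
    }
    // move_uploaded_file() refuses anything that was not an HTTP upload.
    if (!move_uploaded_file($tmpPath, $uploadRoot . '/' . $relative)) {
        throw new RuntimeException('Could not store upload');
    }
    return $relative;
}
```

Unguessable paths stop enumeration, not access: if a file is meant to be private, it should be served through a script that checks the requester's permission against the owning record and then streams it, rather than from a directory the web server exposes directly.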
Why can I change the site's colors?
We believe that you should be able to make our platform your own. Therefore, you may choose your own color theme which will be seen around the site and when anyone views your profile. You can customize the colors of characters, user profiles, and artist's pages.