The server

The server do not allow SSH connections using passwords.
The only user allowed to remotely access the server requires a key with a pass phrase and this user is not the root user, but it belongs to the sudoers group.
The user that runs the application do not belong to the sudoers group.

The application

This instance does not have SSL enabled, even though the LynxChan engine supports it.
The database is not encrypted, allows only local connections and do not require authentication.

Deletion passwords

Deletion passwords are stored in plain text and are not meant to be secure. If you wish to make sure you can't be tracked without your ip, do not provide a deletion password when posting.


Every posting has it's ip recorded. Except for TOR users.
The first half of the ip can be seen by the global staff and board staff. Ex: "" will be displayed as "1.2" to both global and board staff where the post was made.

A hashed and salted version of the ip will also be available for the same people mentioned on the previous item. The salt is randomly generated for boards and is not available for anyone without direct access to the database.
However, root users are able to see the actual ip of the user and potentially enable for any member of the global staff to see clear ips too. In this instance, only root users are allowed to see real ips.

If enabled by the board owner, a thread-wise id will be displayed on the post. This thread-wise id uses a randomly generated salt to the thread, allowing for everyone to identify postings from the same ip in a thread.
The thread salt is as private as the board salt and is not based on the board salt.
Conclusion: the staff can identify the same user inside a board, ids allows anyone to identify the same user inside a thread, the sysadmin has access to all ips used to post on the whole site, root users can also see that and can enable other global staff member to access them.


Cookies are only required for using the block bypass or a moderation account and are not associated in any shape or form to your posts.


The placeholder front-end does not link any external resources and do not require the user to run javascript at all.