FAQ

Common questions.

Short answers. For longer explanations of any of these, the docs have a dedicated page per topic.

Is Husk actually open source?
Partially, on purpose. The trust-critical crypto modules — profile encryption, vault sealing, encrypted notes, key derivation — are open at github.com/runhusk/husk-crypto under Apache 2.0. The rest of the browser source (UI, IPC, WebView2 plumbing, adblock pipeline) stays closed and is served only as the published binary. That binary is what the SHA-256 on the download page commits to.
Why not just fork Firefox / Chromium?
Both engines are huge. Auditing a fork would mean tracking every upstream change in a tree of millions of lines. Husk's own code is small enough that one person can keep the whole threat model in their head — the engine itself is WebView2, which we configure narrowly and treat as a sandboxed renderer. The day a non-Chromium engine becomes embedding-ready on Windows, we'll evaluate the switch.
Does Husk send anything home?
No. There is no telemetry, no crash reporter, no usage stats, no analytics SDK. The binary has no analytics SDK because we didn't ship one. The only outbound traffic Husk initiates on its own is the DoH lookup to your chosen DNS provider, and only if you have DoH enabled.
What is the duress slot?
An optional second phrase for the vault that opens a decoy vault instead of your real one. Designed for the moment someone insists you unlock — you type the duress phrase, they see a populated, plausible-looking credentials manager, and your real vault stays invisible. Both blobs are padded to the same fixed size so the on-disk footprint can't tell them apart. Full guide: /docs/vault.
What happens if I forget my phrase?
The encrypted profile is unrecoverable. There is no recovery email, no backup keyfile we hold, no support flow that decrypts on your behalf. The design refuses to give Husk the power to decrypt against your will — which is the same property that makes the encryption useful in the first place. Pick a phrase you can remember without writing down.
Why portable-only at v0.1?
A regular Windows installer writes to Program Files, the registry, the Start menu, and %APPDATA% — the exact breadcrumbs Husk exists to avoid. The portable build IS the install model: extract, run, delete the folder when done. An optional traditional installer may ship in v0.2 as an extra artifact, but the portable build will stay the default.
Will Husk run on macOS or Linux?
Targeted for v0.2. The Rust core already builds for both — wry binds WKWebView on macOS and WebKitGTK on Linux. The ports need work on platform plumbing (boss-key shortcut, single-instance gate, taskbar integration) before they ship with the same privacy guarantees as Windows.
What does the boss key actually do?
F9 turns every Husk window across every running profile into a functional calculator. Window title, taskbar icon, Alt-Tab preview and audio all switch. The calculator buttons work — if someone interrupts you, they should see something they could plausibly believe you were just using. Press F9 again to flip back. State is shared across processes via Windows named events.
Is the request interceptor a real Burp replacement?
For light work, yes — pause and edit any request, drop it, replay with edits, capture responses before the page sees them. For real pentesting work, no — Burp and Caido have a decades-long head start on scoping, scanner, repeater, intruder. Husk's interceptor is built in so you don't reach for a separate tool for quick checks, and it redacts sensitive headers (Cookie, Authorization, X-API-Key) before they hit the chrome JS heap.
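A sketch of how redacting those three headers can work, as an added example in Rust that is not Husk's own code. The function names and the `[redacted]` mask are assumptions, and the sample request is constructed. It matches header names case-insensitively, keeps the Authorization scheme, and drops folded continuation lines of a redacted header so a secret cannot survive on the next line.

```rust
// Added example, not Husk's implementation. Header list is the one the FAQ names.
const SENSITIVE: [&str; 3] = ["cookie", "authorization", "x-api-key"];
const MASK: &str = "[redacted]"; // assumed placeholder text

// Header names are case-insensitive, so compare in lowercase.
fn is_sensitive(name: &str) -> bool {
    SENSITIVE.contains(&name.trim().to_ascii_lowercase().as_str())
}

fn redact(name: &str, value: &str) -> String {
    // Keep the Authorization scheme (e.g. "Bearer"); drop the credential.
    if name.trim().eq_ignore_ascii_case("authorization") {
        if let Some((scheme, _)) = value.split_once(' ') {
            return format!("{}: {} {}", name, scheme, MASK);
        }
    }
    format!("{}: {}", name, MASK)
}

/// Redact the head (request line + headers) of a raw HTTP/1.1 request.
pub fn redact_head(raw: &str) -> String {
    // Anything after the blank line (the body) is not returned.
    let head = raw.split("\r\n\r\n").next().unwrap_or("");
    let mut out: Vec<String> = Vec::new();
    let mut in_secret = false; // inside a sensitive header and its continuations
    for (i, line) in head.split("\r\n").enumerate() {
        if i == 0 {
            out.push(line.to_string()); // request line: may contain ':' in the URL
        } else if line.starts_with(' ') || line.starts_with('\t') {
            // Folded continuation line: it belongs to the previous header.
            if !in_secret { out.push(line.to_string()); }
        } else {
            match line.split_once(':') {
                Some((name, value)) if is_sensitive(name) => {
                    in_secret = true;
                    out.push(redact(name, value.trim()));
                }
                _ => { in_secret = false; out.push(line.to_string()); }
            }
        }
    }
    out.join("\r\n")
}

fn main() {
    // Constructed sample request, not captured traffic.
    let raw = "GET /items?t=12:30 HTTP/1.1\r\nHost: example.test\r\ncookie: sid=abc\r\n ;x=1\r\nAuthorization: Bearer tok\r\nX-Api-Key: k1\r\n\r\n";
    println!("{}", redact_head(raw));
}
```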
Can a website detect that I'm using Husk?
It can detect that you're on WebView2 (visible via user-agent unless spoofed) and it can detect the absence of certain APIs Husk neuters. It can't detect Husk-specific globals — we explicitly avoid leaving any. The fingerprint spoof itself is detectable in theory (canvas / audio outputs are noisy where a clean WebView2 wouldn't be), but only if the site already suspects you of running counter-fingerprinting tooling.
What if my SHA-256 doesn't match?
Do not run the file. The file you have is not the file we shipped — that's the entire reason we publish hashes. Open an issue at github.com/runhusk/husk or email security@husk.run so we can investigate. Include where you downloaded it from and what hash you got.
How do I report a security issue?
Email security@husk.run. Include enough detail to reproduce — version, OS, steps, expected vs observed. Please hold off on public disclosure for at least 30 days from our acknowledgement. Credit goes in the changelog unless you opt out. Full disclosure flow: /security#disclose.