Security
Last updated: 2026-06-13
Infrastructure
Production traffic is served over HTTPS with HSTS on public marketing and app routes.
Application secrets are stored in environment configuration, not in client bundles.
Data protection
Data is encrypted in transit on public and authenticated routes. Access controls on the dashboard and server actions are scoped to the workspace.
Payment data is handled by Stripe and Paddle; card numbers are not stored on our servers.
Operational security
Webhook handling for payment providers is idempotent. Uploads are stored on the persistent volumes configured for each deployment.
- Session cookies for dashboard auth
- Per-workspace Stripe/Paddle keys
- Webhook event deduplication