Security
Encryption
- All secrets encrypted at rest with AES-256-GCM
- Encryption key derived via scrypt with per-value salt
- Environment variable values never returned via any API
- Git tokens and database passwords encrypted before storage
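
The scheme in the Encryption list above, as an added Node.js example (not the project's own code). The function names, the `salt || iv || tag || ciphertext` layout, Node's default scrypt cost parameters, and binding a record identifier as additional authenticated data are assumptions.

```javascript
// Added example: per-value scrypt salt + AES-256-GCM, using Node's built-in crypto.
const nodeCrypto = require('node:crypto');

const SALT_LEN = 16; // assumption: 128-bit random salt per stored value
const IV_LEN = 12;   // 96-bit nonce, the standard size for GCM
const TAG_LEN = 16;  // 128-bit authentication tag

// Derive a 32-byte AES-256 key from the master secret and this value's salt.
// Cost parameters are Node's scrypt defaults (N=16384, r=8, p=1).
function deriveKey(masterSecret, salt) {
  return nodeCrypto.scryptSync(masterSecret, salt, 32);
}

// Returns base64(salt || iv || tag || ciphertext). `context` (hypothetical, e.g. a
// record id) is bound as AAD so a blob copied onto another record fails to decrypt.
function encryptSecret(masterSecret, plaintext, context = '') {
  const salt = nodeCrypto.randomBytes(SALT_LEN);
  const iv = nodeCrypto.randomBytes(IV_LEN);
  const cipher = nodeCrypto.createCipheriv('aes-256-gcm', deriveKey(masterSecret, salt), iv);
  cipher.setAAD(Buffer.from(context, 'utf8'));
  const ct = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  return Buffer.concat([salt, iv, cipher.getAuthTag(), ct]).toString('base64');
}

// Throws if the blob is truncated, modified, or presented with a different context.
function decryptSecret(masterSecret, blob, context = '') {
  const raw = Buffer.from(blob, 'base64');
  if (raw.length < SALT_LEN + IV_LEN + TAG_LEN) throw new Error('ciphertext too short');
  const salt = raw.subarray(0, SALT_LEN);
  const iv = raw.subarray(SALT_LEN, SALT_LEN + IV_LEN);
  const tag = raw.subarray(SALT_LEN + IV_LEN, SALT_LEN + IV_LEN + TAG_LEN);
  const ct = raw.subarray(SALT_LEN + IV_LEN + TAG_LEN);
  const decipher = nodeCrypto.createDecipheriv(
    'aes-256-gcm', deriveKey(masterSecret, salt), iv, { authTagLength: TAG_LEN });
  decipher.setAAD(Buffer.from(context, 'utf8'));
  decipher.setAuthTag(tag);
  // final() verifies the tag; nothing is returned unless authentication succeeds.
  return Buffer.concat([decipher.update(ct), decipher.final()]).toString('utf8');
}
```

Because the salt and nonce are random per call, encrypting the same value twice yields different blobs, so equal secrets are not visible as equal ciphertexts in storage.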
Authentication
- Supabase Auth with JWT session management
- All dashboard routes require authentication
- All API routes verify resource ownership
- API keys hashed with SHA-256, shown once on creation
Input validation
- Commands validated against safe character allowlist
- Git URLs restricted to HTTPS protocol only
- Cron expressions validated for correct format
- Domains validated per RFC specification
- No user input interpolated into shell commands
Container isolation
- Each project runs in its own Docker network
- App containers run as non-root user
- No privileged containers
- No host network mode for user apps
Rate limiting
- Auth routes: 10 requests/minute/IP
- Deploy trigger: 5 requests/minute/user
- Git operations: 30 requests/minute/user
- API keys: 60 requests/minute/key
- All other routes: 100 requests/minute/user
Reporting vulnerabilities
Report security issues to security@joeybuilt.com. Do not open public GitHub issues for security vulnerabilities.