Trust

Security & privacy

How we protect data across the platform.

Security is built into every layer of Devlune Webmaster. This page summarizes the controls referenced throughout the docs.

Data protection

  • No cookies and no cross-site tracking — nothing to consent to.
  • Visitor IPs are salted and SHA-256 hashed at the edge; raw IPs are never stored.
  • Row-Level Security (RLS) isolates every workspace's data in the database.
  • Form file uploads live in a private bucket, reachable only via short-lived signed URLs.

Abuse & integrity

  • Per-IP rate limiting on analytics, counter, form, and upload endpoints.
  • Origin allowlists ensure only your domains can send data.
  • Single-use, short-lived HMAC tokens protect form submissions from replay.
  • Always-on honeypot plus optional Turnstile CAPTCHA filter form spam.

Access control

  • Role-based workspace access (owner, admin, member, viewer).
  • API keys are read-only, workspace-scoped, stored only as hashes, and revocable instantly.
  • Webhook payloads are signed with HMAC-SHA256 so you can verify authenticity.

Responsible disclosure

Found a vulnerability? Email security@devlune.in. Please don't disclose publicly until we've had a chance to fix it.