Trust
Security & privacy
How we protect data across the platform.
Security is built into every layer of Devlune Webmaster. This page summarizes the controls referenced throughout the docs.
Data protection
- No cookies and no cross-site tracking — nothing to consent to.
- Visitor IPs are salted and SHA-256 hashed at the edge; raw IPs are never stored.
- Row-Level Security (RLS) isolates every workspace's data in the database.
- Form file uploads live in a private bucket, reachable only via short-lived signed URLs.
Abuse & integrity
- Per-IP rate limiting on analytics, counter, form, and upload endpoints.
- Origin allowlists ensure only your domains can send data.
- Single-use, short-lived HMAC tokens protect form submissions from replay.
- Always-on honeypot plus optional Turnstile CAPTCHA filter form spam.
Access control
- Role-based workspace access (owner, admin, member, viewer).
- API keys are read-only, workspace-scoped, stored only as hashes, and revocable instantly.
- Webhook payloads are signed with HMAC-SHA256 so you can verify authenticity.
Responsible disclosure
Found a vulnerability? Email security@devlune.in. Please don't disclose publicly until we've had a chance to fix it.
