EndpointOS hosts production APIs for its customers. We take security as seriously as you take the customers who call those APIs. This page lists the controls actually in place today, not aspirations or marketing language.
If you believe you have discovered a vulnerability, please email support@baseframelabs.com with steps to reproduce. We will acknowledge within two business days and keep you informed as we triage and fix.
Account security
- Password handling. Authentication is built on Supabase Auth, which verifies and stores credentials; our own application code never sees or stores your password in plaintext.
- Account lockout. Repeated failed sign-ins on the same email progressively throttle and ultimately lock the account, with an audit row written when the lock applies.
- Login telemetry. Each successful sign-in is recorded with the source IP address and user-agent. A sign-in from an IP address not previously seen on your account is flagged with a "New location" badge in your settings.
- Audit log. Sensitive actions (key creation, rotation, revocation, project edits, contract publishes, webhook changes, exports of your own data) are recorded in an immutable audit log that you can filter and export from your account settings.
API keys and secrets
- Hashed at rest. Public API keys are stored as salted hashes; the plaintext value is shown to you exactly once at creation.
- Encrypted secrets. Webhook signing secrets are encrypted at rest with AES-256-GCM using a server-only key.
- Rotation with grace. API keys can be rotated with a configurable grace window so the old key keeps working while you roll the new one out.
- Per-key and per-IP throttles. The public API enforces per-key per-minute rate limits and a per-IP throttle on authentication-path endpoints.
- Per-consumer quotas. If you organise traffic by consumer, each consumer can have its own monthly request limit independent of project limits.
Public API protections
- Body guards. JSON request bodies are size-capped at 256 KB, depth-bounded, and parsed with a reviver that discards prototype-polluting keys.
- IP allowlist per project. Optional allowlist of source IPv4 and IPv6 ranges (including IPv4-mapped IPv6 and CGNAT coverage).
- Bot heuristics. Common automation signatures are flagged and throttled before they reach your endpoint.
- Secret redaction. Request and response bodies are redacted for credential-shaped fields before being stored in request logs.
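The body guards above, as an added example that is not EndpointOS code: a byte cap, a nesting-depth bound checked on the raw text before anything is parsed, and a `JSON.parse` reviver that drops `__proto__`, `constructor` and `prototype` keys. The 256 KB cap matches the figure above; the depth limit of 32, the key set and the error shape are assumptions for illustration.

```javascript
// Added example, not EndpointOS code: parse an untrusted JSON body with a
// byte cap, a nesting-depth bound, and a reviver that drops prototype-polluting
// keys. The depth limit and forbidden-key set are assumptions for illustration.
const MAX_BYTES = 256 * 1024;
const MAX_DEPTH = 32;
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

class BodyRejected extends Error {
  constructor(reason) {
    super(`body rejected: ${reason}`);
    this.reason = reason;
  }
}

// Depth is measured on the raw text before JSON.parse runs, so a pathological
// "[[[[...]]]]" body is refused without ever building the nested structure.
// Brackets inside string literals are skipped, escapes included.
function maxNestingDepth(text) {
  let depth = 0, max = 0, inString = false, escaped = false;
  for (const ch of text) {
    if (inString) {
      if (escaped) escaped = false;
      else if (ch === '\\') escaped = true;
      else if (ch === '"') inString = false;
      continue;
    }
    if (ch === '"') inString = true;
    else if (ch === '{' || ch === '[') { depth++; if (depth > max) max = depth; }
    else if (ch === '}' || ch === ']') depth--;
  }
  return max;
}

// Reviver: returning undefined deletes the key from the parsed result, so a
// client cannot plant "__proto__" or "constructor" entries that later reach
// Object.prototype when the body is merged or spread into server-side objects.
function safeReviver(key, value) {
  return FORBIDDEN_KEYS.has(key) ? undefined : value;
}

function parseBody(raw) {
  const text = Buffer.isBuffer(raw) ? raw.toString('utf8') : String(raw);
  if (Buffer.byteLength(text, 'utf8') > MAX_BYTES) throw new BodyRejected('too_large');
  if (maxNestingDepth(text) > MAX_DEPTH) throw new BodyRejected('too_deep');
  try {
    return JSON.parse(text, safeReviver);
  } catch {
    throw new BodyRejected('malformed');
  }
}

// Convenience wrapper for callers that prefer a result object to exceptions.
function tryParse(raw) {
  try {
    return { ok: true, value: parseBody(raw) };
  } catch (e) {
    if (e instanceof BodyRejected) return { ok: false, reason: e.reason };
    throw e;
  }
}
```

Check the size against the raw bytes, not the decoded object, and do it before the depth scan so the cheapest rejection runs first; both checks run before `JSON.parse` allocates anything.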
Webhook deliveries
- Stripe-pattern signing. Every outbound payload is signed with HMAC-SHA256 using your per-endpoint secret. The signed string includes a fresh timestamp, so your receiver can reject a delivery whose timestamp falls outside a short tolerance window instead of accepting a replayed copy.
- SSRF guard. The endpoint URL is resolved and its addresses are checked against private and reserved ranges on every attempt, including each retry, so a hostname that is later rebound to an internal address (DNS rebinding) is caught rather than reached.
- At-least-once delivery. Failed attempts are retried with exponential backoff for roughly 24 hours before the delivery is abandoned, and every attempt is recorded in a persistent delivery log you can inspect from the dashboard. Because delivery is at least once, your endpoint should handle the same event arriving more than once.
Web app hardening
- Content Security Policy. Strict CSP without unsafe-eval; we are progressively moving inline styles and scripts to per-request nonces.
- CSRF defence. All internal mutation endpoints require a same-origin token; server actions verify the request origin.
- Cache headers. Internal endpoints are served with no-store.
- Type-to-confirm. Destructive actions such as project deletion require typing the project name to confirm.
Infrastructure
- Hosting. The Service runs on Vercel with traffic terminated in their global edge network.
- Database. Managed Postgres on Supabase with Row Level Security enabled on the public tables.
- Backups. Continuous database backups with point-in-time recovery for up to 35 days.
- Encryption in transit. All public traffic is served over HTTPS.
Operational practices
- Health endpoint. /api/health exposes liveness so upstream monitors can react to degradations.
- Smoke tests. Production smoke tests run on every deploy.
- Dependency audit. npm audit runs as part of the standard verification before shipping security-adjacent changes.
- Source scanning. Static analysis catches accidental secret patterns before they land in the repository.
Shared responsibility
You remain responsible for the API keys you distribute, the request bodies your clients send through the Service, the access mode you choose for each resource, and the security of your own client applications. We provide the controls; you decide how to use them.
Get in touch
Questions, suggestions, or a security report? Email support@baseframelabs.com or visit the contact page.
Responsible disclosure
We ask researchers to give us a reasonable window to respond before publishing details, and to avoid testing against accounts that are not their own. In return we will acknowledge your finding publicly (with your permission) and credit you in our release notes.