Our Security Practices

Encryption at Rest

All sensitive data, including stored API request headers and tokens, is encrypted at rest with AES-256.

Encryption in Transit

All connections use TLS 1.2+ (HTTPS). HTTP is redirected to HTTPS.

Password Security

Passwords are hashed with bcrypt at a cost factor of at least 12 and are never stored in plain text.

Session Security

Session tokens are stored only as SHA-256 digests; the raw token is never written to the database.

Rate Limiting

All authentication endpoints are rate limited to 5 attempts per 15 minutes per client IP address.
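
The limit above, implemented as a sliding-window counter. This is an added example and not Endpoint Tracker's own code: the in-memory store, the class and function names, and the injectable clock are assumptions made for demonstration.

```python
"""Sliding-window rate limiter for authentication endpoints:
5 attempts per 15 minutes per client IP.

Added example, not Endpoint Tracker's own code. The in-memory store,
the names below and the injectable clock are assumptions made for
demonstration; a multi-instance deployment would keep the counters
in a shared store instead of process memory.
"""
import time
from collections import defaultdict, deque
from typing import Callable, Deque, Dict, List

MAX_ATTEMPTS = 5
WINDOW_SECONDS = 15 * 60


class LoginRateLimiter:
    def __init__(self, now: Callable[[], float] = time.monotonic) -> None:
        self._now = now
        # client IP -> timestamps of the attempts still inside the window
        self._attempts: Dict[str, Deque[float]] = defaultdict(deque)

    def _live_attempts(self, ip: str) -> Deque[float]:
        """Drop timestamps older than the window and return what remains."""
        now = self._now()
        q = self._attempts[ip]
        while q and now - q[0] >= WINDOW_SECONDS:
            q.popleft()
        return q

    def allow(self, ip: str) -> bool:
        """Record one attempt for ip; return False if the budget is exhausted.

        Rejected attempts are not recorded, so a client that keeps retrying
        while blocked does not push its own unblock time further out.
        """
        q = self._live_attempts(ip)
        if len(q) >= MAX_ATTEMPTS:
            return False
        q.append(self._now())
        return True

    def retry_after(self, ip: str) -> float:
        """Seconds until the oldest counted attempt leaves the window; 0 if not blocked."""
        q = self._live_attempts(ip)
        if len(q) < MAX_ATTEMPTS:
            return 0.0
        return WINDOW_SECONDS - (self._now() - q[0])


def demo() -> List[bool]:
    """Drive the limiter with a fake clock (constructed input, no real traffic)."""
    clock = [0.0]
    limiter = LoginRateLimiter(now=lambda: clock[0])
    ip = "203.0.113.7"
    results = [limiter.allow(ip) for _ in range(6)]  # five allowed, sixth blocked
    clock[0] += WINDOW_SECONDS                        # 15 minutes later
    results.append(limiter.allow(ip))                 # oldest attempt expired: allowed again
    return results


def demo_retry_after() -> List[float]:
    """Show the Retry-After value a blocked client would be told (constructed input)."""
    clock = [100.0]
    limiter = LoginRateLimiter(now=lambda: clock[0])
    ip = "198.51.100.2"
    for _ in range(MAX_ATTEMPTS):
        limiter.allow(ip)
    waits = [limiter.retry_after(ip)]                  # blocked: full window left
    clock[0] += 300.0
    waits.append(limiter.retry_after(ip))              # 5 minutes later: 10 minutes left
    waits.append(limiter.retry_after("198.51.100.3"))  # other IPs have their own budget
    return waits


if __name__ == "__main__":
    print(demo(), demo_retry_after())
```

Two caveats when keying on IP: behind a reverse proxy (as on a hosted platform) the application sees the proxy's address unless it reads the client address from a header the proxy is trusted to set, and only that header; and clients behind a shared NAT share one budget, which is why a per-account counter is usually layered on top of the per-IP one.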

CSRF Protection

All state-changing requests require a valid per-session CSRF token.
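
The session-token practice (raw token never stored, only its SHA-256 digest) and the per-session CSRF practice above, shown together in one added Python example that is not Endpoint Tracker's own code. The dict standing in for the sessions table and the class and function names are assumptions made for demonstration.

```python
"""Session tokens persisted only as SHA-256 digests, plus a per-session CSRF token.

Added example, not Endpoint Tracker's own code. The dict standing in for
the sessions table and the names below are assumptions made for demonstration.
"""
import hashlib
import hmac
import secrets
from typing import Dict, Optional


def token_digest(raw_token: str) -> str:
    """Hex SHA-256 of a raw token; this, never the raw token, is what gets persisted.

    An unsalted fast hash is appropriate here because the token itself carries
    256 bits of randomness, which is exactly what a password lacks.
    """
    return hashlib.sha256(raw_token.encode("utf-8")).hexdigest()


class SessionStore:
    """Stand-in for a sessions table keyed by token digest (assumed schema)."""

    def __init__(self) -> None:
        self._rows: Dict[str, dict] = {}  # digest -> {"user_id": ..., "csrf": ...}

    def create(self, user_id: int) -> str:
        """Open a session and return the raw token for the Set-Cookie header.

        Only the digest and the session's CSRF token are stored, so a copy of
        the table (backup, SQL injection read) yields no usable cookie.
        """
        raw = secrets.token_urlsafe(32)         # 256 bits from the OS CSPRNG
        self._rows[token_digest(raw)] = {
            "user_id": user_id,
            "csrf": secrets.token_urlsafe(32),  # independent per-session CSRF secret
        }
        return raw

    def lookup(self, raw_token: str) -> Optional[dict]:
        """Resolve a cookie value: hash it and look the digest up, as a DB index would."""
        return self._rows.get(token_digest(raw_token))

    def csrf_token_for(self, raw_token: str) -> Optional[str]:
        """Value to embed in forms or a request header for this session."""
        row = self.lookup(raw_token)
        return None if row is None else row["csrf"]

    def check_csrf(self, raw_token: str, submitted: Optional[str]) -> bool:
        """Accept a state-changing request only if the submitted token matches the
        one bound to this session; compare_digest keeps the comparison constant-time."""
        row = self.lookup(raw_token)
        if row is None or not submitted:
            return False
        return hmac.compare_digest(row["csrf"], submitted)

    def revoke(self, raw_token: str) -> None:
        """Logout: drop the row for this token's digest."""
        self._rows.pop(token_digest(raw_token), None)

    def stores_raw_token(self, raw_token: str) -> bool:
        """Audit check: does the raw token appear anywhere in the persisted rows?"""
        for digest, row in self._rows.items():
            if raw_token == digest or raw_token in row.values():
                return True
        return False


def demo() -> Dict[str, bool]:
    """Walk one session through its life cycle (constructed, no real requests)."""
    store = SessionStore()
    raw = store.create(42)
    csrf = store.csrf_token_for(raw)
    tampered = csrf[:-1] + ("A" if csrf[-1] != "A" else "B")
    checks = {
        "lookup_by_cookie": store.lookup(raw)["user_id"] == 42,
        "unknown_cookie_rejected": store.lookup("not-a-real-token") is None,
        "raw_token_not_persisted": not store.stores_raw_token(raw),
        "csrf_valid": store.check_csrf(raw, csrf),
        "csrf_tampered_rejected": not store.check_csrf(raw, tampered),
        "csrf_missing_rejected": not store.check_csrf(raw, None),
    }
    store.revoke(raw)
    checks["revoked_cookie_rejected"] = store.lookup(raw) is None
    return checks


if __name__ == "__main__":
    print(demo())
```

The digest lookup can be a plain indexed equality query because learning a digest does not let an attacker produce the cookie that hashes to it; the CSRF comparison, by contrast, is between two secrets the attacker may try to guess byte by byte, so it uses a constant-time compare. The CSRF token must travel in a form field or custom header, not only in a cookie, since the browser attaches cookies to cross-site requests on its own.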

Data We Don't Store

By design, Endpoint Tracker never stores:

  • Actual API response values or bodies
  • Plain text passwords
  • Raw session or API key tokens
  • Payment card details (handled entirely by Paystack)
  • Personal data from your monitored API responses

Infrastructure Security

Endpoint Tracker is hosted on Railway's infrastructure with:

  • Automatic SSL certificate provisioning and renewal
  • PostgreSQL database with encrypted connections
  • Environment variables for all secrets (never in code)
  • Regular dependency updates and security patches

Responsible Disclosure

Found a security vulnerability?

Please email us at support@endpointtracker.com with details. We will respond within 48 hours, work with you to understand and fix the issue, and credit you in our security acknowledgements if desired.

Please do not publicly disclose vulnerabilities before we have had a chance to address them. We ask for a 90-day responsible disclosure window.

In Scope

  • Authentication and session management vulnerabilities
  • Data exposure or unauthorised data access
  • Cross-site scripting (XSS) or injection vulnerabilities
  • API authentication bypass

Out of Scope

  • Denial of service attacks
  • Social engineering or phishing attacks
  • Issues in third-party services we use (Railway, Paystack, Resend)