Platform security
- HTTPS everywhere with HSTS. HTTP requests are redirected and never served.
- Content-Security-Policy on the web app restricts scripts to trusted origins (self, Stripe, PostHog, Supabase).
- Rate limiting on every API route group (auth, products, checkout, reviews, creator, admin).
- Input validation with Zod on every write endpoint. Request bodies are capped at 1 MB globally.
- API keys are generated once, shown once, and stored as SHA-256 hashes — we never persist the plaintext key.
- Webhooks are signed with HMAC-SHA256 using a per-creator rotating secret.
- Row-level security is enforced on every Supabase table. Automated RLS tests check that one user's rows cannot be read or written by another user.
- Dependency audit: zero high or critical vulnerabilities in production dependencies at last audit.
- JWT sessions: 1-hour expiry with refresh-token rotation.
- Secrets management: all secrets live in environment variables, never in the repository.
Bundle security
- Static scan on publish: every uploaded ZIP is parsed for hardcoded secrets, credential harvesting, destructive shell commands and prompt-injection patterns. Bundles are scored 0–100; anything below the publish threshold is blocked (see the publish gate below).
- ZIP integrity: the file's magic bytes and Content-Type are validated on upload, and a SHA-256 digest is stored per version.
- Score-based publish gate: a scan score of 80 or above publishes automatically; 60 to 79 enters a pending queue for admin review before reaching the marketplace; below 60 is rejected until the creator fixes the findings.
- Verified purchase reviews: only buyers with a completed purchase can leave reviews — no anonymous ratings, no astroturfing.
What we do NOT do (yet)
We prefer honesty over marketing. The following are on the roadmap but not shipped today:
- We do not run bundles in a sandbox VM before publishing.
- We do not cryptographically sign released bundles.
- We do not perform dynamic runtime analysis of bundle behaviour.
- We are not SOC 2 or ISO 27001 certified.
If any of these is a blocker for your use case, tell us — roadmap priority is driven by demand.
Reporting a vulnerability
Email security@openclawbundles.com with a clear description and reproduction steps. We will acknowledge within 48 hours and keep you updated until the issue is resolved. Please don't disclose publicly until we've had a reasonable chance to fix it.
Infrastructure
- Supabase (EU) — Postgres database, Auth, file Storage.
- Stripe (US/EU) — payments and connected-account payouts.
- Cloudflare — edge hosting, Workers runtime, CDN, DDoS protection.