Security at Shadey

Last updated: March 24, 2026

Infrastructure

Single dedicated Hetzner server (not shared cloud). No multi-tenant infrastructure. Your sessions run on bare metal.

Encryption

API keys hashed with Argon2id (OWASP 2025 parameters). Key database encrypted with SQLCipher (AES-256). All traffic over TLS 1.3 via Caddy auto-TLS.

Session Isolation

Each session gets its own Chrome process, unique fingerprint seed, and isolated profile directory.

  • Sessions are bound to API keys — no cross-customer access (BOLA protection)
  • 128-bit session IDs (UUID v4)

Access Control

  • Rate limiting: 10 req/sec per API key, 30 req/sec per IP
  • Concurrency: Session limits enforced per plan
  • Input validation: All endpoints validated
  • SSRF protection: URL parsing blocks localhost, metadata endpoints, private IPs, and IPv6-mapped addresses

Data Handling

Session data (cookies, screenshots, page content) exists only during the session lifetime. On session destroy, all data is wiped.

Saved profiles are encrypted on disk with 30-day auto-expiry.

Monitoring

  • Structured JSON audit logging
  • Prometheus metrics
  • Graceful shutdown destroys all sessions

Compliance

SOC 2 Type II — in progress. Contact security@shadey.dev for our current security questionnaire responses.

Report a Vulnerability

Report vulnerabilities to security@shadey.dev

Status

Real-time status at status.shadey.dev

Back to Home