Security at WebPeel

Security is not a feature — it's the foundation.

Last updated: March 22, 2026

✓ TLS 1.3 Everywhere ✓ Zero Content Storage ✓ SSRF Protected ✓ EU-Hosted (GDPR) ✓ HMAC Webhooks ✓ 0 npm Vulnerabilities

🗄️ Data Handling

We built WebPeel with a minimal-data philosophy from day one.

No content storage: We never store fetched page content — only metadata (URL, timestamp, response time). What you fetch stays yours.
Streamed responses: API responses are streamed directly to you, not cached on our servers. Your data doesn't touch our disk.
Zero Data Retention mode: Available for enterprise customers — no metadata logs, no usage records. Contact us to enable.
Transparent headers: Every API response includes X-Data-Retention: metadata-only so you always know exactly what we retain.

🏗️ Infrastructure Security

TLS 1.3: All traffic is encrypted in transit. HTTP is not served — every request is redirected to HTTPS.
EU hosting: Our API runs on Hetzner Cloud (Germany/EU) with full-disk encrypted volumes and physical datacenter security.
Kubernetes (K3s): Containerized workloads with network policies that restrict pod-to-pod communication to only what's needed.
Traefik + Let's Encrypt: Automated TLS certificate provisioning and renewal via ACME. Zero manual cert management.
HSTS with preload: Strict-Transport-Security: max-age=31536000; includeSubDomains; preload enforced on all responses.

🛡️ Application Security

SSRF protection: All fetch targets are validated before requests are made. We block localhost, 127.x.x.x, 10.x.x.x, 172.16–31.x.x, 192.168.x.x, cloud metadata endpoints (169.254.169.254), and the file:// protocol.
Rate limiting: Sliding window rate limits are enforced per API key, per tier — preventing both abuse and runaway client code.
Input validation: URL length caps, protocol allow-listing, and content-type enforcement on every request.
SQL injection prevention: Parameterized queries exclusively. Raw SQL string interpolation is not used anywhere in our codebase.
Security headers: We use Helmet.js to set X-Frame-Options: DENY, X-Content-Type-Options: nosniff, X-XSS-Protection, and a strict Content-Security-Policy on all responses.
Dependency auditing: We run npm audit in CI on every deploy. Current status: 0 known vulnerabilities.

🔑 Authentication

OAuth 2.0 only: We authenticate via Google OAuth. No passwords are stored — ever. There's nothing to breach.
Hashed API keys: API keys are hashed with SHA-256 before storage. Even if our database were compromised, raw keys would not be exposed.
Key scopes: API keys support granular permission scopes, so you can issue keys with only the access they need.
Audit logging: Every API request is logged with key ID, endpoint, timestamp, and result code — available in your dashboard.

🪝 Webhook Security

All webhook deliveries from WebPeel are signed so you can verify they're legitimate.

HMAC-SHA256 signatures: Each webhook payload is signed using your webhook secret.
Timestamp replay protection: A X-WebPeel-Timestamp header is included in every delivery. Reject webhooks older than 5 minutes.

Verify a webhook delivery in Node.js:

const crypto = require('crypto');

function verifyWebhook(payload, signature, secret, timestamp) {
  // Reject if timestamp is older than 5 minutes
  const age = Math.abs(Date.now() / 1000 - parseInt(timestamp));
  if (age > 300) throw new Error('Webhook timestamp too old');

  const signed = crypto
    .createHmac('sha256', secret)
    .update(`${timestamp}.${payload}`)
    .digest('hex');

  return crypto.timingSafeEqual(
    Buffer.from(signature),
    Buffer.from(`sha256=${signed}`)
  );
}

🇪🇺 GDPR Compliance

Data deletion: Delete your account and all associated data via DELETE /v1/account or through your dashboard Settings.
EU infrastructure: All data is processed and stored on EU-hosted servers (Hetzner, Germany). No transatlantic transfers for primary data.
No tracking cookies: We use only essential session cookies for authentication. No analytics cookies, no ad trackers.
Privacy policy: Full details at webpeel.dev/privacy. See our privacy policy for complete data handling information.

🔍 Responsible Disclosure

Found a security vulnerability? We want to know.

Contact: Email security@webpeel.dev with a description of the issue and reproduction steps.
Response time: We commit to acknowledging all reports within 48 hours and providing a fix timeline within 7 days for confirmed issues.
Good faith: We will not take legal action against researchers who report issues responsibly and do not exploit or disclose them before a fix is released.
Credit: With your permission, we'll thank you in our changelog when the fix ships.

Questions about security?

Email us at security@webpeel.dev — we respond to every message.