Security

Infrastructure

• All traffic encrypted with TLS 1.3 (HTTPS enforced)
• Docker-based isolated deployment with resource limits
• PostgreSQL with parameterised queries (no raw string interpolation)
• Redis connections authenticated with password
• CORS restricted to configured origins (no wildcards in production)
• Rate limiting on all API endpoints (per-user and per-IP)

Authentication & Authorisation

• Discord OAuth2 for user authentication (no passwords stored)
• Session tokens via NextAuth with secure HTTP-only cookies
• HMAC-signed tokens for OBS/scene WebSocket connections
• Plan-based access control on all premium features
• Admin endpoints protected by IP whitelist + 2FA

Shader Sandboxing

• All shader compilation runs in sandboxed WebGL contexts
• Shader code validated against known dangerous patterns
• GPU time limits prevent infinite-loop denial of service
• Output file sizes capped per plan tier

Data Protection

• IP addresses are irreversibly hashed (HMAC-SHA256) before storage
• GDPR-compliant: users can delete all personal data via /api/user/delete
• Stripe handles all payment data — we never see card numbers
• Audit logs for admin actions

Monitoring

• Prometheus metrics with alerting (compilation failure rate, circuit breaker state)
• Security event monitoring with automated anomaly detection
• Structured logging with sensitive data redaction

Responsible Disclosure

If you discover a security vulnerability, please report it responsibly by emailing security@shaderbot.uk. We aim to acknowledge reports within 48 hours and provide a fix within 7 days for critical issues.

Please do not disclose vulnerabilities publicly until a fix has been released.