Security First

Your Links Are Safe With Us

Snipy is built with security at every layer — from password hashing and 2FA to SSRF protection and API key encryption. We protect your data so you can focus on growing.

Get Started Free Contact Security Team

Security Layers

99.9%

Uptime SLA

SHA-256

API Key Hashing

bcrypt

Password Hashing

Security Measures

A comprehensive overview of every security measure protecting your data on the Snipy platform.

SSRF Protection

Private IP blocking on all redirects prevents Server-Side Request Forgery attacks.

Blocks redirects to private/internal IP ranges (10.x, 172.16.x, 192.168.x, 127.x)
DNS rebinding protection with pre-resolution validation
Prevents access to cloud metadata endpoints (169.254.169.254)
Applied on every URL submission and redirect resolution

Bcrypt Password Hashing

All passwords are hashed with bcrypt using a work factor of 12 rounds.

Industry-standard bcrypt with 12 rounds of key stretching
Passwords are never stored in plain text or reversible encryption
Resistant to rainbow table and brute-force attacks
Automatic rehashing on login if work factor is increased

Two-Factor Authentication (TOTP)

Time-based one-time passwords with recovery codes for account protection.

TOTP compatible with Google Authenticator, Authy, and 1Password
8 single-use recovery codes generated on 2FA setup
Recovery codes are bcrypt-hashed before storage
2FA required for sensitive operations (password change, API key creation)

OAuth 2.0 Token System

Short-lived access tokens with long-lived refresh tokens for secure session management.

Access tokens expire after 1 hour
Refresh tokens valid for 30 days with rotation on use
Tokens cached in Redis with TTL = min(remaining, 300s)
Token revocation propagated immediately via Redis cache invalidation

Rate Limiting

Redis-based rate limiting protects against brute-force attacks and API abuse.

Authenticated API: 30 requests per 60 seconds
Authentication endpoints: 5 requests per 60 seconds
Per-user and per-IP tracking via Redis sorted sets
Sliding window algorithm for accurate rate enforcement

Altcha Proof-of-Work CAPTCHA

Privacy-friendly CAPTCHA that runs entirely in the browser without third-party tracking.

No third-party scripts, cookies, or tracking (unlike reCAPTCHA)
Proof-of-work challenge solved client-side in milliseconds
Server-side verification with HMAC signature validation
Applied on registration, contact, and report forms

Role-Based Access Control (RBAC)

Fine-grained permissions with 5 built-in roles and custom role support for Enterprise.

5 built-in roles: Admin, Manager, Editor, Analyst, Viewer
Permissions checked on every API endpoint and UI action
Team-scoped access — members only see their workspace data
Enterprise: custom roles with per-feature permission granularity

API Key Security

API keys are SHA-256 hashed before storage. Only the key prefix is retained for identification.

Full API key shown only once at creation — never stored in plain text
SHA-256 hash stored in database for authentication matching
8-character prefix stored for key identification (e.g., sk_live_abc12345...)
Instant revocation with Redis cache invalidation

Input Sanitization

All user-generated HTML content is sanitized with DOMPurify to prevent XSS attacks.

DOMPurify sanitization on all HTML content (bio pages, blog, CMS)
URL validation with protocol allowlisting (http, https only)
SQL injection prevented via parameterized queries (Drizzle ORM)
Content-Security-Policy headers for all web responses

CORS Protection

Strict Cross-Origin Resource Sharing policy limits API access to authorized origins.

API endpoints restricted to known frontend origins
Preflight (OPTIONS) requests validated before processing
Credentials only accepted from same-site requests
Public marketing endpoints use wildcard CORS for embeds

99.9% Uptime SLA

Enterprise-grade infrastructure with guaranteed availability and incident response.

Multi-region deployment with automatic failover
Health checks every 30 seconds on all services
Automated incident detection and alerting
Public status page with real-time service monitoring

Responsible Disclosure

Found a security vulnerability? We appreciate responsible disclosure. Please contact our security team at security@snipy.com and we will respond within 24 hours.

Report a Vulnerability

Ready to Supercharge Your Links?

Join 150,000+ marketers, creators, and businesses who trust Snipy for smarter link management.

Get Started Free View Pricing

No credit card required·14-day free trial on Pro·99.9% uptime SLA