Security at WebSentry

We build a security product — so we hold ourselves to the same standard we measure everyone else by.

HTTPS everywhere
Edge infrastructure
No data selling
Responsible disclosure

Encryption & Transport

All traffic between you and WebSentry is encrypted with TLS 1.2 or higher. HTTP requests are permanently redirected to HTTPS.
HSTS is enforced with a minimum one-year max-age to prevent downgrade attacks.
Authentication tokens and session cookies are set with HttpOnly, Secure, and SameSite=Strict.
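
The transport settings listed above can be checked from the outside by reading response headers. The following is an added example, not WebSentry's own code: it audits a list of header pairs against the stated policy (HSTS max-age of at least one year; cookies carrying HttpOnly, Secure and SameSite=Strict). The function names and the sample headers are constructed for illustration, and it assumes every Set-Cookie header seen is a session or authentication cookie.

```python
ONE_YEAR = 31536000  # seconds; the minimum HSTS max-age the policy states

def parse_hsts(value):
    """Return max-age (seconds) from a Strict-Transport-Security value, or None."""
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        if name.strip().lower() == "max-age":
            arg = arg.strip().strip('"')
            return int(arg) if arg.isdigit() else None
    return None

def cookie_findings(set_cookie):
    """Return (cookie name, list of policy attributes missing from it)."""
    parts = [p.strip() for p in set_cookie.split(";")]
    name = parts[0].partition("=")[0]
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip().lower()
    missing = []
    if "httponly" not in attrs:
        missing.append("HttpOnly")
    if "secure" not in attrs:
        missing.append("Secure")
    if attrs.get("samesite") != "strict":
        missing.append("SameSite=Strict")
    return name, missing

def audit(headers):
    """headers: list of (name, value) pairs as received over HTTPS."""
    findings = []
    hsts = [v for n, v in headers if n.lower() == "strict-transport-security"]
    if not hsts:
        findings.append("HSTS header missing")
    else:
        age = parse_hsts(hsts[0])  # RFC 6797: only the first header is processed
        if age is None or age < ONE_YEAR:
            findings.append(f"HSTS max-age too short: {age}")
    for n, v in headers:
        if n.lower() == "set-cookie":
            name, missing = cookie_findings(v)
            if missing:
                findings.append(f"cookie {name} lacks {', '.join(missing)}")
    return findings

# Constructed sample responses (not captured from any real site).
GOOD = [("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
        ("Set-Cookie", "session=abc123; Path=/; HttpOnly; Secure; SameSite=Strict")]
WEAK = [("strict-transport-security", "max-age=86400"),
        ("Set-Cookie", "session=abc123; Path=/; Secure; SameSite=Lax")]
```
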

Infrastructure

WebSentry runs on a globally distributed edge network with built-in DDoS mitigation and rate limiting. Requests are served from the region closest to the user.
Scan data is stored in a managed, redundant database. We do not operate our own physical servers — all infrastructure is hosted by enterprise-grade cloud providers.
All secrets (API keys, database credentials) are stored in encrypted secret stores, isolated from application code, and never exposed in logs or error output.

Scan Data & Privacy

When you scan a URL, WebSentry makes outbound HTTP requests to the target URL to read public response headers, TLS certificate details, and DNS records — the same information any browser would receive.
We never log, store, or read the content of pages we scan. We only inspect security-relevant metadata (headers, certificates, DNS).
Scan results for unauthenticated (free) scans are retained for 24 hours, then automatically deleted. Authenticated scan history is retained per your plan and can be deleted at any time from your dashboard.
We do not sell, rent, or share scan results or user data with third parties.

Authentication

Passwords are salted and hashed using a strong, slow hashing algorithm before storage. We never store plaintext passwords and cannot recover them.
Login endpoints are rate-limited and protected by Cloudflare Turnstile (CAPTCHA) to prevent brute-force attacks.
Account lockout triggers after repeated failed login attempts. Suspicious activity generates an alert to our team.

Responsible Disclosure

We welcome security researchers who responsibly disclose vulnerabilities in WebSentry. If you discover a security issue, please report it privately — do not post it publicly until we've had a chance to fix it.

Report a vulnerability

security@websentry.dev

We aim to acknowledge all reports within 48 hours and provide a fix or mitigation timeline within 14 days. We do not currently offer a bug bounty programme.

Contact

For non-vulnerability security questions — data requests, account security concerns, or compliance enquiries — reach us at our contact page or email hello@websentry.dev.

Last updated: April 2026