Public HTTPS only
Every hostname and redirect is resolved over IPv4 and IPv6. Local, private, reserved, link-local, multicast, and documentation networks are rejected before fetching.
Trust boundaries
CodeRocket accepts arbitrary public site URLs and stores client audit history, so network boundaries and tenant isolation are part of the product—not deployment afterthoughts.
Every hostname and redirect is resolved over IPv4 and IPv6. Local, private, reserved, link-local, multicast, and documentation networks are rejected before fetching.
Supabase RLS scopes user-facing CodeRocket rows to auth.uid(). Internal queue, Stripe event, migration, and heartbeat tables are not exposed to browser roles.
Project tokens and private report tokens are generated from cryptographic randomness. The plaintext is returned once; only a SHA-256 hash remains in the database.
Stripe signatures are verified against the raw payload. Processed event IDs are recorded so webhook retries cannot apply subscription state twice.
Data lifecycle
A worker periodically removes audits older than the owner plan allows: 30 days for Free, 90 days for Personal, and 365 days for Agency. CodeRocket migrations are restricted to the isolated cr_* database namespace and never read or modify tables from the previous product.