Security

Security is fundamental to FixMyWeb. Here is how we protect your data and ensure safe scanning.

HTTPS & TLS Encryption

All data in transit is encrypted using TLS 1.3. We enforce HSTS with preload and automatic HTTPS redirection across all endpoints.

Data Protection

Scanned URLs and accessibility reports are processed in real time. Free scans are not stored. Pro accounts can opt in to scan history with data retention policies.

SSRF Prevention

Our scanner validates all target URLs before processing. Internal network addresses, localhost, and private IP ranges are blocked to prevent Server-Side Request Forgery.
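A check of the kind described above, as an added example (not FixMyWeb's own code). The names `validate_target`, `is_public` and the injectable `resolver` parameter are assumptions, and it goes slightly beyond the text by also rejecting link-local, multicast and IPv4-mapped IPv6 addresses and any DNS answer that mixes public and internal records.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}

def resolve_all(host):
    """Default resolver: every A/AAAA address the system returns for host."""
    infos = socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})

def is_public(addr):
    """True only for globally routable, non-multicast addresses."""
    ip = ipaddress.ip_address(addr.split("%", 1)[0])  # drop IPv6 zone id
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped  # ::ffff:127.0.0.1 is judged as 127.0.0.1
    return ip.is_global and not ip.is_multicast

def validate_target(url, resolver=resolve_all):
    """Return (ok, reason, addrs); addrs are the vetted IPs to connect to."""
    try:
        parts = urlsplit(url)
    except ValueError:
        return False, "malformed URL", []
    if parts.scheme not in ALLOWED_SCHEMES:
        return False, "scheme not allowed", []
    host = parts.hostname
    if not host or parts.username or parts.password:
        return False, "missing host or embedded credentials", []
    try:
        # An IP literal (including [::1]) is checked directly, without DNS.
        addrs = [str(ipaddress.ip_address(host))]
    except ValueError:
        try:
            addrs = resolver(host)
        except OSError:
            return False, "resolution failed", []
    if not addrs:
        return False, "no addresses", []
    # Reject if ANY record is internal: a mixed answer must not pass.
    bad = [a for a in addrs if not is_public(a)]
    if bad:
        return False, "non-public address: " + bad[0], []
    return True, "ok", addrs

if __name__ == "__main__":
    dns = {"example.test": ["93.184.216.34"], "intra.test": ["10.0.0.5"]}  # constructed
    for u in ("https://example.test/", "http://intra.test/", "http://[::1]/"):
        print(u, validate_target(u, resolver=lambda h: dns.get(h, [])))
```

The fetch should connect to the returned addresses rather than resolving the hostname a second time, and every redirect target needs the same validation before it is followed.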

Rate Limiting & DDoS Protection

API and scan requests are rate-limited per IP and per account. Free tier: 5 scans/day. Vercel Edge provides automatic DDoS mitigation.

GDPR Compliance

FixMyWeb is fully GDPR-compliant. We provide data export, deletion on request, and transparent data processing policies. We do not sell or share user data.

Security Headers

Strict Content-Security-Policy, X-Content-Type-Options, X-Frame-Options, Referrer-Policy, and Permissions-Policy headers are set on all responses.

Authentication

User accounts use bcrypt-hashed passwords and secure session tokens. API keys are randomly generated and can be revoked at any time from the dashboard.

Infrastructure

Hosted on Vercel's edge network with global distribution, automatic failover, and SOC 2 Type II compliance. Monitored 24/7.

Report a Vulnerability

If you discover a security vulnerability, please report it via security@fixmyweb.dev. We respond to all reports within 48 hours.