Security
Updated 2026-05-08
Redline is built and operated by a small team. The security model is intentionally simple — fewer moving parts means less to get wrong. This page is the inventory.
Reporting a vulnerability
Email security@theredline.app before disclosing publicly. We acknowledge within 48 hours on weekdays. The same contact is published at /.well-known/security.txt per RFC 9116.
Hosting + storage
- Server: a single Hetzner box (Falkenstein, Germany), Docker behind Traefik with automatic Let’s Encrypt TLS via DNS-01.
- Database: Postgres 16 in the same Docker network, backed by a persistent Hetzner volume. Encrypted at rest by Hetzner’s underlying storage.
- Snapshots + uploads: stored on a persistent Docker volume on the same box. Static-HTML zips are extracted with path-traversal + zip-bomb guards.
- Backups: nightly volume snapshots; off-host copy weekly.
Auth + sessions
- Magic-link only via better-auth. No stored passwords. Sign-in tokens are single-use and expire in 15 minutes.
- Session cookies: signed with a server-side secret, set Secure + HttpOnly + SameSite=Lax. Cross-subdomain cookies for studio surfaces.
- Session list: every signed-in user can review + revoke their own sessions from /settings.
- 2FA / passkeys are on the roadmap pending better-auth fork support.
What we send + to whom
- Resend — outbound transactional email (magic links, redline-arrived, bug-changed). Subject + body content only.
- Anthropic — only when you click ✦ Digest; one inference call per generation, comments + reviewable name only. We do not stream snapshot bytes.
- Slack — when you wire a webhook on /settings; per-action notifications. Webhook URLs are validated against hooks.slack.com at write time.
- Swipe — payment processing for paid plans. We never see card or wallet details; only a transaction reference.
Application controls
- Tenant isolation: every studio surface enforces requireStudioMember() with a row-level membership check. Cross-studio data access is impossible by construction (queries always scope by studio_id).
- Public surfaces (/r/<token>, /b/<token>, /p/<token>) gate by a 132-bit random share-link token; the token never appears in any default email or page that’s indexable.
- Audit log: every mutation is recorded with actor, action, target, and timestamp. Owner can export their studio’s log as JSON.
- CSV exports: cell content is escaped with the leading-quote rule per OWASP CSV-injection guidance; uploaded zips are capped at 5,000 files + the studio’s tier byte cap.
- Rate limiting: comment intake and public bug intake are IP-throttled to prevent fanout abuse.
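As an added illustration of the CSV export rule above (example code written for this page, not Redline's own; `escapeCsvCell` and `toCsvRow` are hypothetical names), this applies the OWASP CSV-injection leading-quote rule before ordinary RFC 4180 quoting:

```typescript
// Characters that make a spreadsheet evaluate a cell as a formula
// (per the OWASP CSV Injection guidance): =, +, -, @, tab, carriage return.
const FORMULA_TRIGGERS = new Set(["=", "+", "-", "@", "\t", "\r"]);

function escapeCsvCell(value: string): string {
  let cell = value;
  // Leading-quote rule: a cell that would otherwise be parsed as a formula
  // gets a single quote prefixed so the spreadsheet treats it as text.
  // Trade-off: legitimate negative numbers ("-1") are prefixed too.
  if (cell.length > 0 && FORMULA_TRIGGERS.has(cell[0])) {
    cell = "'" + cell;
  }
  // Standard CSV quoting: double embedded quotes and wrap the cell when it
  // contains a separator, a quote, a line break, or surrounding whitespace.
  if (/[",\r\n]/.test(cell) || cell !== cell.trim()) {
    cell = '"' + cell.replace(/"/g, '""') + '"';
  }
  return cell;
}

function toCsvRow(cells: string[]): string {
  return cells.map(escapeCsvCell).join(",");
}

// Constructed sample: a comment body an attacker-controlled user might submit.
const sampleRow = toCsvRow(["bug-17", "=HYPERLINK(\"http://example.invalid\")", "open"]);
```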
Reporting our claims, not yours
We’re not SOC 2-audited yet. Everything above is true and verifiable; if you need a formal Data Processing Addendum, see /dpa. For everything else, the privacy policy at /privacy is authoritative.