Security
Security is a first-class concern at RiskMail. This page describes our practices for protecting your data and the integrity of the API.
Infrastructure
- All API traffic is served over TLS 1.2+. HTTP connections are redirected to HTTPS.
- Servers are hosted on Hetzner Cloud (EU) and Fly.io with private networking between services.
- Database backups are encrypted at rest and stored in a separate region.
- Secrets (database credentials, Stripe keys, SMTP passwords) are injected as environment variables and never committed to version control.
API Keys
- API keys are stored as bcrypt hashes in the database — we cannot retrieve your key after creation, which is why we ask you to copy it immediately.
- Keys can be scoped to specific CIDR blocks for additional restriction.
- Unused keys can be disabled or deleted at any time from the dashboard.
- Failed authentication attempts are rate-limited and logged.
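One way to implement the CIDR scoping of API keys listed above, written here as an added Go example that is not RiskMail's own code. It assumes the client address comes from http.Request.RemoteAddr (so it may carry a port), and the prefixes and addresses are constructed sample values.

```go
package main

import (
	"fmt"
	"net/netip"
)

// ParseScope validates the CIDR blocks an API key is restricted to up front,
// so a malformed entry is rejected at configuration time, not ignored per request.
func ParseScope(cidrs []string) ([]netip.Prefix, error) {
	var scope []netip.Prefix
	for _, c := range cidrs {
		p, err := netip.ParsePrefix(c)
		if err != nil {
			return nil, fmt.Errorf("bad CIDR %q: %w", c, err)
		}
		scope = append(scope, p.Masked())
	}
	return scope, nil
}

// Permits reports whether a request from remoteAddr may use a key with this
// scope (empty = unrestricted). It accepts "host:port" (http.Request.RemoteAddr
// form) or a bare address, unmaps IPv4-mapped IPv6 (::ffff:a.b.c.d) so an IPv4
// block still covers it, and fails closed: an unparseable address is denied.
func Permits(scope []netip.Prefix, remoteAddr string) bool {
	ip, err := netip.ParseAddr(remoteAddr)
	if ap, err2 := netip.ParseAddrPort(remoteAddr); err2 == nil {
		ip, err = ap.Addr(), nil
	}
	if err != nil {
		return false
	}
	ip = ip.Unmap()
	if len(scope) == 0 {
		return true
	}
	for _, p := range scope {
		if p.Contains(ip) { // never matches across address families
			return true
		}
	}
	return false
}
func main() {
	scope, _ := ParseScope([]string{"203.0.113.0/24", "2001:db8::/32"}) // constructed sample blocks
	for _, a := range []string{"203.0.113.7:51234", "::ffff:203.0.113.7", "198.51.100.9", "x"} {
		fmt.Printf("%-20s permitted=%v\n", a, Permits(scope, a))
	}
}
```

Behind a reverse proxy, RemoteAddr is the proxy's address, so the check must be fed the client address the proxy reports in a header you trust.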
Authentication
- Dashboard passwords are stored as bcrypt hashes with a cost factor of 12.
- Session tokens are stored server-side and expire after 7 days of inactivity.
- Password reset tokens are single-use and expire after 1 hour.
- Email verification is required before API access is granted.
Data Handling
- API request logs (domain, timestamp, key ID, response code) are retained for 90 days.
- We do not log full email addresses in persistent storage — only the domain part for risk analysis.
- Submitted data is never used to train models from which it could be exfiltrated via API responses.
Application Security
- All HTML output is auto-escaped by Go's html/template package (XSS protection).
- SQL queries use parameterised statements (no string concatenation).
- CSRF protection is enforced on all state-changing POST endpoints.
- Content-Security-Policy, X-Frame-Options, and other security headers are set on all responses.
- Dependencies are reviewed and updated regularly; we track CVEs via automated tooling.
Responsible Disclosure
If you discover a security vulnerability in RiskMail, please report it to [email protected]. We ask that you:
- Give us reasonable time (typically 90 days) to address the issue before public disclosure
- Not access or modify data belonging to other users
- Not perform denial-of-service testing against production systems
We will acknowledge your report within 2 business days and work with you to understand and resolve the issue. We currently do not offer a formal bug bounty program but we deeply appreciate responsible disclosure.
Contact
Security concerns: [email protected]