[INFRASTRUCTURE]

Security

Archway is built with security-first principles. Your architecture diagrams contain sensitive infrastructure details — we treat them accordingly.

01

ENCRYPTION

IN_TRANSIT: TLS 1.3 on all connections
AT_REST: AES-256 encryption on MongoDB Atlas
TOKENS: JWT with RS256 signing
SECRETS: Environment-scoped, never logged
02

AUTHENTICATION

We support OAuth 2.0 via GitHub and Google. Password-based auth uses bcrypt with a cost factor of 12. Sessions are managed via Secure, HttpOnly cookies with CSRF protection.

03

APPLICATION_SECURITY

  • Input validation and sanitization on all API endpoints
  • Rate limiting via Upstash Redis (100 req/min per user)
  • CORS restricted to verified origins
  • Content Security Policy headers
  • Automated dependency vulnerability scanning
  • Diagram content is escaped during server-side rendering to prevent XSS
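The per-user limit above is the kind of control that is easy to state and easy to get subtly wrong (shared counters, no Retry-After, windows that never reset). The following is an added example, not Archway's code: a fixed-window limiter at 100 requests per minute per user, written in the INCR-plus-EXPIRE shape a Redis implementation would use. An in-memory Map stands in for Upstash Redis so it runs offline, the clock is injected so the behaviour is deterministic, and the request objects are constructed.

```javascript
const LIMIT = 100;          // requests per window, as stated on the page
const WINDOW_MS = 60_000;   // one minute

// In-memory stand-in for Redis: incr() behaves like INCR plus EXPIRE on the
// first hit in a window. A real client would replace this class; the limiter
// logic below does not change.
class MemoryStore {
  constructor() { this.entries = new Map(); }
  incr(key, expiresAt, now) {
    const e = this.entries.get(key);
    if (!e || e.expiresAt <= now) {
      this.entries.set(key, { count: 1, expiresAt });
      return 1;
    }
    e.count += 1;
    return e.count;
  }
}

// Returns check(userId, now) -> decision. The key embeds the window start, so
// each minute gets a fresh counter and stale keys simply expire.
function makeLimiter(store, { limit = LIMIT, windowMs = WINDOW_MS } = {}) {
  return function check(userId, now = Date.now()) {
    const windowStart = Math.floor(now / windowMs) * windowMs;
    const resetAt = windowStart + windowMs;
    const count = store.incr(`rl:${userId}:${windowStart}`, resetAt, now);
    const allowed = count <= limit;
    return {
      allowed,
      limit,
      remaining: Math.max(0, limit - count),
      retryAfterMs: allowed ? 0 : resetAt - now,
      resetAt,
    };
  };
}

// Minimal handler shim: an over-budget request gets 429 with Retry-After and
// never reaches the application code.
function handleRequest(check, req, now = Date.now()) {
  const d = check(req.userId, now);
  const headers = {
    "X-RateLimit-Limit": String(d.limit),
    "X-RateLimit-Remaining": String(d.remaining),
    "X-RateLimit-Reset": String(Math.floor(d.resetAt / 1000)),
  };
  if (!d.allowed) {
    headers["Retry-After"] = String(Math.ceil(d.retryAfterMs / 1000));
    return { status: 429, headers };
  }
  return { status: 200, headers, body: `diagram ${req.diagramId}` };
}
```

Two points this makes concrete: the counter is keyed by user, so one noisy client cannot exhaust another's budget, and the 429 carries a Retry-After computed from the window boundary rather than a fixed guess.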
04

INFRASTRUCTURE

Archway runs on Vercel's edge network with automatic DDoS protection. The database is hosted on MongoDB Atlas with network isolation and IP allowlisting. All infrastructure components are deployed in SOC 2 Type II compliant environments.

05

DATA_ISOLATION

Each user's diagrams are isolated at the database level with ownership-based access controls. Team/shared access uses role-based permissions (owner, admin, editor, viewer). Share links use cryptographically random tokens with configurable access levels.

06

INCIDENT_RESPONSE

We maintain an incident response plan for security events. Critical vulnerabilities are patched within 24 hours. Affected users are notified of any personal data breach within 72 hours, which also satisfies the GDPR Article 33 window for notifying the supervisory authority.

07

RESPONSIBLE_DISCLOSURE

If you discover a security vulnerability, please report it to security@archdiagram.dev. We appreciate responsible disclosure and will acknowledge your report within 48 hours.