Security
BugSnaps is designed around three constraints: capture happens only when the user triggers it, reports are private unless their owner explicitly shares them, and the extension asks for only the permissions capture needs.
Current Protections
Authentication is handled through Neon Auth, and password accounts are admitted only once they have been approved. Sessions are carried in HTTP-only cookies, which keeps the session secret out of reach of page scripts. Mutating dashboard API requests are accepted only when their same-origin headers match the dashboard's origin, which blocks cross-site request forgery, and they are throttled. Extension capture requests authenticate with bearer tokens scoped either to an owner or to a single project, so a project token cannot act outside its project. Public report links carry unguessable tokens and can be revoked at any time.
Production Requirements
Deploy over HTTPS only, so that session cookies and bearer tokens never cross the network in the clear. Configure Neon Auth. Set NEON_AUTH_COOKIE_SECRET and AUTH_SECRET to long random values from a cryptographic random source (32 bytes or more), keep them out of source control, and change them if they are ever exposed. Set DATABASE_URL. Store screenshots in a private Cloudflare R2 bucket, never a publicly readable one: screenshots routinely contain logged-in pages and personal data. Rotate leaked tokens immediately; a leaked bearer token can capture into the owner's or project's reports, and a leaked public link token exposes its report until the link is revoked.
Reporting Issues
Send security reports to support@bitforgellc.com.