Security & Trust

Built to be trusted with real data

Security is first-class here, not bolted on afterward. Every user-supplied URL is fetched behind an SSRF-safe pin-IP dialer, everything moves over TLS, access uses scoped API keys, and every webhook is HMAC-signed so you can verify it really came from us.

The pillars

Six things we never compromise

SSRF-safe fetching

Our pin-IP dialer resolves each host once and fails closed if any resolved address is loopback, RFC1918, link-local, ULA, unspecified, multicast, cloud-metadata, or CGNAT. It then dials the pinned IP literal, so DNS rebinding cannot swap it out from under us. The same safe fetch path is shared by every fetch: RSS, HTML diff, one-hop follow, and any user-supplied URL.
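The resolve-once, vet-every-address, dial-the-literal sequence described above, as an added Go sketch; it is not Hypeline's own code. The names `blocked`, `pin`, and `dialPinned` are hypothetical, and both pinning the first vetted address and the address list in `main` are assumptions made for the example.

```go
package main

import (
	"context"
	"fmt"
	"net"
	"net/netip"
)

var cgnat = netip.MustParsePrefix("100.64.0.0/10")    // CGNAT (RFC 6598); netip has no predicate for it
var metadata = netip.MustParseAddr("169.254.169.254") // IPv4 cloud-metadata address, kept explicit

// blocked reports whether a falls in any address class the page lists.
func blocked(a netip.Addr) bool {
	a = a.Unmap() // judge ::ffff:10.0.0.1 as 10.0.0.1; IsPrivate covers RFC1918 and ULA
	return !a.IsValid() || a.IsLoopback() || a.IsPrivate() || a.IsLinkLocalUnicast() ||
		a.IsMulticast() || a.IsUnspecified() || cgnat.Contains(a) || a == metadata
}

// pin fails closed: a single blocked answer rejects the whole host.
func pin(addrs []netip.Addr) (netip.Addr, error) {
	if len(addrs) == 0 {
		return netip.Addr{}, fmt.Errorf("no addresses")
	}
	for _, a := range addrs {
		if blocked(a) {
			return netip.Addr{}, fmt.Errorf("blocked address %s", a)
		}
	}
	return addrs[0].Unmap(), nil
}

// dialPinned resolves host exactly once, then dials the vetted IP literal,
// so a later DNS answer (rebinding) is never consulted.
func dialPinned(ctx context.Context, host, port string) (net.Conn, error) {
	addrs, err := net.DefaultResolver.LookupNetIP(ctx, "ip", host)
	if err != nil {
		return nil, err
	}
	ip, err := pin(addrs)
	if err != nil {
		return nil, err
	}
	return (&net.Dialer{}).DialContext(ctx, "tcp", net.JoinHostPort(ip.String(), port))
}

func main() { // constructed answer set: one public and one RFC1918 address
	_, err := pin([]netip.Addr{netip.MustParseAddr("93.184.216.34"), netip.MustParseAddr("10.0.0.5")})
	fmt.Println("mixed answer set:", err)
}
```

When a dialer like this sits under an HTTP client, the original hostname is still what TLS verification and the Host header use; only the TCP destination is the pinned literal.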

TLS everywhere

Every connection is encrypted in transit with automatically renewed TLS certificates. The service runs over HTTP/2, which means SSE streams are not capped by the browser's six-connections-per-domain limit.

Scoped API keys

Keys carry least-privilege scopes and can be rotated anytime. Every key has its own rate limits. Keys are hashed at rest and never logged in plaintext.

Signed webhooks

Each webhook carries an HMAC signature over the raw request body plus an event id header, so a receiver can verify a delivery genuinely came from Hypeline. Retries are bounded, so a bad endpoint never triggers an endless storm.

Hardened password auth

Human passwords are hashed with a memory-hard algorithm built for low-entropy secrets, not a fast general-purpose hash. Session, verification, and reset tokens are single-use opaque values, so a replayed token is simply rejected.

Responsible fetching

We respect robots.txt, apply per-host rate limits, and use conditional GET (304) to skip re-downloading unchanged pages. We back off adaptively, honor Crawl-delay and Retry-After, and identify ourselves with a polite user-agent.

For data-specific detail, see our GDPR posture.