Company
Security
SessionShot handles logged-in sessions and renders private pages, so the platform is designed defense-in-depth: every layer assumes the one before it can fail.
Platform controls
What is built into the capture pipeline today.
Hashed API keys
Only a SHA-256 hash of each key is stored. The full secret exists once, in the creation reveal — it cannot be read back, by anyone.
Domain allowlists
Every capture request is checked against your workspace allowlist before it runs, so a leaked key cannot capture arbitrary sites.
Target URL screening
Target URLs must be HTTPS and are screened server-side against internal and unsafe destinations before a browser ever navigates.
Encrypted capture payloads
Session state in a capture request is handed to the worker over an encrypted, read-once channel and is never displayed in the dashboard.
Private storage
Results are written to private buckets. Nothing is publicly listable or directly addressable.
Short-lived signed URLs
Access to results is only through signed links minted server-side, valid for minutes, re-issuable on demand.
Selector-based redaction
Sensitive elements can be masked in the browser before the output is rendered, so the pixels never exist in the capture.
Worker separation
The browser worker runs as a separate service from the API and dashboard, with its own credentials and no public surface.
Operations
Production secrets (database credentials, service keys, encryption keys) live in the hosting providers' encrypted configuration, are never sent to the browser, and are scoped per service — the dashboard, API, and worker each get only what they need.
What we ask of you
The platform enforces its side; these habits close the rest.
- Store API keys server-side only — environment variables or a secrets manager, never frontend code.
- Never place secrets in URL query strings; use the request auth fields for session state.
- Add only domains you actually capture, and disable ones you stop using.
- Rotate keys immediately if one may have been exposed: revoke in the dashboard, create a new one.
- Treat live signed result URLs as sensitive while they are valid.
Certifications and audits
No certifications are claimed
Related
Found a vulnerability? Please report it responsibly through the contact channel on your private-beta invitation, and see the terms for acceptable-use boundaries.