Protected sign-in
Email/password auth uses normalized identifiers, generic credential errors, throttled failures, signed HTTP-only session cookies, and server-verified Cloudflare Turnstile when production secrets are configured.
AI news radar for buildersSecurity posture
HypeDar is built with layered controls for accounts, Pro entitlements, checkout, provider webhooks, generated content, and browser-facing routes. This page is a public summary of the controls we actively maintain; it is not a guarantee that no vulnerability can exist.
Current assurance
We do not rely on UI state for paid access, billing status, or abuse protection. Sensitive provider credentials stay in private runtime configuration, payment card handling stays with the payment provider, and webhook events must verify before they can change entitlement state.
Email/password auth uses normalized identifiers, generic credential errors, throttled failures, signed HTTP-only session cookies, and server-verified Cloudflare Turnstile when production secrets are configured.
Paid surfaces check the current session and entitlement on the server. Client-supplied user IDs, email addresses, usage counters, and plan state are not trusted for privileged actions.
Checkout and customer-portal routes require authentication, same-origin mutation checks, HTTPS-only provider redirects, sanitized client responses, and explicit opt-in before using emergency live product fallbacks.
Creem webhooks require HMAC verification, event-id idempotency, database-bound writes, and a body-size limit before payload processing.
Premium generated HTML is treated as untrusted and sanitized at the API boundary before browser insertion. Public client rendering paths use escaping or textContent for user-visible data.
Responses include nosniff, frame denial, strict referrer policy, restrictive permissions policy, COOP, HSTS on HTTPS, and CSP report-only coverage for script/frame/connect sources.
No public website can honestly claim perfect security. HypeDar’s security posture is defense-in-depth: reduce realistic abuse, fail closed around payments, keep secrets out of the browser and repository, and verify sensitive state changes on the server.
If you find a vulnerability or account/billing issue, email support@hypedar.dev. Include the affected URL, steps to reproduce, and impact. Do not include secrets, personal data, or destructive payloads in the report.