Trust and security

Specific boundaries, explained without security theater

ThrottleProxy combines tenant-scoped authorization, token-safe collaboration, destination controls, credential separation, bounded resources, and privacy-aware evidence. This page describes implemented controls—not a compliance certification.

  • Server-enforced roles
  • Private targets blocked
  • Raw invite tokens not stored
  • Reviewed billing activation

Implemented controls

Trust comes from knowing where access stops

These controls reduce common proxy and multi-tenant risks. They do not replace your own application security, provider account controls, incident response, or independent compliance review.

Workspace-scoped access

Authenticated requests resolve an active membership and named server-side permission. Customer resource reads and mutations remain scoped to that authorized workspace.

  • Suspended and non-member access fails closed
  • Cross-workspace resource identifiers do not grant access
  • Platform administration is separate from workspace roles

Invitation token safety

Invitation tokens are single-use, expiring, verified-email bound, and represented in storage only by a SHA-256 hash.

  • Raw token appears only in the immediate no-store handoff
  • Lists and activity never return token hashes
  • Reissue invalidates the previous link

Exact API-key lookup

Presented workspace keys are hashed and resolved through one exact Redis key rather than scanning cached configuration.

  • No Redis KEYS or SCAN authentication path
  • No database fallback for random invalid tokens
  • Deactivation removes the exact cached entry

Destination and SSRF controls

Targets are restricted to approved hostname patterns, safe protocols and ports, and public DNS answers before an outbound connection is made.

  • Local, private, metadata, reserved, and self targets blocked
  • Validated address pinned while TLS uses the intended hostname
  • One-level wildcards remain explicit and narrow
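The checks listed above, as an added Python illustration that is not ThrottleProxy's own code: an allowlist with one-level wildcards, scheme and port restrictions, DNS answers that must all be public (including IPv4-mapped IPv6 forms), and the validated address returned so the caller can connect to it while TLS still verifies the intended hostname. The allowlist entries and the DNS table are constructed for the example.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed allowlist in the one-level-wildcard style (hypothetical names).
ALLOWED_HOST_PATTERNS = ["api.example.com", "*.partner.example"]
DEFAULT_PORTS = {"http": 80, "https": 443}
ALLOWED_PORTS = {80, 443, 8443}

# Constructed stand-in for DNS so the example runs offline; a real resolver goes here.
FAKE_DNS = {
    "api.example.com": ["93.184.216.34"],
    "eu.partner.example": ["93.184.216.35"],
    "rebind.partner.example": ["93.184.216.36", "169.254.169.254"],  # mixed answer set
    "v6.partner.example": ["::ffff:10.0.0.1"],                      # mapped private address
}

def host_matches(host, pattern):
    """Exact match, or '*.' covering exactly one extra label (no multi-level or bare-suffix match)."""
    if pattern.startswith("*."):
        suffix = pattern[1:]
        label = host[: -len(suffix)] if host.endswith(suffix) else ""
        return label != "" and "." not in label
    return host == pattern

def is_public(ip):
    """Reject loopback, RFC 1918, link-local (169.254.0.0/16 metadata), reserved, multicast, unspecified."""
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped  # ::ffff:a.b.c.d is judged as the IPv4 address it carries
    return not (ip.is_private or ip.is_loopback or ip.is_link_local
                or ip.is_reserved or ip.is_multicast or ip.is_unspecified)

def validate_destination(url, resolve=lambda h: FAKE_DNS.get(h, [])):
    """Return (pinned_ip, port, hostname) for an approved target, else raise ValueError."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in DEFAULT_PORTS:
        raise ValueError(f"scheme not allowed: {scheme}")
    host = (parts.hostname or "").lower()
    if not any(host_matches(host, p) for p in ALLOWED_HOST_PATTERNS):
        raise ValueError(f"host not in allowlist: {host!r}")  # literal IPs also fail here
    port = parts.port or DEFAULT_PORTS[scheme]
    if port not in ALLOWED_PORTS:
        raise ValueError(f"port not allowed: {port}")
    answers = [ipaddress.ip_address(a) for a in resolve(host)]
    bad = [str(a) for a in answers if not is_public(a)]
    if not answers or bad:  # every answer must be public, or a mixed record set reaches an internal address
        raise ValueError(f"rejected DNS answers for {host}: {bad}")
    # Connect to the pinned address; set SNI and Host to `host` so TLS verifies the intended name.
    return str(answers[0]), port, host
```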

Credential separation

ThrottleProxy authentication credentials, cookies, forwarding credentials, custom proxy headers, and hop-by-hop headers are stripped before upstream forwarding.

  • Inbound Host is replaced with the intended upstream host
  • TLS verification remains enabled
  • Upstream credential storage is not connected

Privacy-safe activity

Workspace activity and operational lifecycle evidence retain bounded, useful context while excluding credentials and raw invitation material.

  • Audit metadata is allowlisted and tenant-scoped
  • Lifecycle events redact headers, query values, email, and raw errors
  • Raw request and response bodies are not captured by default for diagnostics

Bounded resource use

Request bodies, response streams, concurrency, queue admission, idle time, and absolute duration have explicit limits and cleanup paths.

  • Atomic Redis admission for shared counters
  • Per-key, workspace, target, and global boundaries where applicable
  • Oversized or overdue traffic aborts with safe errors

Reviewed financial boundary

Growth and Scale checkout uses signature-verified Stripe webhooks and reviewed entitlement mapping. Starter and Enterprise remain assisted, and automated usage billing remains disabled.

  • No automatic charge or downgrade
  • Published prices guide plan activation
  • Invitation email delivery also remains manual

Honest launch boundary

Several workflows are intentionally manual or preview-only.

Invitation delivery uses a transient manual link. Billing uses manual plan review. Customer request timelines and provider setup remain labeled previews. Global diagnostics stay behind platform-admin and internal-service authorization.