Security
Last updated: May 26, 2026
How we protect your data
Encryption in transit
All traffic between your browser and Modwarden is encrypted via TLS. We enforce HTTPS on every endpoint and reject unencrypted connections.
Encryption at rest
Your data is stored in an encrypted PostgreSQL database and never stored in plaintext or committed to source control.
Authentication
Modwarden uses Google OAuth 2.0 for authentication, which doesn't require passwords. Each login creates a signed, server-side session record tied to your IP address and user-agent. Sessions can be reviewed and revoked from your account at any time.
Access control
Access to workspaces and projects is enforced through a role-based permission system. Workspace data is strictly tenant-isolated: no user can access another workspace's data. All authorization decisions are enforced server-side on every request.
How we scan
Modwarden performs external, non-intrusive scans only. We observe what your domain exposes publicly (HTTP headers, DNS records, TLS configuration, and publicly reachable files) without touching your infrastructure, injecting payloads, or requiring any credentials. We do not perform active exploitation of any kind.
Payment security
Payments are processed by Stripe. Modwarden never sees, receives, or stores card numbers or payment credentials. All billing data is handled directly by Stripe's PCI-compliant infrastructure.
Dependency scanning
We routinely audit our own dependencies for known CVEs and keep them up to date.
Reporting a vulnerability
If you discover a security vulnerability in Modwarden, please report it to us privately before disclosing it publicly. Email us at [email protected] with a description of the issue, steps to reproduce, and your assessment of the potential impact.
What to expect
- We will acknowledge your report within 2 business days.
- We will keep you informed as we investigate and work toward a fix.
- We ask that you give us a reasonable amount of time to resolve the issue before any public disclosure.
- We will not take legal action against researchers who follow this process in good faith.
Scope
Reports are welcome for modwarden.com and all subdomains. Please do not test against other users' accounts or data, perform denial-of-service attacks, or attempt to access data you are not authorized to view.
Contact
Questions about these terms? Email us at [email protected].