Security
Headless Commerce is built with security at every layer. We follow industry best practices and comply with OWASP Top 10, NIST, and SOC 2 standards.
Infrastructure
HTTPS Everywhere
All API traffic is encrypted with TLS 1.3. HSTS is enforced with preload, ensuring browsers never connect over plain HTTP.
Data Isolation
Every organization’s data is strictly isolated at the application layer. All database queries are scoped to your store — no cross-tenant access is possible.
Managed Database
Neon PostgreSQL with automated backups, point-in-time recovery, and encryption at rest.
Edge Network
Cloudflare-proxied endpoints with DDoS protection, WAF, and global edge caching for static assets.
Authentication & Authorization
API Key Security
- Hashed storage — API keys are hashed before storage. We never store plaintext keys.
- Key prefixes — `sk_` (secret) and `pk_` (publishable) prefixes make it easy to identify key types and prevent accidental exposure.
- Key rotation — Rotate keys instantly from the Dashboard. Old keys are invalidated immediately.
- Scoped permissions — OAuth tokens support 14 granular scopes (`products:read`, `orders:write`, etc.) following the principle of least privilege.
Multi-Factor Authentication
Dashboard accounts support TOTP-based two-factor authentication with backup codes for account recovery.
Role-Based Access Control
Team members are assigned roles (admin or member) with appropriate permission boundaries. All actions are scoped to the user’s organization and store.
API Protection
Rate Limiting
Every API endpoint is rate-limited to prevent abuse:

| Plan | Limit |
|---|---|
| Free | 100 req/min |
| Starter | 500 req/min |
| Pro | 2,000 req/min |
| Enterprise | Custom |
Rate-limit status is returned to clients in `X-RateLimit-*` headers.
Brute Force Protection
Authentication endpoints have additional protection:
- Login attempts are limited per IP and per email address
- Exponential backoff on repeated failures
- Account lockout after excessive failed attempts
Input Validation
All request bodies are validated with strict schemas. The API rejects:
- SQL injection patterns
- XSS payloads
- Path traversal attempts
- Oversized payloads
Application Security
Security Headers
Every API response includes:
CSRF Protection
State-changing operations (POST, PUT, PATCH, DELETE) are protected with a double-submit CSRF token pattern. API key-authenticated requests bypass CSRF since they are not vulnerable to cross-site attacks.
SSRF Prevention
Webhook URLs and image URLs are validated to prevent Server-Side Request Forgery:
- Private network ranges (RFC 1918) are blocked
- Cloud metadata endpoints are blocked
- Only HTTPS URLs are accepted for webhooks
Cookie Security
Dashboard session cookies are configured with:
- `HttpOnly` — not accessible via JavaScript
- `Secure` — HTTPS only
- `SameSite=Strict` — prevents cross-site request attacks
- Cryptographic signing to prevent tampering
Monitoring & Audit
Audit Logging
Security-relevant events are logged with risk scoring:
- Authentication events (login, logout, MFA, failed attempts)
- Authorization violations
- API key creation, rotation, and deletion
- Rate limit violations and brute force attempts
Error Handling
Production error responses never expose internal details:
- No stack traces
- No database error messages
- No internal file paths
- Generic error messages with structured error codes
Dependency Management
- Regular dependency audits (`npm audit`)
- Automated vulnerability scanning in CI/CD
- No known vulnerabilities in production dependencies
Reporting Vulnerabilities
If you discover a security vulnerability, please report it responsibly:
- Email: security@headlesscommerce.io
- Please do not open a public GitHub issue for security vulnerabilities
- We aim to acknowledge reports within 24 hours and provide a fix within 72 hours
We appreciate responsible disclosure and will credit reporters (with permission) in our security advisories.