Security
Honest disclosure of how the service is built, what we control, and what we don't. No SOC 2 logo wall, no “bank-grade” marketing — just the actual posture.
Last reviewed: 9 May 2026 · This page is updated whenever the posture changes; the date above is the source of truth.
Domain ownership verification
Continuous monitoring requires proof you own the domain. Free one-shot checks don't.
Pointing a 5-minute-interval probe at someone else's site is — at best — surveillance, and at worst a reflective load-tool we'd be footing the bandwidth for. Before we activate continuous monitoring on the paid tier, we require proof that you own the domain. Three methods are accepted; pick the one that fits your hosting setup.
- DNS TXT record at `_web-down-verify.<your-domain>` — strongest signal, recommended for anyone with DNS panel access (Cloudflare, Route53, registrar panel).
- HTTPS file at `/.well-known/web-down-verification/<token>.txt` — for users who deploy code or have file-system access (Vercel, Netlify, Hostinger, AWS, your own VPS).
- HTML meta tag in `<head>` on your homepage — for no-code users (Webflow, Framer, Wix, Squarespace, WordPress.com).
Verified domains stay verified across monitor lifecycle — adding a second monitor under the same domain skips the flow. Weekly background re-checks confirm the verification record is still in place; if it's removed, monitors auto-pause after a 28-day grace period (with a 21-day warning email). Every verification attempt — success or failure — is logged for audit. Rate-limited at 10 attempts per domain per hour.
The free homepage one-shot check (web-down.com/check/) is unaffected — single fetch, IP-prefix rate-limited, doesn't activate continuous polling. Verification only applies to paid continuous monitors. Public infrastructure (github.com, vercel.com, openai.com, …) is excluded entirely from paid monitoring; those live on the free SEO surface.
See the full domain verification guide for the per-method instructions.
Authentication
Passwordless only. No password reset flows because there are no passwords.
- Magic link via email — links expire in 10 minutes and are single-use. Sent from `noreply@web-down.com` with SPF, DKIM, and DMARC aligned on the sending domain.
- GitHub OAuth and Google OAuth — minimum scopes (`read:user`, `user:email` for GitHub; `openid profile email` for Google).
- Account linking — magic link and OAuth on the same email auto-link to one account, so you can't accidentally end up with two duplicate accounts.
- Sessions — managed by Better Auth, stored as HTTP-only Secure SameSite=Lax cookies. No client-side token storage, so XSS can't steal a session.
- No password reuse risk — because we don't accept passwords. If your email or OAuth account is compromised, that's a problem upstream of us; we don't store credentials that could be re-played anywhere else.
Data handling
The minimum data possible, kept in Europe, deleted on a fixed schedule.
- No IP addresses logged. For free-tier rate limiting we salt-and-hash an IP-prefix with the current hour; the hash is one-way and discarded after 60 minutes. Nothing in our database can be reversed to identify a free-tier visitor.
- No tracker pixels. Our own self-hosted analytics (simple analytics) is the only analytics, opt-in via the GDPR cookie consent. No Google Analytics, no Facebook Pixel, no Hotjar, no LinkedIn Insight tag. Ever.
- Data location. Our database is self-hosted PostgreSQL on a Hostinger VPS in Belgium — your data lives on our own server in Europe and never leaves it. Polar.sh holds payment data (PCI scope, EU regulated). The Next.js app and monitoring workers run on the same Belgian VPS.
- Encryption in transit. TLS 1.2+ on every public hostname (web-down.com, admin.web-down.com), Let's Encrypt certs renewed automatically via Traefik. HSTS preloaded.
- Retention. Per-check history retained 30 days. Daily aggregate metrics retained indefinitely (small per-row footprint, useful for trend analysis). Account deletion fully purges monitors, results, incidents, AI reports, anomalies, and subscriptions — runs synchronously when you click “Delete account” in settings.
- No third-party data sale. We don't share, sell, or rent data to anyone. Subprocessors listed below are operationally necessary and named explicitly.
Subprocessors
Every third party we route data through, and what they touch.
| Provider | Purpose | Data exposed |
|---|---|---|
| Polar.sh | Subscription billing (merchant of record) | Account email, billing address, country, payment method (PCI scope) |
| Anthropic (Claude API) | AI anomaly explanations + weekly digest (Pro tier) | Anomaly metadata + monitor URL — no email or PII |
| Hostinger | VPS hosting (Next.js + monitoring worker) | All app traffic and runtime state |
Adding a subprocessor materially increases our data exposure, so we notify in the dashboard and via email at least 14 days before activation when one is added. You can cancel before the change takes effect.
Infrastructure & operations
What we run, who can touch it, what happens when something goes wrong.
- Reverse proxy. Traefik terminates TLS and routes to two Next.js + worker containers (web-down-app, web-down-monitoring-worker), no direct VPS port exposure besides 80/443.
- Admin surface isolation. `admin.web-down.com` is a separate subdomain. Middleware redirects every non-admin path on that host back to the main site, marks every admin response `X-Robots-Tag: noindex, nofollow`, and the admin pages themselves enforce a three-layer auth gate (env var allowlist + Better Auth session check + database query-level re-check).
- Single-operator access. One person (flndrn) holds production credentials. No shared admin accounts, no contractor logins, no support staff with database access. Reduces blast radius of any one credential compromise.
- Backups. The PostgreSQL database is self-hosted on the VPS and covered by daily Hostinger VPS snapshots. Restores are tested by spinning up a copy quarterly (next scheduled: Q3 2026).
- Dependency hygiene. `npm audit` + Renovate-style review on a 14-day cadence. We don't pin `@latest` on direct deps; lockfile is committed and reviewed on each change.
EU regulatory posture
GDPR, EU VAT directive, KYC for paid customers.
- GDPR. Operated under Belgian/EU jurisdiction. Lawful bases: contract (paid accounts), consent (analytics, marketing), legitimate interest (free-tier abuse prevention via rate-limited IP hashes). Data subject rights (access, rectification, erasure, portability, restriction) are honored — see Privacy Policy for the formal flow.
- EU VAT directive. Polar.sh handles the billing side as our merchant of record — VAT calculated and remitted per the customer's billing country, with a valid invoice issued for every charge.
- KYC for paid customers. Billing address, date of birth, and country of birth are collected on settings — required for EU customer-identification rules. Stored in the same database as account data, accessed only by the operator, never used for marketing.
- No US-style data export. Customer support, account data, and the monitoring database all stay in the EU — the database is self-hosted PostgreSQL on our Belgian VPS, not a US-hosted cloud service.
Vulnerability disclosure
If you've found a security issue, we want to hear about it.
- In scope: `web-down.com`, `admin.web-down.com`, the application backend, monitor worker, public APIs.
- Out of scope: third-party services we use (report directly to them), denial-of-service attacks, social engineering of the operator, physical attacks on data-center hardware.
- How to report: use the contact form with subject tag `#bug` and “security” in the message. We'll acknowledge within two business days, work with you on a fix, and credit you in the release notes if you'd like.
- Bounty program: we don't run a paid bounty program at this stage of the business — we're a single operator without budget for it. We'll send a sincere thank-you, public credit, and a free year of Pro for material findings. As revenue grows we'll formalize this with a real bounty schedule.
- Safe harbour. Good-faith security research that respects scope and doesn't access user data beyond what's needed to demonstrate the issue will not be pursued legally. If a finding requires touching user data, stop and ask first.
What's deliberately not here yet
We don't hold SOC 2 Type II, ISO 27001, or HIPAA certifications. The cost-to-value of those for a single-operator SaaS at our stage doesn't justify the audit fees, and we'd rather say so honestly than pay a consultancy to bolt on the appearance of compliance. If you operate in a regulated industry that requires those certifications, you should buy from someone who has them — and we won't be offended.
Questions or concerns about anything on this page? Get in touch.