Security at Rebirth API

All API traffic is served over TLS 1.2+ (HTTPS). Plaintext HTTP connections are automatically redirected. Certificate management is handled by our edge provider.

Database storage is encrypted at rest using AES-256. Backups are encrypted with the same standard.

User passwords are hashed with bcrypt (cost factor 10) and salted. We never store or log plaintext passwords.

API keys are generated with 32 characters of cryptographic randomness (nanoid). Keys are transmitted only at creation time — dashboard views show only the last 8 characters.

All endpoints enforce IP-based and per-key rate limits. Authentication endpoints have stricter limits (15 attempts per 15 minutes) to prevent brute-force attacks.

All API inputs are validated and sanitized server-side. We use parameterized queries (Prisma ORM) to prevent SQL injection.

Hosted on Vercel's edge network with automatic DDoS protection, WAF rules, and global CDN. Database hosted on managed PostgreSQL with automatic failover.

Principle of least privilege across all infrastructure. Production environment variables are encrypted and accessible only to the deployment pipeline.

Dependencies are regularly audited for known vulnerabilities. We use lockfiles to ensure reproducible, verified builds.

API requests are logged with endpoint, status code, and latency for anomaly detection. We do not log request or response bodies. Real-time monitoring alerts the team to errors and unusual traffic patterns.