Security

How Dev Platform protects your account, your data, and your environments — and how to report a vulnerability.

Honest disclosure

Dev Platform is a home-hosted hobby project built by a single student developer. No formal security audit or penetration test has been performed. The measures below are implemented in good faith, but this service is not suitable for sensitive or production workloads.

Security measures in place

Password hashing

All passwords are hashed with scrypt before storage. Plain-text passwords are never stored or logged.

httpOnly session cookies

Session tokens are stored in httpOnly, SameSite=Strict cookies — not accessible to JavaScript running on the page.

Network isolation

Each environment runs in its own isolated container. Environments are not publicly reachable by default; access requires explicit credentials.

No third-party analytics

No external tracking scripts, analytics SDKs, or ad networks are loaded. Your usage data stays on our server.

Authentication-gated console

All console routes are protected by server-side authentication middleware. Unauthenticated requests are redirected to login.

User-scoped data

Every API endpoint validates the session and scopes reads/writes strictly to the authenticated user. You cannot access another user's environments.

What we do NOT provide

  • TLS termination at the container level (connection strings use the host's TLS).
  • Formal SLA or uptime guarantee — this is home-hosted.
  • Audit logs for compliance frameworks (SOC 2, ISO 27001, HIPAA, etc.).
  • End-to-end encryption of environment data at rest.

If any of these are requirements for your use case, Dev Platform is not the right tool.

Responsible disclosure

If you discover a security vulnerability in Dev Platform, please report it privately before making it public. Responsible disclosure gives us a chance to fix the issue without putting other users at risk.

How to report:

  • Email security@devplat.ch with a description of the issue.
  • Include steps to reproduce, affected endpoint or feature, and potential impact.
  • You will receive an acknowledgment within 72 hours.

We will not take legal action against researchers acting in good faith under this policy. We ask that you:

  • Do not access or modify data that does not belong to your test account.
  • Do not perform denial-of-service attacks.
  • Give us a reasonable timeframe (14 days) to address the issue before disclosing publicly.

Bug bounty

There is no formal bug bounty program. However, significant vulnerabilities that are responsibly disclosed will be acknowledged publicly (with your permission) and may receive a courtesy extension or credit on the service.

Keeping your account secure

  • Use a strong, unique password. A password manager is recommended.
  • Do not share your account credentials with others.
  • Log out of the console when using a shared or public computer.
  • Report suspicious activity immediately to security@devplat.ch.

Contact

Security issues: security@devplat.ch

General support: support@devplat.ch