Infrastructure security
Cloud hosting
DomainGuard runs on Railway's managed cloud infrastructure with automatic security patching, DDoS protection, and 99.9% uptime SLA.
Encrypted in transit
All data between the browser extension, admin console and API is encrypted using TLS 1.2 or higher. HTTP connections are automatically redirected to HTTPS.
Cloudflare protection
All traffic passes through Cloudflare's global network providing DDoS mitigation, WAF protection, and bot filtering before reaching our servers.
Database security
The PostgreSQL database uses encrypted connections, prepared statements to prevent SQL injection, and automatic backups with point-in-time recovery.
Authentication security
- Passwords stored using bcrypt with cost factor 12 — never stored in plaintext
- API tokens stored as SHA-256 hashes — plaintext shown only once at creation
- Short-lived JWT tokens with 1-hour expiry for extension authentication
- 8-hour admin session JWTs with automatic expiry
- Azure AD / Microsoft SSO support — delegate authentication to your identity provider
- Rate limiting on all authentication endpoints — 20 requests per 15 minutes
- Token revocation — API tokens can be revoked instantly from the admin console
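As an added illustration of the token handling described above (SHA-256 hash-only storage, plaintext shown once at creation, instant revocation from the admin console), not DomainGuard's own code: the token format, the `TokenStore` class and its in-memory dictionary are assumptions standing in for the real database table.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional

TOKEN_PREFIX = "dg"  # constructed prefix; not DomainGuard's real token format


@dataclass
class TokenRecord:
    token_id: str      # public identifier, safe to display in the admin console
    secret_hash: str   # SHA-256 of the secret half; the plaintext is never stored
    org_id: str        # organisation the token is bound to
    revoked: bool = False


class TokenStore:
    """In-memory stand-in for the database table that holds API tokens."""

    def __init__(self) -> None:
        self._by_id: dict = {}

    def create(self, org_id: str) -> str:
        """Mint a token for org_id and return the plaintext exactly once."""
        token_id = secrets.token_hex(8)          # hex only, so it never contains "_"
        secret = secrets.token_urlsafe(32)       # 256 bits of randomness
        secret_hash = hashlib.sha256(secret.encode()).hexdigest()
        self._by_id[token_id] = TokenRecord(token_id, secret_hash, org_id)
        return f"{TOKEN_PREFIX}_{token_id}_{secret}"  # caller shows this once

    def authenticate(self, presented: str) -> Optional[str]:
        """Return the bound org_id for a valid, unrevoked token, else None."""
        parts = presented.split("_", 2)          # maxsplit keeps "_" inside the secret intact
        if len(parts) != 3 or parts[0] != TOKEN_PREFIX:
            return None
        record = self._by_id.get(parts[1])
        if record is None or record.revoked:
            return None
        candidate = hashlib.sha256(parts[2].encode()).hexdigest()
        # Constant-time comparison: do not leak how many leading bytes matched.
        if not hmac.compare_digest(candidate, record.secret_hash):
            return None
        return record.org_id

    def revoke(self, token_id: str) -> bool:
        """Revoke by public id only; the plaintext is never needed again."""
        record = self._by_id.get(token_id)
        if record is None:
            return False
        record.revoked = True
        return True
```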
Data isolation
Every organisation's data is strictly isolated. Our multi-tenant architecture ensures:
- All database queries are scoped to the authenticated organisation's ID
- API tokens are cryptographically bound to a single organisation
- Admin console users can only access their own organisation's data
- Super admin access is restricted to designated DomainGuard staff only
- Impersonation sessions are logged and time-limited to 2 hours
Extension security
- Built on Chrome Manifest V3 — the most secure extension standard
- Service worker architecture — no persistent background pages
- Content scripts are sandboxed and cannot access the API token directly
- Only the background service worker communicates with the API
- No browsing history, passwords or personal data is ever transmitted
- Deployed via MDM managed storage — token is read-only to the extension
Responsible disclosure
Found a security vulnerability?
We take security reports seriously and will respond within 48 hours. Please do not publicly disclose vulnerabilities before we have had the opportunity to address them.
Report vulnerabilities to: security@domainguard.co