Security at CaptureAPI
Security is not an afterthought — it is built into every layer of CaptureAPI. From encrypted communication to zero data retention, here is how we protect your data and your users' privacy.
HTTPS Only
All communication with CaptureAPI uses TLS 1.3 encryption. API keys, request payloads, and response data are encrypted in transit. We enforce HSTS preloading to prevent downgrade attacks.
Zero Data Retention
Screenshots and PDFs are generated in isolated, ephemeral containers and deleted immediately after delivery. We never store, cache, or log captured content. Once your API response is delivered, the rendered output is permanently erased.
SSRF Protection
Our rendering engine validates all target URLs before processing. Requests to private IP ranges (10.x, 172.16.x, 192.168.x), localhost, link-local addresses, and internal cloud metadata endpoints are blocked. We maintain a continuously updated deny-list.
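A URL validator of the kind this section describes, as an added example (not CaptureAPI's code): it decides on the resolved addresses rather than the URL text, unwraps IPv4-mapped IPv6, rejects a name if any record is internal, and goes slightly beyond the ranges listed above (CGNAT, IPv6 ULA). The hostnames, addresses and the offline resolver mapping are constructed, and the blocked-name list is illustrative.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Ranges the page names (RFC 1918, loopback, link-local incl. 169.254.169.254) plus CGNAT, ULA, "this" net.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",  # RFC 1918 private
    "127.0.0.0/8", "::1/128", "169.254.0.0/16", "fe80::/10",  # loopback, link-local
    "0.0.0.0/8", "100.64.0.0/10", "fc00::/7",  # "this" net, CGNAT, IPv6 ULA
)]
# Names that resolve only inside a cloud network (example entries, extend per provider).
BLOCKED_HOSTNAMES = {"localhost", "metadata", "metadata.google.internal"}
# Constructed DNS answers so the example runs offline; these are not real records.
FAKE_DNS = {"example.com": ["93.184.216.34"], "v6mapped.test": ["::ffff:192.168.1.1"],
            "split.test": ["93.184.216.34", "10.0.0.5"]}  # one public, one private record

def dns_resolver(host):
    """Live resolver: collect every A/AAAA record, not just the first one."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})

def fake_resolver(host):
    if host not in FAKE_DNS:
        raise OSError("constructed NXDOMAIN")
    return FAKE_DNS[host]

def validate_target(url, resolve=dns_resolver):
    """Return (allowed, reason). Decide on resolved addresses, never on the URL text alone."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False, "scheme not allowed"
    host = (parts.hostname or "").rstrip(".")
    if not host or host in BLOCKED_HOSTNAMES:
        return False, "missing or blocked hostname"
    try:  # IP literals (incl. bracketed IPv6) are checked as-is; names are resolved
        addrs = [str(ipaddress.ip_address(host))]
    except ValueError:
        try:
            addrs = resolve(host)
        except OSError:
            return False, "resolution failed"
    if not addrs:
        return False, "no addresses"  # never fail open on an empty answer
    for addr in addrs:
        ip = ipaddress.ip_address(addr)
        ip = getattr(ip, "ipv4_mapped", None) or ip  # unwrap ::ffff:a.b.c.d
        if (any(ip in net for net in BLOCKED_NETWORKS) or ip.is_loopback or ip.is_link_local
                or ip.is_private or ip.is_multicast or ip.is_unspecified or ip.is_reserved):
            return False, f"{addr} is not publicly routable"  # one bad record rejects the URL
    return True, "ok"
```

Because DNS answers can change between validation and connection, the same check has to be applied to the address actually dialled by the renderer and to every redirect target, not only to the URL as submitted.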
Rate Limiting
Every API key is subject to per-second and per-month rate limits based on your plan. Rate limiting prevents abuse, protects shared infrastructure, and ensures fair usage. Limits are enforced at the edge via Redis-backed counters with sub-millisecond latency.
Isolated Rendering
Each screenshot and PDF is rendered in a sandboxed, single-use Chromium instance. Instances are destroyed after each request, preventing cross-request data leakage. Browser processes run with restricted permissions and no network access to internal services.
GDPR Compliance
CaptureAPI is hosted on EU infrastructure and follows GDPR data processing principles. We act as a data processor on your behalf: we process only the data you send, retain nothing after delivery, and provide transparent data handling documentation.
API Key Security
API keys are hashed with SHA-256 before storage and never logged in plaintext. Keys are displayed only once at creation time. You can revoke and regenerate keys instantly from the dashboard. We recommend storing keys in environment variables.
Audit Logging
All API requests are logged with timestamp, endpoint, response code, and latency. Logs are available in your dashboard for debugging and usage monitoring. We never log request bodies, target URLs, or rendered content.
Enterprise Security
For organizations with stricter compliance requirements, the Enterprise plan includes additional security capabilities:
- Dedicated rendering infrastructure — your screenshots never share resources with other customers
- Custom data retention policies with signed deletion certificates
- IP allowlisting — restrict API access to your known server IPs
- SOC 2 Type II compliance report available on request
- Signed webhook payloads with HMAC-SHA256 verification
- Priority vulnerability disclosure and patching SLA
Responsible Disclosure
We take security vulnerabilities seriously. If you discover a security issue, please report it responsibly via email. Do not open a public GitHub issue.
Report a vulnerability: security@captureapi.dev