Security

xhr.dev takes data security and privacy seriously. This page provides general information about our data practices to give you confidence in how we secure your data.

Data Center Security

The xhr.dev API service infrastructure is hosted on Amazon Web Services (AWS)

The xhr.dev API connect front-end application is hosted on Railway.app and Fly.io.
The dev front-end application is hosted on Cloudflare Pages

We follow AWS best practices which allows us to take advantage from their secured, distributed, fault tolerant environment. We also leverage other cloud providers for frontend hosting to improve performance and scalability.

To find out more information about AWS security practices, see: https://aws.amazon.com/security

Failover and Disaster Recovery

Our infrastructure and systems uses serverless AWS services, which provide high availability
Example of serverless services used in the xhr.dev architecture: AWS ECS Fargate, AWS CloudWatch, AWS CodePipeline

AWS itself will manage availability within regions for its services

All of the application service infrastructure, as well as the underlying AWS infrastructure, is codified

In the highly unlikely event that an AWS region is down, a redeployment to a different region is a simple task, due to all of the infrastructure being codified

Data Storage and Retention Policies

We only store the email we receive during login, and associate that with your Stripe subscription which allows you to pay for and provision an API key
Authentication is done via Google OAuth and managed by Supabase

Encryption

Traffic between you or customers and the xhr.dev API application is encrypted in-transit with TLS

Source Code

Application infrastructure is codified via aws-cdk, and AWS infrastructure is codified via org-formation
Code is hosted and managed on GitHub.
Test coverage for all xhr.dev API source code repositories is 81% as of February 2025
Dependencies are kept up to date automatically with dependabot
Access to source code is secured with two-factor authentication

Caching

There is no caching

Logging

Log retention period is 2 weeks
Normally only URLs are logged; not request payloads nor response bodies
Response bodies are logged when an error is detected (such as a captcha challenge that was not solved), for debugging

Internal IT Security

Access to AWS infrastructure and source code requires two-factor authentication
Employees are given lowest level access necessary
Employee contracts include confidentiality agreements

Third Party Systems

We use Sentry for error alerting with data scrubbing enabled
We occasionally use oxylabs.io proxies & residential IP addresses. Oxylabs.io's privacy policy: https://oxylabs.io/legal/privacy

We utilize various captcha solving services to automatically solve CAPTCHAs encountered during data extraction. These services include Anti-Captcha, CapMonster, CapSolver, and 2Captcha.

Payments

Payment data is not transmitted through nor stored on xhr.dev systems
Payments are processed using PCI Compliant service providers via Stripe
Stripe is certified to PCI Service Provider Level 1

Responsible Disclosure

If you have discovered a vulnerability in the xhr.dev application or services, please contact us at mailto:security@xhr.dev.

Contact Us

If you have any questions, please contact us at dev@xhr.dev

Security ​

Data Center Security ​

Failover and Disaster Recovery ​

Data Storage and Retention Policies ​

Encryption ​

Source Code ​

Caching ​

Logging ​

Internal IT Security ​

Third Party Systems ​

Payments ​

Responsible Disclosure ​

Contact Us ​