Live · externally verified

Security posture.

Mozilla Observatory · A+ · 125 API · A+ · 130

Transport

HTTPS only. Strict-Transport-Security with max-age=31536000; includeSubDomains; preload.
HTTP requests are 301-redirected to HTTPS at the Cloudflare edge.
HSTS preload submission has been made; once accepted, browsers will refuse cleartext HTTP for tdoc.xyz before any DNS lookup happens.

Headers

Content-Security-Policy with no unsafe-eval, no inline scripts, allowlisted connect-src and font-src.
X-Frame-Options: DENY + CSP frame-ancestors 'none' — clickjacking defence.
X-Content-Type-Options: nosniff, Referrer-Policy: strict-origin-when-cross-origin.
Permissions-Policy revokes camera, geolocation, payment, microphone, USB, and other powerful APIs by default.
Cross-Origin-Opener-Policy: same-origin, Cross-Origin-Resource-Policy: same-origin.

API surface

Per-IP and per-key token-bucket rate limiting (RateLimitMiddleware).
32 MiB body cap globally; 5 MiB cap on the unauthenticated demo endpoint.
Bearer-token API keys; constant-time comparison via hmac.compare_digest.
Signed Lemon Squeezy webhook with HMAC-SHA256 verification (constant-time).
Audit logs include only the first 8 characters of any API key, never the full value.
Errors are normalised to a stable {"error","request_id"} shape — no stack traces, no internal paths.

The `/try` demo

The HTML preview from a user-uploaded document is rendered inside an <iframe sandbox=""> with no permissions — no scripts, no same-origin, no network. Any future renderer bug cannot become an XSS vector on tdoc.xyz.
Document content is processed in the same request and discarded. No storage.

Threat model

The full threat model and its mitigations are tracked in the public repository at THREAT_MODEL.md. The incident response runbook is at INCIDENT_RESPONSE.md.

Reporting a vulnerability

Email hello@tdoc.xyz with a subject line beginning SECURITY:. We respond within 72 hours during the beta. Please give us at least 30 days to fix before public disclosure. We do not yet run a formal bounty program; we acknowledge contributors in the changelog and on this page once the first valid report lands.

Last reviewed: 26 April 2026.