Security

Security at clicksdk.com

We take the security of your data and our infrastructure seriously. This page outlines our practices and explains how to report a vulnerability.

Infrastructure

clicksdk.com runs on a globally distributed edge network. All traffic is served exclusively over TLS 1.2+. Redirect endpoints enforce HSTS with long-lived max-age values and are deployed behind a WAF with rate limiting to mitigate volumetric attacks.

Data protection

  • Passwords are stored as bcrypt hashes — never in plain text.
  • IP addresses captured during click tracking are hashed (SHA-256 with a rotating salt) before persistence. Raw IPs are never stored.
  • Session tokens are HttpOnly, Secure, and SameSite=Lax cookies — not accessible to JavaScript.
  • Database credentials and API keys are stored as environment secrets and are never committed to source control or exposed in logs.
  • All inter-service communication happens over private networking with mutual TLS.
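The IP-hashing practice above (SHA-256 with a rotating salt, raw IPs never persisted) is easy to get subtly wrong, so here is an added example, not clicksdk.com's own code, of how such a scheme can be implemented. It assumes HMAC-SHA256 as the concrete "SHA-256 with salt" construction, a salt that rotates per period (a daily period id is assumed), and a click record shape that is invented for illustration. Within one salt period the same client hashes to the same value (so clicks can still be de-duplicated), after rotation the hashes are unlinkable, and the stored record never contains the raw address.

```python
import hashlib
import hmac
import ipaddress
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class Salt:
    """One rotation period's salt. `period` is an opaque label such as a
    date (assumed daily rotation); `value` is a random 32-byte secret that
    is discarded when the period ends, which is what makes old hashes
    unlinkable to new ones."""
    period: str
    value: bytes


def new_salt(period: str) -> Salt:
    return Salt(period, secrets.token_bytes(32))


def pseudonymize_ip(ip: str, salt: Salt) -> str:
    """Canonicalise the address (rejects junk, folds IPv6 spelling variants)
    and return a keyed SHA-256 digest. Using HMAC rather than
    sha256(salt + ip) avoids length-extension and keeps the salt out of the
    hashed byte stream; this is an assumed design choice."""
    canonical = str(ipaddress.ip_address(ip.strip()))  # raises ValueError
    return hmac.new(salt.value, canonical.encode(), hashlib.sha256).hexdigest()


def click_record(ip: str, url: str, salt: Salt) -> dict:
    """Build the record that would be persisted. The raw IP is consumed
    here and never copied into the output; the period label is stored so
    analytics can tell which hashes are comparable with each other."""
    return {
        "ip_hash": pseudonymize_ip(ip, salt),
        "salt_period": salt.period,
        "url": url,
    }


def same_client(record_a: dict, record_b: dict) -> bool:
    """Two records can only be compared when they were hashed under the
    same salt period; across periods the answer is always 'unknown'."""
    return (
        record_a["salt_period"] == record_b["salt_period"]
        and hmac.compare_digest(record_a["ip_hash"], record_b["ip_hash"])
    )


if __name__ == "__main__":
    # Constructed sample input, not real traffic.
    today = new_salt("2026-04-20")
    tomorrow = new_salt("2026-04-21")
    r1 = click_record("203.0.113.7", "https://example.com/a", today)
    r2 = click_record("203.0.113.7", "https://example.com/b", today)
    r3 = click_record("203.0.113.7", "https://example.com/c", tomorrow)
    print(r1)
    print("same client today:", same_client(r1, r2))
    print("linkable across rotation:", same_client(r1, r3))
```

The rotation period is a trade-off: a shorter period limits how long any one hash can be correlated, while a longer one allows de-duplication over a longer window. Whatever the period, the old salt must actually be destroyed at rotation, otherwise the "unlinkable" property is only as strong as the salt store.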

Application security

  • All user-supplied URLs are validated and sanitised before storage to prevent open-redirect abuse and SSRF.
  • Input is validated at every API boundary using strict schema validation.
  • Content-Security-Policy, X-Frame-Options, Referrer-Policy, and Permissions-Policy headers are set on all responses.
  • Admin routes perform server-side session verification — client-side route guards are supplementary only.
  • Rate limiting is applied to redirect, track, and auth endpoints.
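The first and third points above describe destination-URL validation and the response-header set. As an added example, not clicksdk.com's own code, the block below shows a validator a redirect service could apply before storing a user-supplied URL, and a header set of the kind the page lists. It assumes an http/https scheme allowlist, rejection of embedded credentials, and rejection of any IP literal that is not globally routable (loopback, link-local, private ranges), which is the SSRF control that matters if the server ever fetches the destination itself. The header values are assumptions chosen for illustration, not the site's actual policy.

```python
import ipaddress
from urllib.parse import urlsplit, urlunsplit

ALLOWED_SCHEMES = {"http", "https"}
MAX_URL_LENGTH = 2048  # assumed limit


class InvalidDestination(ValueError):
    """Raised for any URL that must not be stored as a redirect target."""


def validate_destination_url(raw: str) -> str:
    """Return a canonical form of `raw` or raise InvalidDestination.

    Rejects: non-http(s) schemes (javascript:, data:, file:), scheme-relative
    and relative URLs, credentials in the authority, and IP literals that
    are not public. Hostnames are not resolved here, so a name that resolves
    to an internal address must still be caught at fetch time (DNS rebinding
    defence belongs in the HTTP client, not in a string validator)."""
    if len(raw) > MAX_URL_LENGTH:
        raise InvalidDestination("URL too long")
    parts = urlsplit(raw.strip())
    scheme = parts.scheme.lower()
    if scheme not in ALLOWED_SCHEMES:
        raise InvalidDestination(f"scheme not allowed: {parts.scheme!r}")
    host = parts.hostname
    if not host:
        raise InvalidDestination("missing host")
    if parts.username is not None or parts.password is not None:
        raise InvalidDestination("credentials in URL are not allowed")
    if host == "localhost" or host.endswith(".localhost"):
        raise InvalidDestination("loopback host")
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        addr = None  # a DNS name, not an IP literal
    if addr is not None:
        # Unwrap IPv4-mapped IPv6 (::ffff:10.0.0.1) so the IPv4 rules apply.
        if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped:
            addr = addr.ipv4_mapped
        if not addr.is_global:
            raise InvalidDestination(f"non-public address: {host}")
    return urlunsplit(
        (scheme, parts.netloc.lower(), parts.path or "/", parts.query, parts.fragment)
    )


def security_headers() -> dict:
    """Response headers of the kind the page lists; values are assumed."""
    return {
        "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
        "X-Frame-Options": "DENY",
        "Referrer-Policy": "strict-origin-when-cross-origin",
        "Permissions-Policy": "camera=(), microphone=(), geolocation=()",
        "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    }


if __name__ == "__main__":
    # Constructed sample inputs, not real submissions.
    samples = [
        "https://Example.COM/landing?utm=1#top",
        "javascript:alert(1)",
        "//evil.example/x",
        "http://127.0.0.1:8080/admin",
        "http://[::1]/",
        "http://169.254.169.254/latest/meta-data/",
        "http://user:pw@example.com/",
    ]
    for s in samples:
        try:
            print("OK  ", validate_destination_url(s))
        except InvalidDestination as e:
            print("DROP", s, "->", e)
```

Note that the validator is deliberately strict about scheme rather than trying to blocklist dangerous ones; an allowlist is the only shape that survives new schemes and case or whitespace tricks in the input.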

Responsible disclosure

If you discover a security vulnerability in clicksdk.com, we ask that you report it to us privately before disclosing it publicly. We commit to acknowledging your report within 48 hours and providing a timeline for resolution.

Please include a clear description of the issue, steps to reproduce, and the potential impact. We will not take legal action against researchers who act in good faith.

Report a vulnerability

Email security@clicksdk.com with subject line [SECURITY].

Scope

In-scope targets for security testing:

  • clicksdk.com (main application)
  • api.clicksdk.com
  • *.clicksdk.com

Please do not perform destructive testing or access other users' data. Automated scanning without prior coordination is out of scope.

Updates

This page was last updated on 20 April 2026. For questions about our security practices, contact security@clicksdk.com.