Security
Security Policy
Last updated: July 10, 2026
Reporting a vulnerability
If you discover a security vulnerability in Alpha or any of DragonMeta's products, please report it to us. We read every report.
Please include:
- A description of the vulnerability
- Steps to reproduce
- Potential impact
- A suggested fix, if you have one
A machine-readable contact file is also available at /security.txt.
Security measures
Input validation
- All user inputs are sanitized and validated
- SQL injection prevention via prepared statements
- XSS protection through output escaping
Security headers
Content-Security-Policy locked to same-origin sources
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN / frame-ancestors
Referrer-Policy: strict-origin-when-cross-origin
- A restrictive
Permissions-Policy
Rate limiting
- Per-IP rate limiting on API endpoints
- Timeout mechanisms for external requests
Data protection
- Browser-specific conversation isolation via an
httpOnly, SameSite=Strict owner cookie
- Generated images are never stored on disk
- Secure session management
Access control
robots.txt for crawler management
.htaccess for file protection; sensitive file access denied
Responsible disclosure
- Report received and acknowledged within 24 hours
- Investigation and fix development
- Security patch released
- Public disclosure after the fix is deployed
Legal notice
Unauthorized access to computer systems is illegal. Please test only against your own accounts and data, and report what you find rather than exploiting it.