Security
Security built in, not bolted on
Every plan includes every security feature. No enterprise upsell for basic protections.
HMAC-SHA256 Signed Webhooks
Every webhook delivery includes an X-Cue-Signature header containing a SHA-256 HMAC of the request body, signed with your webhook secret. Verify this signature in your handler to ensure the request is authentic and has not been tampered with in transit.
Hashed API Keys
API keys are SHA-256 hashed before storage. The plaintext key is displayed exactly once at creation time. If you lose your key, regenerate it via POST /v1/auth/key/regenerate. Old keys are immediately invalidated.
SSRF Protection
Callback URLs are validated before every webhook delivery. Private IP ranges (127.0.0.0/8, 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16), link-local addresses, and non-routable addresses are blocked. DNS resolution is checked to prevent DNS rebinding attacks.
Replay Protection
Webhook signatures include a timestamp via the X-Cue-Timestamp header. We recommend rejecting any delivery where the timestamp is more than 5 minutes old. This prevents replay attacks where an intercepted payload is re-sent.
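A handler-side verification routine covering both the HMAC-SHA256 signature and the 5-minute freshness window described above, added here as an example and not code from Cue itself. The secret, payload and the exact signed message are assumptions: the page says the HMAC is over the request body and that signatures include the timestamp, so this example assumes the common construction of signing "<timestamp>.<body>" with a hex-encoded digest; check the Cue docs for the precise encoding.

```python
import hashlib
import hmac
import time
from typing import Optional

# Constructed placeholder; the real secret comes from the Cue dashboard.
WEBHOOK_SECRET = b"whsec_example_placeholder"
MAX_AGE_SECONDS = 5 * 60  # the 5-minute window recommended above

def compute_signature(secret: bytes, timestamp: str, body: bytes) -> str:
    """HMAC-SHA256, hex-encoded, over "<timestamp>.<raw body>".
    Assumption: Cue binds the timestamp into the signed message this way.
    If only the body were signed, a replayed body could be re-sent with a
    fresh timestamp and the freshness check below would not stop it."""
    msg = timestamp.encode() + b"." + body
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()

def verify_webhook(body: bytes, headers: dict, secret: bytes,
                   now: Optional[float] = None):
    """Return (ok, reason) for one delivery. Verify the signature first,
    then reject timestamps outside the allowed window."""
    now = time.time() if now is None else now
    sig = headers.get("X-Cue-Signature")
    ts = headers.get("X-Cue-Timestamp")
    if not sig or not ts:
        return False, "missing signature or timestamp header"
    expected = compute_signature(secret, ts, body)
    # compare_digest is constant-time, so a wrong signature leaks nothing
    # about how many leading characters happened to match
    if not hmac.compare_digest(expected.encode(), sig.encode()):
        return False, "signature mismatch"
    try:
        sent_at = int(ts)  # assumption: Unix seconds
    except ValueError:
        return False, "malformed timestamp"
    # abs() also rejects timestamps far in the future (skewed or crafted clock)
    if abs(now - sent_at) > MAX_AGE_SECONDS:
        return False, "stale timestamp (possible replay)"
    return True, "ok"

if __name__ == "__main__":
    body = b'{"cue_id":"cue_123","event":"fired"}'  # constructed payload
    ts = str(int(time.time()))
    headers = {"X-Cue-Timestamp": ts,
               "X-Cue-Signature": compute_signature(WEBHOOK_SECRET, ts, body)}
    print(verify_webhook(body, headers, WEBHOOK_SECRET))  # (True, 'ok')
```

Always compute the HMAC over the raw request bytes as received, not over a re-serialized JSON object, since any whitespace or key-order change alters the digest.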
HTTPS Only
In production, all callback URLs must use HTTPS. HTTP URLs are rejected at cue creation time. In test mode (cue_test_ keys), HTTP is allowed for localhost development.
Full Audit Trail
Every execution is logged with: delivery timestamp, HTTP response code from your server, number of retry attempts, outcome status, and outcome metadata. Access the full audit trail via the GET /v1/executions API or the dashboard.
Encryption at Rest
All data is encrypted at rest using AES-256. This includes cue configurations, payload data, execution logs, and account information. Database backups are also encrypted.
Encryption in Transit
All API traffic uses TLS 1.2 or higher. HSTS is enforced. Certificate pinning is available for enterprise customers. All internal service communication also uses TLS.
Reporting vulnerabilities
If you discover a security vulnerability, please report it responsibly by emailing security@cueapi.ai. We take all reports seriously and will respond within 48 hours.