Security
paperjet treats render isolation, secret hygiene, and supply-chain integrity as
non-negotiable. The render path runs in a sandboxed container with a custom
Typst World (the compiler's only view of files, fonts and packages), a 5-second
wall-clock timeout, and OS-level seccomp + Landlock + cgroup limits.
Reporting a vulnerability
Email security@paperjet.dev. Reports are acknowledged within 48 h and triaged within 5 business days. The full disclosure policy lives in SECURITY.md.
What you should know
- API keys are stored as BLAKE3 hashes, never in cleartext, and compared in constant time on lookup.
- Per-key rate limiting in a Durable Object: sliding window, with limits set by plan.
- HSTS with a 2-year max-age and preload; nonce-based CSP on the dashboard, no unsafe-inline.
- Dependencies pinned to exact versions; weekly Trivy + cargo-audit + bun-audit scans.
- GDPR: IP addresses truncated (last octet zeroed) before persistence; email addresses masked in logs.
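How hashed API keys with a constant-time compare fit together, as an added example that is not paperjet's code. The page says BLAKE3; since the blake3 package is third-party, hashlib.blake2b stands in here for the same role (a fast unkeyed hash; no slow KDF is needed for a high-entropy random secret). The key format `pj_live_<id>_<secret>` and the plan names are assumptions for illustration.

```python
"""Hashed API-key storage with constant-time verification (illustrative)."""
import hashlib
import hmac
import secrets
from typing import Optional

KEY_PREFIX = "pj_live_"   # assumed prefix: makes leaked keys greppable by scanners


def hash_api_key(raw_key: str) -> bytes:
    # Only this digest is stored. blake2b stands in for BLAKE3 here; a fast
    # hash is enough because the secret part is 192 random bits.
    return hashlib.blake2b(raw_key.encode("utf-8"), digest_size=32).digest()


def issue_api_key() -> tuple[str, str, bytes]:
    """Return (key_id, raw_key, digest). raw_key is shown to the user once."""
    key_id = secrets.token_hex(6)            # public identifier, safe to log
    raw_key = f"{KEY_PREFIX}{key_id}_{secrets.token_urlsafe(24)}"
    return key_id, raw_key, hash_api_key(raw_key)


def parse_key_id(raw_key: str) -> Optional[str]:
    # The public id lets the row be fetched by an indexed column; the secret
    # part is never sent to the database in cleartext.
    if not raw_key.startswith(KEY_PREFIX):
        return None
    key_id, sep, _secret = raw_key[len(KEY_PREFIX):].partition("_")
    return key_id if sep and key_id else None


class ApiKeyStore:
    """In-memory stand-in for the keys table: key_id -> (digest, plan)."""

    # Compared against when the key_id is unknown, so unknown ids and wrong
    # secrets take the same code path and cost the same time.
    _DUMMY_DIGEST = bytes(32)

    def __init__(self) -> None:
        self._rows: dict = {}

    def add(self, key_id: str, digest: bytes, plan: str) -> None:
        self._rows[key_id] = (digest, plan)

    def authenticate(self, raw_key: str) -> Optional[str]:
        """Return the key's plan if raw_key is valid, else None."""
        key_id = parse_key_id(raw_key)
        stored_digest, plan = self._rows.get(key_id, (self._DUMMY_DIGEST, None))
        # compare_digest takes time independent of where the digests differ,
        # so a remote attacker cannot recover the digest byte by byte.
        if hmac.compare_digest(hash_api_key(raw_key), stored_digest):
            return plan
        return None


if __name__ == "__main__":
    store = ApiKeyStore()
    key_id, raw_key, digest = issue_api_key()
    store.add(key_id, digest, "pro")
    print(store.authenticate(raw_key), store.authenticate(raw_key[:-1] + "!"))
```

The digest comparison is the only place constant time matters: the lookup by `key_id` is on a public identifier, so its timing reveals nothing an attacker does not already hold.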
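The plan-aware sliding-window limiter, as an added example that is not paperjet's code. The page puts this in a Durable Object, which is single-threaded per key, so the in-memory log below needs no locking; the plan limits, header names and the fallback for an unknown plan are assumptions.

```python
"""Per-key, plan-aware sliding-window rate limiter (illustrative)."""
import math
from collections import deque
from dataclasses import dataclass

# (max requests, window in seconds) per plan. Assumed numbers.
PLAN_LIMITS = {
    "free": (10, 60.0),
    "pro": (600, 60.0),
}


@dataclass
class Decision:
    allowed: bool
    limit: int
    remaining: int
    retry_after: float   # seconds until capacity frees up; 0.0 when allowed

    def headers(self) -> dict:
        h = {"X-RateLimit-Limit": str(self.limit),
             "X-RateLimit-Remaining": str(self.remaining)}
        if not self.allowed:
            # Round up so a client never retries a hair too early and is
            # rejected again.
            h["Retry-After"] = str(math.ceil(self.retry_after))
        return h


class SlidingWindowLimiter:
    """Sliding-window *log*: exact, at most `limit` timestamps kept per key."""

    def __init__(self, plan_limits=PLAN_LIMITS) -> None:
        self._plan_limits = plan_limits
        self._hits: dict = {}   # key_id -> deque of request timestamps

    def check(self, key_id: str, plan: str, now: float) -> Decision:
        # Unknown plan (stale cache, typo): fall back to the most restrictive
        # tier rather than to "unlimited".
        limit, window = self._plan_limits.get(plan) or self._plan_limits["free"]
        log = self._hits.setdefault(key_id, deque())
        cutoff = now - window
        while log and log[0] <= cutoff:     # drop hits that aged out
            log.popleft()
        if len(log) >= limit:
            # The oldest in-window hit decides when the next slot opens.
            return Decision(False, limit, 0, log[0] + window - now)
        log.append(now)
        return Decision(True, limit, limit - len(log), 0.0)


if __name__ == "__main__":
    lim = SlidingWindowLimiter()
    for t in range(11):
        print(t, lim.check("demo", "free", float(t)).headers())
```

Passing `now` in rather than reading the clock keeps the decision deterministic and testable. The log variant is exact; if memory per key matters at higher plan limits, a two-bucket sliding-window counter is the usual trade-off, at the cost of slight over-admission at bucket boundaries.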
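The IP truncation and email masking from the GDPR bullet, as an added example that is not paperjet's code. The page specifies zeroing the last IPv4 octet before persistence and masking emails in logs; the IPv6 rule (keep a /48, since IPv6 has no meaningful "last octet"), the exact mask shape, and the regex safety net for free-text log lines are assumptions. The log line is constructed for the example.

```python
"""Privacy scrubbing for persisted data and log lines (illustrative)."""
import ipaddress
import re


def truncate_ip(ip: str) -> str:
    """Return the address with its host part zeroed."""
    addr = ipaddress.ip_address(ip)        # ValueError on junk; never persist junk raw
    # /24 zeroes the last IPv4 octet as the page states; /48 for IPv6 is an
    # assumption chosen to drop the host and subnet identifiers.
    prefix = 24 if addr.version == 4 else 48
    return str(ipaddress.ip_network(f"{addr}/{prefix}", strict=False).network_address)


def mask_email(email: str) -> str:
    """Keep one leading character and the domain: enough to correlate one
    user's lines during triage, not enough to identify them from the log."""
    local, at, domain = email.partition("@")
    if not at or not local:
        return "<redacted>"
    return f"{local[0]}***@{domain}"


# Safety net for free-text messages. Structured fields should be scrubbed at
# the source with the two functions above; IPv6 literals are not matched here.
_IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
_EMAIL = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")


def scrub_log_line(line: str) -> str:
    def _ip(m: "re.Match") -> str:
        try:
            return truncate_ip(m.group(0))
        except ValueError:
            return m.group(0)     # e.g. "999.1.2.3": not an address, leave it
    line = _EMAIL.sub(lambda m: mask_email(m.group(0)), line)
    return _IPV4.sub(_ip, line)


# Constructed sample line, not real log output.
SAMPLE_LINE = "2024-05-01T12:00:00Z login ok user=alice.smith@example.com ip=203.0.113.42"

if __name__ == "__main__":
    print(scrub_log_line(SAMPLE_LINE))
```

Scrub before the write path, not in a later batch job: once the full address or email has hit disk or a log shipper, the retention clock and the breach surface already include it.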