DeployDoc reads deployment errors and configuration files. By definition, those files contain sensitive material. Every paste is treated as untrusted until proven safe — and most of the work happens before anything leaves your browser.
Secrets matching known API key patterns are detected and masked locally before a single byte leaves your machine.
Pattern set covers AWS, GCP, Stripe, Supabase, OpenAI, GitHub, Slack and 40+ others. Updated weekly.
Request bodies are processed in memory and discarded. Only the redacted metadata required to render your report is persisted.
No raw error logs. No raw env files. No raw config. Ever.
The edge layer scans outbound log lines and drops anything that still contains an unmasked secret — a backstop in case redaction was bypassed.
Enforced at the worker boundary, not the application layer.
Every paste shows a preview of which values are about to be redacted. You decide whether to send, edit, or cancel.
Nothing is silent. Nothing is automatic without your confirmation.
When DeployDoc suggests an env var, the guidance explicitly states whether it is safe in client code or must remain server-side.
VITE_, NEXT_PUBLIC_ and equivalent client-exposed prefixes are flagged distinctly from server-only secrets.
When DeployDoc probes a URL on your behalf, the server-side fetcher blocks localhost, private IP ranges, link-local addresses, cloud metadata endpoints, and non-http(s) schemes. Every redirect hop is re-validated against the same denylist.
DNS is resolved server-side; redirected hosts that resolve to a private IP are refused before any byte is read.
Configs and logs you upload go to a private Supabase Storage bucket. We never generate a public URL. Reads use short-lived signed URLs (60 seconds), gated by Storage RLS plus a metadata-row RLS check.
Raw files are deleted automatically after we extract and re-redact the text, unless you explicitly opt to keep the original.
Provider tokens — Vercel, Netlify, Cloudflare, Supabase — are encrypted at rest with per-workspace keys and scoped to the minimum permissions we need.
You can revoke any integration from the workspace settings at any time.
Every response carries a CSP with a strict connect-src allowlist, frame-ancestors 'none', object-src 'none', base-uri 'self', form-action 'self', and SHA-256 hashes for our own static inline scripts. Violations are reported to our own endpoint and logged for review.
Nonce-based script allowlisting is tracked as post-launch hardening pending stable framework support; CSP_REPORT_ONLY=1 remains as a documented rollback flag.
If you believe you have found a security issue, email support@deploydoc.com. We acknowledge within one business day and credit researchers in our public changelog.