Security
Last updated: May 2026
Overview
Security is a core part of how PxShot is built. This page documents how we protect your account, your API keys, and the data that flows through the service.
API Key Security
API keys are never stored in plaintext. When you create a key, we immediately hash it with SHA-256 and store only the hash. The raw key is shown to you once at creation time and cannot be retrieved again — if lost, you should delete it and create a new one.
Keys follow the format px_... and are 64 hex characters after the prefix. Treat your API key like a password — do not commit it to source control, include it in public repositories, or log it in application output.
Origin Locking
Every API key can be restricted to one or more allowed HTTP origins (e.g. https://yourapp.com). When an origin lock is set, requests arriving from any other origin are rejected with HTTP 403 — even if the key itself is valid.
Origin locking is the recommended approach when using your API key in client-side JavaScript, browser extensions, or any environment where the key could be observed in network traffic. Configure it from the API Keys tab in your dashboard.
HTTPS Only
All traffic to pxshot.dev — both the dashboard and the API endpoint — is served exclusively over HTTPS. Plain HTTP requests are redirected to HTTPS. TLS termination is handled by Cloudflare, which enforces modern cipher suites and HTTP/2.
Screenshot Data
PxShot does not store the screenshots it captures. The browser rendering process captures the image and streams it directly back to your request. Only metadata is persisted to our database: the target URL, dimensions, format, file size, and capture duration. This metadata is tied to your account and used for usage tracking and rate limiting.
URL logs are retained for 90 days and then purged. You can see a rolling log of your recent captures in the dashboard.
Request Validation
Before any browser is launched, every capture request is validated:
- The target URL must include a valid protocol (https:// or http://).
- Requests to private IP ranges (localhost, 192.168.x.x, 10.x.x.x, 172.16–31.x.x, and link-local addresses) are blocked to prevent server-side request forgery (SSRF).
- Known ad, tracker, and analytics domains are blocked during page rendering to reduce noise and prevent data leakage to third parties.
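The scheme and private-range rules above, written out as an added example (this is not PxShot's own validator): hostnames are resolved through an injectable resolver so the check applies to what the name actually points at, not only to literal IP addresses. The function names, the `resolver` hook and the sample hosts are assumptions.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}


def _resolve(host):
    """Default resolver: every A/AAAA address for host (empty set if unresolvable)."""
    try:
        # sockaddr[0] is the textual address; drop any IPv6 zone id such as "%eth0"
        return {info[4][0].split("%", 1)[0] for info in socket.getaddrinfo(host, None)}
    except socket.gaierror:
        return set()


def is_private_address(ip_text):
    """True for loopback, RFC 1918, link-local and any other non-public range."""
    ip = ipaddress.ip_address(ip_text)
    # Unwrap IPv4-mapped IPv6 (::ffff:a.b.c.d) so the IPv4 rules decide, otherwise
    # a mapped public address would be misclassified on older Python versions.
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    # is_global is False for 10/8, 172.16/12, 192.168/16, 127/8, 169.254/16,
    # 0.0.0.0/8, 100.64/10, ::1, fc00::/7, fe80::/10 and the reserved ranges.
    return not ip.is_global


def validate_target(url, resolver=_resolve):
    """Return (ok, reason); ok is False when the capture request must be rejected."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, "scheme must be http or https"
    host = parts.hostname  # already lowercased, brackets stripped from IPv6 literals
    if not host:
        return False, "missing host"
    if host == "localhost" or host.endswith(".localhost"):
        return False, "localhost is blocked"
    try:
        addrs = {str(ipaddress.ip_address(host))}  # literal IP: no lookup needed
    except ValueError:
        addrs = resolver(host)  # hostname: check every address it resolves to
    if not addrs:
        return False, "host does not resolve"
    for addr in addrs:
        if is_private_address(addr):
            return False, f"{host} resolves to private address {addr}"
    return True, "ok"
```

The address list returned here is only trustworthy if the browser then connects to one of those same addresses; a second, independent lookup at fetch time could return a different (private) answer, so pin the connection to the checked address rather than re-resolving.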
Password Security
Account passwords are hashed using PBKDF2 with SHA-256, 100,000 iterations, and a random 16-byte salt per password. Plaintext passwords are never stored or logged. Password reset links are single-use and expire after a short window.
Payment Security
All payment processing is handled by Stripe. PxShot never receives or stores raw card numbers, CVV codes, or other sensitive payment details. We store only your Stripe customer ID and subscription ID to manage your plan.
Infrastructure
PxShot runs on a serverless edge platform where each request is handled in an isolated execution environment. There is no persistent server process and no shared memory between requests. The database encrypts all data at rest. Browser rendering runs in an isolated environment that is fully separated from the API layer.
Vulnerability Disclosure
If you discover a security vulnerability in PxShot, please report it responsibly by emailing support@pxshot.dev with a description of the issue and steps to reproduce. We ask that you do not publicly disclose the vulnerability until we have had a reasonable opportunity to investigate and address it.
We do not currently offer a bug bounty program, but we will acknowledge and credit researchers who report valid issues in good faith.