Security

Built for untrusted URLs, team access, and production workloads.

ScreenshotFreeAPI assumes that submitted URLs are hostile, output files are sensitive, and teams need scoped access. Every control in the system starts from that assumption.

SSRF Protection · Isolated Contexts · bcrypt API Keys · Signed Links

Security model

Four layers, zero assumptions.

Input validation, execution isolation, key management, and output protection are designed as independent, overlapping controls.

01 SSRF blocklist

Input sanitisation

Every URL submitted to the capture engine passes through a strict SSRF blocklist before Playwright navigation. Localhost, metadata services (169.254.169.254), private ranges (10.x, 172.16–31.x, 192.168.x), and IPv6 loopbacks are all rejected at the schema-validation layer — not just in the worker.
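A schema-layer check of the kind described above, as an added example (not ScreenshotFreeAPI's own code). The function names and return shape are assumptions, and treating all of 127.0.0.0/8 as "localhost" is an assumption that goes slightly beyond the page's list.

```javascript
// Added example, not ScreenshotFreeAPI code. Names and return shape are assumed.
// [network, prefix length] pairs taken from the ranges listed on the page.
const BLOCKED_V4 = [
  ['127.0.0.0', 8],        // localhost (whole loopback block, an assumption)
  ['10.0.0.0', 8],         // private 10.x
  ['172.16.0.0', 12],      // private 172.16-31.x
  ['192.168.0.0', 16],     // private 192.168.x
  ['169.254.169.254', 32], // metadata service
];

// Dotted-quad string -> unsigned 32-bit number.
const v4ToInt = (ip) =>
  ip.split('.').reduce((acc, octet) => acc * 256 + Number(octet), 0);

function inBlockedV4(ip) {
  const addr = v4ToInt(ip);
  return BLOCKED_V4.some(([network, bits]) => {
    const base = v4ToInt(network);
    return addr >= base && addr < base + 2 ** (32 - bits);
  });
}

function checkCaptureUrl(raw) {
  const reject = (reason) => ({ ok: false, reason });
  let url;
  try {
    url = new URL(raw);
  } catch {
    return reject('unparseable');
  }
  if (url.protocol !== 'http:' && url.protocol !== 'https:') return reject('scheme');

  // The WHATWG URL parser lower-cases the host and rewrites decimal, hex and
  // shortened IPv4 forms (2130706433, 0x7f.1) to dotted-quad, so the range
  // check below sees one canonical spelling.
  const host = url.hostname.replace(/\.$/, '');
  if (host === 'localhost' || host.endsWith('.localhost')) return reject('localhost');
  if (/^\d+(\.\d+){3}$/.test(host) && inBlockedV4(host)) return reject('blocked-ipv4');
  if (host === '[::1]') return reject('ipv6-loopback');
  return { ok: true, host };
}
```

This covers only hosts written literally in the URL; a hostname that resolves to a blocked address has to be caught by the worker-side check the page also refers to.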

02 Per-job contexts

Execution isolation

Each screenshot job receives its own Playwright BrowserContext, created from a shared Browser pool. Cookies, storage, service workers, and any prior state are completely absent. Contexts are destroyed immediately after the capture completes — no carryover between jobs or tenants.

03 bcrypt + prefix

Key management

Raw API keys are shown exactly once at creation time and never stored again. The database holds only a bcrypt hash alongside a non-secret prefix (e.g. sfa_a3f2b1) for O(1) key lookup. Timing-safe comparison is used on every authentication check to prevent timing oracle attacks.

04 HMAC signatures

Output security

Screenshot files are delivered through HMAC-signed URLs (S3 presigned or local HMAC tokens) that expire on a configurable TTL. Webhook deliveries include an X-ScreenshotFree-Signature header for HMAC-SHA256 payload verification. Public bucket access is never used.

Technical controls

Every control, documented.

The full set of mechanisms active on every API request and capture job.

Private IP protection

SSRF rules block localhost, metadata, and private network ranges.

Hashed API keys

Raw keys are shown once and stored with bcrypt hashes.

Isolated browsers

Every job receives its own Playwright browser context.

Signed asset links

HMAC and presigned URLs protect screenshot delivery.

Structured logs

Pino logs track job state, retries, storage, and webhook delivery.

Workspace roles

Owner, admin, member, and viewer controls prepare the app for teams.

Data handling

Your data, your rules.

ScreenshotFreeAPI applies strict data minimisation across the capture pipeline — no raw keys, no persistent screenshot content beyond your configured TTL.

  • Screenshots are stored only for the duration you configure. Default TTL is 24 hours on the Free tier.
  • All data in transit is encrypted via TLS 1.2+. S3-compatible storage uses server-side encryption (SSE-S3 or SSE-KMS).
  • Raw API keys are never written to database rows, logs, or error reports.
  • Pino structured logs record job state, retry counts, and webhook delivery status — never request bodies or screenshot content.
  • Workspace role separations (Owner, Admin, Member, Viewer) scope key creation and billing access at the database level.

| Data category | Retention | Protection |
| --- | --- | --- |
| API keys | Until revoked | bcrypt hash only |
| Screenshot files | Configurable TTL | TLS + SSE at rest |
| Job records | 90 days | TLS + DB encryption |
| Webhook logs | 30 days | TLS |
| Billing events | 7 years | TLS + PCI scope |
| Structured logs | 14 days | TLS |

Talk to us

Security questions before you commit?

We are happy to walk through the threat model, review your access control requirements, or provide a completed security questionnaire.