Security
How we handle certificates, isolation, and disclosure.
TLS & certificates
- Certificates are issued by Let's Encrypt: HTTP-01 for individual domains, DNS-01 for wildcard zones.
- Renewal is automatic, well before the 90-day expiry. Certificate private keys are stored encrypted on the edge and never leave it.
- TLS is terminated at the edge with modern ciphers; the origin connection is made over HTTPS.
Tenant isolation
- Every domain belongs to exactly one tenant. A hostname can never be registered by two tenants.
- Origins, header rules, and quotas are scoped per tenant.
- ACME accounts are pooled and, for larger tenants, dedicated — so one tenant's issuance volume cannot exhaust another's rate limit.
- Domain ownership is verified (DNS token or points-to-us) before a domain is served, preventing domain takeover.
Data handling
- Proxied traffic transits the edge and is not stored. We do not retain request or response bodies.
- Operational access logs (timestamp, host, status, bytes) are retained for a limited window for debugging and abuse prevention, then deleted.
- Publishable keys used in the browser can only register/read a tenant's own domains and cannot serve a domain until ownership is verified.
Responsible disclosure
If you find a vulnerability, email security@cnames.dev. We investigate every report, do not pursue legal action against good-faith research, and will credit reporters who wish to be acknowledged.
Compliance
SOC 2 is on our roadmap; we will publish status here when the audit is underway rather than before. For data-processing terms, see the Privacy Policy.