Security
Last updated: March 25, 2026
Manako prioritizes the safety of your data above all else.
Infrastructure
Manako runs on Cloudflare’s global infrastructure. Operating as serverless (Cloudflare Workers) eliminates the need for OS and middleware management, minimizing the attack surface.
| Certification | Scope |
|---|---|
| SOC 2 Type II | Workers, D1, KV, R2, Pages |
| ISO 27001 | Information Security Management |
| ISO 27701 | GDPR-compliant Privacy Management |
| PCI DSS | Workers, KV |
Data Protection
Encryption
| Target | Method |
|---|---|
| At Rest | AES-256-GCM (all D1, R2, and KV data automatically encrypted) |
| In Transit | TLS 1.3 (including all inter-Worker communication) |
| Passwords | PBKDF2-SHA-256 + random salt 16 bytes (100,000 iterations, 256-bit key length, timing-safe comparison) |
Authentication and Session Management
- JWT (HS256): Access token validity 15 minutes, refresh token 7 days
- Refresh token rotation: Old token invalidated immediately upon use, new token issued
- Refresh token storage: Stored in Cloudflare KV with TTL; automatically deleted after expiry
- API Key: `mk_` prefix + 64-character HEX; stored as SHA-256 hash; only the first 11 characters of the prefix recorded in DB
Tenant Isolation
- `team_id` scope enforced on all database queries
- API Keys issued and managed per team
- Access to another team’s data is not possible
Application Security
Input Validation
- Zod schema validation on all API endpoints
- SSRF prevention: Blocks private IPs (`10.0.0.0/8`, `172.16.0.0/12`, `192.168.0.0/16`), localhost, cloud metadata endpoints (`169.254.169.254`, `metadata.google.internal`)
- HTTP header injection prevention
- XSS escaping (status page SSR)
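The SSRF blocklist from the list above, written out as a check on a customer-supplied URL. This is an added example, not Manako's implementation: `checkTarget`, `BLOCKED_V4` and `BLOCKED_HOSTS` are hypothetical names, and treating `127.0.0.0/8` as localhost and refusing every IPv6 literal are assumptions of the example.

```javascript
// Added example, not Manako's code. All names here are hypothetical.
const BLOCKED_V4 = [
  ["10.0.0.0", 8], ["172.16.0.0", 12], ["192.168.0.0", 16], // private ranges (from the page)
  ["127.0.0.0", 8],                                          // localhost as an address (assumed range)
  ["169.254.169.254", 32],                                   // cloud metadata address (from the page)
];
const BLOCKED_HOSTS = new Set(["localhost", "metadata.google.internal"]);

// Dotted-quad string -> unsigned 32-bit integer, or null if not an IPv4 literal.
function ipv4ToInt(host) {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(host);
  if (!m) return null;
  const octets = m.slice(1).map(Number);
  if (octets.some((o) => o > 255)) return null;
  return octets.reduce((acc, o) => acc * 256 + o, 0);
}

// True when ip falls inside network/bits (bits is 8..32 for the table above).
function inCidr(ip, [network, bits]) {
  const mask = (0xffffffff << (32 - bits)) >>> 0;
  return ((ip & mask) >>> 0) === ((ipv4ToInt(network) & mask) >>> 0);
}

// Returns { allowed, reason } for a monitor or webhook URL.
function checkTarget(rawUrl) {
  let url;
  try {
    url = new URL(rawUrl);
  } catch {
    return { allowed: false, reason: "unparseable URL" };
  }
  if (url.protocol !== "http:" && url.protocol !== "https:") {
    return { allowed: false, reason: "scheme is not http(s)" };
  }
  // The URL parser lower-cases the host and rewrites numeric IPv4 spellings
  // (2130706433, 0x7f.1) to dotted-quad, so the checks below see one form.
  const host = url.hostname.replace(/\.$/, "");
  if (BLOCKED_HOSTS.has(host)) return { allowed: false, reason: "blocked hostname" };
  // Simplification made for this example: refuse every IPv6 literal.
  if (host.startsWith("[")) return { allowed: false, reason: "IPv6 literal" };
  const ip = ipv4ToInt(host);
  if (ip !== null && BLOCKED_V4.some((cidr) => inCidr(ip, cidr))) {
    return { allowed: false, reason: "blocked IPv4 range" };
  }
  return { allowed: true, reason: "ok" };
}
```

A check on the URL string does not see what a hostname resolves to or where a redirect leads, so it works alongside the page's no-redirect rule for HTTP monitoring rather than replacing it.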
Rate Limiting
| Endpoint | Requests | Window | Key |
|---|---|---|---|
| Auth (`/auth/*`) | 10 | 60 seconds | IP address |
| Dashboard (`/dashboard/*`) | 60 | 60 seconds | User ID |
| Public API (`/api/v1/*`) | 60 | 60 seconds | API Key ID |
Webhook Security
- HMAC-SHA256 payload signature verification
- Webhook sending to private IPs and localhost is prohibited (SSRF prevention)
Notification Flap Guard
When frequent status changes (flapping) occur in a short period, notifications are automatically suppressed.
- Threshold: Notifications suppressed after 3 or more status changes within 10 minutes
- Incident determination: Incident created only after 5 consecutive downs
Monitoring Target Security
- HTTP monitoring does not follow redirects (SSRF prevention)
- Monitoring requests include an identifiable User-Agent (`Manako/1.0`)
- Monitoring is limited to services the customer has authorization for, as required by the Terms of Service
Security Practices
- Regular code reviews
- Regular dependency updates
- Access control based on the principle of least privilege
Incident Response
In the event of a security incident:
- Rapid identification and containment of the impact scope
- Affected customers are notified within 72 hours
- Incident details and countermeasures are publicly disclosed
Vulnerability Reporting
If you discover a security issue, please contact us at the address below. We express our gratitude to those who practice responsible disclosure.
- Email: [email protected]