Security at Code-X
We take the handling of your source code seriously. Here is what protects it.
- Submitted code is never executed - not in a shell, interpreter, browser, container, or sandbox.
- Passwords are hashed with Argon2id; sessions are server-validated, httpOnly, secure, SameSite cookies.
- Submitted source code is encrypted at the application layer (AES-256-GCM) before it touches the database.
- Automated secret scanning blocks submission if likely API keys, passwords, or credentials are detected.
- The AI system prompt explicitly instructs the model to treat submitted code as untrusted data, never as instructions - protecting against prompt-injection attempts hidden in comments or strings.
- Rate limiting on authentication, submissions, and email sending. Account lockout with progressive delay on repeated failed logins.
- Server-side ownership checks on every review and report - users cannot access another user's or organisation's data.
- Platform administrators cannot casually view submitted private code - access is restricted and audited separately from routine admin metrics.
- Structured audit logging of authentication, submissions, admin actions, and security-relevant events. Secrets, passwords, and full submitted code are never written to ordinary logs.
- Secure report share links are revocable and expire automatically.
No platform can guarantee code is bug-free or fully secure. AI-generated recommendations should always be reviewed by a qualified developer before production use.