Last updated: February 16, 2026
Our Commitment to Security
Security is a core principle of Cheesebox. We implement industry-standard security practices and maintain transparency through our open-source codebase. This page outlines our security measures and responsible disclosure process.
Data Encryption
We protect your data using multiple layers of encryption:
- At Rest: AWS credentials are encrypted using AES-256-GCM encryption before being stored in our database
- In Transit: All connections use TLS 1.2+ encryption for data transmitted between your browser and our servers
- Database: All database connections are encrypted in transit
- Your Content: Videos remain in your AWS S3 bucket with your chosen encryption settings (server-side encryption recommended)
Authentication and Access Control
We implement robust authentication mechanisms:
- NextAuth.js: Industry-standard authentication with secure session management
- Password Security: Passwords are hashed using bcrypt with appropriate salt rounds
- OAuth: Google Sign-In support for passwordless authentication
- Session Management: Secure HTTP-only cookies with appropriate expiration
- CSRF Protection: All state-changing requests require valid CSRF tokens
Video Access Control
Cheesebox provides granular permission controls:
- Email Permissions: Videos can be shared with specific email addresses
- Teams: Organization-level access control for group collaboration
- Share Groups: Create custom permission groups for flexible sharing
- Presigned URLs: Temporary, expiring links for secure video access
- HLS Streaming: Video segments use secure, time-limited AWS presigned URLs
AWS Security Best Practices
We follow AWS security recommendations:
- IAM Least Privilege: AWS credentials are scoped with minimal necessary permissions
- S3 Bucket Policies: Buckets are private by default with explicit access controls
- CloudFormation: Infrastructure as Code for consistent, auditable deployments
- MediaConvert: Video transcoding in secure AWS environments
- VPC Isolation: Recommended for production deployments
See our AWS Setup Guide for detailed security configurations.
Application Security
We protect against common vulnerabilities:
- SQL Injection: Parameterized queries via Prisma ORM
- XSS Prevention: React's automatic escaping and Content Security Policy headers
- CSRF Protection: Token-based validation for all mutations
- Rate Limiting: Protection against brute-force and DoS attacks via Upstash Redis
- Input Validation: Zod schemas validate all user inputs
- Secure Headers: HSTS, X-Frame-Options, X-Content-Type-Options
Open Source Transparency
Security through transparency is part of our philosophy:
- Public Source Code: All code is available on GitHub
- Community Review: Security researchers can audit our implementation
- Dependency Management: Regular updates and vulnerability scanning
- Security Documentation: Detailed guides for secure deployment
Responsible Disclosure
We take security vulnerabilities seriously. If you discover a security issue:
- DO NOT disclose the vulnerability publicly until we've had a chance to address it
- Report the issue via GitHub Security Advisories (preferred)
- Or email: security@cheesebox.app (if configured)
- Provide detailed steps to reproduce the vulnerability
- Allow reasonable time for us to investigate and patch
We will acknowledge receipt within 48 hours and provide updates on the remediation timeline.
Security Acknowledgments
We appreciate security researchers who responsibly disclose vulnerabilities. Confirmed issues will be acknowledged in our Security Advisories page (with your permission).
Security Updates
Stay informed about security updates:
- Watch the GitHub repository for security releases
- Subscribe to security advisories via GitHub
- Follow @cheeseboxapp on Twitter for announcements
- Security patches are released as soon as possible
Third-Party Security
We rely on trusted third-party services with strong security practices:
- AWS: SOC 2, ISO 27001, HIPAA compliant infrastructure
- Vercel (hosting): Enterprise-grade security and DDoS protection
- Resend (email): SOC 2 Type II certified
- Upstash (Redis): Encrypted, serverless infrastructure
Compliance and Certifications
While Cheesebox itself is not certified, we build on certified infrastructure:
- AWS infrastructure meets major compliance standards (GDPR, SOC 2, ISO 27001)
- Self-hosting gives you full control for compliance requirements
- Data residency is controlled by your AWS region selection
Security Best Practices for Users
Help keep your account secure:
- Use strong, unique passwords or Google Sign-In
- Enable S3 bucket encryption in your AWS account
- Regularly rotate AWS IAM credentials
- Monitor AWS CloudTrail logs for unusual activity
- Keep your deployment up to date with security patches
- Review video permissions regularly
- Use private S3 buckets with explicit access controls