Loading…
サイト診断はあなたのウェブサイトの『公開情報』のみを対象とします。それでも、私たちは多層的なセキュリティで顧客データを保護します。
最終更新:2026年5月
Every URL is validated synchronously before reaching the Celery queue: scheme whitelist (http/https only), full block on private IP ranges (RFC1918, loopback, link-local, and the AWS EC2 metadata endpoint 169.254.169.254), and DNS re-resolution at Playwright load time to defeat TOCTOU attacks.
User-owned data is isolated at the database layer using PostgreSQL Row-Level Security (RLS), with an ownership check repeated at the API layer. If application code regresses, RLS remains the backstop — never our only line of defence.
Passwords are hashed with bcrypt (cost factor ≥12). Access JWTs are short-lived (15 min); refresh tokens are 30-day, single-use, and rotated on every refresh — theft detection invalidates the entire token family. Platform admins require TOTP MFA; enterprise users get SAML 2.0 SSO.
TLS 1.2+ in transit. At rest: AWS RDS transparent encryption (TDE) and S3 server-side encryption (AES-256). API secrets live in AWS Secrets Manager — never in the codebase.
Playwright scans run in isolated ECS Fargate micro-VMs — one per scan — torn down on completion. Resource limits (CPU, memory, network) are enforced to contain malicious sites and prevent lateral movement.
Every request emits structured JSON logs (scan_id, hashed user_id, pillar, duration, cache_hit, error_code). Platform-admin actions land in an immutable audit table. Errors flow to Sentry; traces to AWS X-Ray.
Japan's Act on Protection of Personal Information (post-2022 amendment).
EU General Data Protection Regulation — for EU-based visitors.
Our own UI meets WCAG 2.2 AA. axe-core runs as a CI gate.
Threat model baselined against OWASP Top 10 (2021).