Security

At WebSandbox, the security of your code, environments, and personal data is our highest priority. We have architected our platform with a defense-in-depth approach, ensuring that whether you are running lightweight WebContainers or dedicated backend servers, your environment remains isolated and secure.

Our platform utilizes two primary models for code execution, both designed with strict security boundaries:

• Browser-Native WebContainers: Code executed via our WebContainer environments runs entirely within your browser tab. It leverages modern web security standards (like Cross-Origin Isolation) to ensure that the Node.js processes have zero access to your local machine or our backend infrastructure.
• Dedicated Cloud Instances: For heavier workloads, we spin up isolated Docker containers orchestrated on our self-hosted Virtual Private Servers (VPS) managed by Coolify. Each workspace is sandboxed, preventing cross-tenant access or network leakage.

We handle your data with the utmost care, ensuring encryption and strict access controls:

• Encryption in Transit: All data transmitted between your browser and our servers is encrypted using industry-standard TLS.
• Self-Hosted Infrastructure: Our core databases (PostgreSQL) and caches (Redis) are hosted on our dedicated VPS managed via Coolify. This allows us to maintain complete control over the data lifecycle without relying on shared, managed database platforms.
• Authentication: We use secure, industry-standard authentication patterns, ensuring that your sessions and API tokens are heavily guarded against interception.

We deeply value the work of the security research community. If you discover a vulnerability in WebSandbox, we ask that you practice responsible disclosure by reporting it to us privately before making any public announcements.

We will respond promptly to investigate and patch the issue, and we will gladly acknowledge researchers who help us protect our users.