Security & Sandbox Limitations

BetaWindow captures sensitive data (network logs, console output) on behalf of job creators. This page explains how we handle that data, what protections are in place, and what the sandbox cannot do.

Tester sandbox

Each testing session runs in an isolated Chrome browser context (separate profile, no shared cookies or storage). The browser is instrumented via a content script that intercepts:

  • All XHR / fetch network requests (URL, method, status, response size, timing)
  • Browser console messages (log, warn, error, debug)
  • Unhandled JavaScript errors (uncaught exceptions + promise rejections)
  • Page navigation events (route changes, full-page loads)

Response bodies are not captured by default. Only headers, status codes, and latency are logged. If you want response body capture for debugging, you can opt in per-job — response bodies are stored encrypted and auto-deleted after 7 days.
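The interception described above, as an added example that is not BetaWindow's own content script: a wrapper around fetch() that records only URL, method, status, size and timing, and deliberately never reads the response body. The log record shape, the in-memory sink and the injectable clock are assumptions made for the example; XHR would be wrapped the same way by patching XMLHttpRequest.prototype.open/send, which is not shown.

```javascript
// Added example, not BetaWindow's content script: instrument fetch() so that only
// request metadata is recorded, never the response body.

// Constructed in-memory sink; the platform would ship these records elsewhere.
const networkLog = [];

// Append one record. Size comes from Content-Length, so the body stream is never read.
function recordRequest(url, method, status, contentLength, ms) {
  const parsed = contentLength === null || contentLength === undefined ? NaN : Number(contentLength);
  const entry = { url, method, status, bytes: Number.isFinite(parsed) ? parsed : null, ms };
  networkLog.push(entry);
  return entry;
}

// Wrap a fetch implementation; the caller installs the result as globalThis.fetch.
// `clock` is injectable so timing can be tested deterministically (assumed helper).
function instrumentFetch(originalFetch, clock = () => Date.now()) {
  return async function instrumentedFetch(input, init) {
    // input may be a string, a URL object or a Request object
    const url = typeof input === 'string' ? input : String(input.url ?? input);
    const method = String((init && init.method) || input.method || 'GET').toUpperCase();
    const started = clock();
    try {
      const response = await originalFetch(input, init);
      recordRequest(url, method, response.status,
        response.headers.get('content-length'), clock() - started);
      return response; // returned untouched: the body stream still belongs to the page
    } catch (err) {
      recordRequest(url, method, 0, null, clock() - started); // status 0 = network failure
      throw err;
    }
  };
}
```

Because the wrapper reads the size from the Content-Length header instead of consuming the stream, a page that later calls response.json() still works, and nothing sensitive from the body ever reaches the log.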

URL allowlist policy

The BetaWindow proxy only forwards requests to publicly reachable HTTPS URLs. The following are blocked:

  • file:// URLs — filesystem access is prohibited
  • Private IP ranges: 10.x.x.x, 172.16–31.x.x, 192.168.x.x
  • Loopback: 127.0.0.1, localhost, ::1
  • Link-local: 169.254.x.x
  • Cloud metadata endpoints: 169.254.169.254 (AWS/GCP/Azure IMDS)
  • http:// plain-text URLs (HTTPS required)

These restrictions prevent SSRF attacks where a malicious job URL could cause the proxy to access internal infrastructure.
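One way to implement the allowlist above, as an added example rather than BetaWindow's proxy code: a check that rejects every category in the list (file://, plain http://, the private ranges, loopback, link-local including the metadata address). It inspects only the literal host in the URL; because a hostname can resolve to any address, a deployment must also apply the same IP rules to the address actually resolved at connect time, which this function does not attempt. The function name and return shape are assumptions.

```javascript
// Added example, not BetaWindow's proxy: a URL-level check mirroring the blocked
// categories above. Resolution-time checks of the real peer address are out of scope.

function parseIpv4(host) {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(host);
  if (!m) return null;
  const octets = m.slice(1).map(Number);
  return octets.every((o) => o <= 255) ? octets : null;
}

// IPv4 ranges the policy forbids. Returns a reason string or null.
function blockedIpv4Reason([a, b]) {
  if (a === 10) return 'private range 10.0.0.0/8';
  if (a === 172 && b >= 16 && b <= 31) return 'private range 172.16.0.0/12';
  if (a === 192 && b === 168) return 'private range 192.168.0.0/16';
  if (a === 127) return 'loopback 127.0.0.0/8';
  if (a === 169 && b === 254) return 'link-local 169.254.0.0/16 (includes cloud metadata 169.254.169.254)';
  return null;
}

// The WHATWG URL parser canonicalises IPv6 literals with lowercase hex, so an
// IPv4-mapped address such as ::ffff:10.0.0.1 arrives here as "::ffff:a00:1".
function ipv6ToIpv4(host) {
  const m = /^::ffff:([0-9a-f]{1,4}):([0-9a-f]{1,4})$/.exec(host);
  if (!m) return null;
  const hi = parseInt(m[1], 16);
  const lo = parseInt(m[2], 16);
  return [hi >> 8, hi & 0xff, lo >> 8, lo & 0xff];
}

// Returns { allowed, reason }. Assumed API shape for this example.
function checkTargetUrl(raw) {
  const deny = (reason) => ({ allowed: false, reason });
  let url;
  try { url = new URL(raw); } catch { return deny('unparseable URL'); }
  if (url.protocol === 'file:') return deny('file:// URLs are prohibited');
  if (url.protocol === 'http:') return deny('plain-text http:// is not allowed, HTTPS required');
  if (url.protocol !== 'https:') return deny(`scheme ${url.protocol} not allowed`);

  let host = url.hostname.toLowerCase();
  if (host.startsWith('[') && host.endsWith(']')) host = host.slice(1, -1); // IPv6 literal
  if (host === 'localhost') return deny('loopback hostname');
  if (host === '::1') return deny('IPv6 loopback');

  const v4 = parseIpv4(host) || ipv6ToIpv4(host);
  if (v4) {
    const reason = blockedIpv4Reason(v4);
    if (reason) return deny(reason);
  }
  return { allowed: true, reason: 'public https target' };
}
```

Parsing with the WHATWG URL class before comparing is deliberate: it normalises shorthand forms (for example bracketed or zero-compressed IPv6 literals) so the comparisons run against one canonical spelling instead of a list of string variants.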

Data retention

  • Network logs: retained for 30 days after session completion, then deleted
  • Console logs: retained for 30 days
  • Screenshots: retained for 90 days
  • Response bodies (opt-in): retained for 7 days, AES-256 encrypted at rest
  • Feedback reports: retained indefinitely (part of your job record)

You can manually delete any session data from your job dashboard at any time.

Authentication & access control

  • All API routes require a valid Supabase JWT (Bearer token)
  • Job creators can only view their own jobs and sessions
  • Testers can only view jobs they have claimed
  • Admin routes are restricted to service-role credentials
  • Test/debug routes (/api/test/*) require a secret header (x-e2e-secret) and are disabled in production by default

Transport security

  • All traffic is HTTPS-only (HSTS with 2-year max-age)
  • CSP header restricts script/connect sources to known domains (Stripe, PostHog, Supabase)
  • X-Frame-Options: SAMEORIGIN prevents clickjacking
  • X-Content-Type-Options: nosniff prevents MIME-type sniffing
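A check a practitioner can run against a deployment to confirm the four transport controls above, added here as an example and not part of BetaWindow's code. It parses the HSTS max-age (expecting at least two years), verifies the two X- headers, and walks the CSP script-src and connect-src lists to flag anything outside the named vendors. KNOWN_HOSTS is an assumption: the page names Stripe, PostHog and Supabase, not the exact hostnames in the real policy.

```javascript
// Added example, not BetaWindow's code: validate a response's headers against the
// transport policy above. `headers` is a plain object keyed by lowercase header name.
const TWO_YEARS_SECONDS = 2 * 365 * 24 * 60 * 60; // 63072000
const KNOWN_HOSTS = ['stripe.com', 'posthog.com', 'supabase.co']; // assumed vendor hostnames

// Split "script-src 'self' https://a.example; connect-src ..." into { directive: [sources] }.
function parseCsp(value) {
  const directives = {};
  for (const part of value.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length) directives[tokens[0].toLowerCase()] = tokens.slice(1);
  }
  return directives;
}

// Reduce a host-source expression ("https://*.posthog.com:443/x") to its host suffix.
function sourceHost(src) {
  const bare = src.replace(/^[a-z][a-z0-9+.-]*:\/\//i, '').split('/')[0].split(':')[0];
  return bare.startsWith('*.') ? bare.slice(2) : bare;
}

function isKnownHost(host) {
  return KNOWN_HOSTS.some((k) => host === k || host.endsWith('.' + k));
}

// Returns a list of policy violations; an empty list means the headers comply.
function checkSecurityHeaders(headers) {
  const problems = [];

  const hsts = headers['strict-transport-security'] || '';
  const maxAge = /max-age=(\d+)/i.exec(hsts);
  if (!maxAge) problems.push('HSTS missing or without max-age');
  else if (Number(maxAge[1]) < TWO_YEARS_SECONDS) problems.push(`HSTS max-age ${maxAge[1]} is below two years`);

  if ((headers['x-frame-options'] || '').toUpperCase() !== 'SAMEORIGIN') problems.push('X-Frame-Options is not SAMEORIGIN');
  if ((headers['x-content-type-options'] || '').toLowerCase() !== 'nosniff') problems.push('X-Content-Type-Options is not nosniff');

  const csp = headers['content-security-policy'];
  if (!csp) { problems.push('CSP header missing'); return problems; }
  const directives = parseCsp(csp);
  for (const name of ['script-src', 'connect-src']) {
    const sources = directives[name] || directives['default-src']; // CSP falls back to default-src
    if (!sources) { problems.push(`CSP has neither ${name} nor default-src`); continue; }
    for (const src of sources) {
      if (src === "'unsafe-inline'" || src === "'unsafe-eval'") { problems.push(`${name} allows ${src}`); continue; }
      if (src.startsWith("'")) continue; // 'self', 'none', nonces and hashes are fine
      if (src === '*' || src.endsWith(':')) { problems.push(`${name} allows overly broad source ${src}`); continue; }
      if (!isKnownHost(sourceHost(src))) problems.push(`${name} allows unknown source ${src}`);
    }
  }
  return problems;
}
```

Feeding it the headers of a staging deployment after each release is a cheap regression test: a CSP that quietly grows a wildcard or an unfamiliar CDN shows up as a named violation rather than a silent widening of what scripts may load or where the page may connect.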

Tester vetting

Testers complete a qualification test before joining the marketplace. Each tester has a quality score that is updated after every submission. Testers whose score falls below the threshold are automatically suspended. Job creators can block specific testers from claiming their jobs.

What the sandbox cannot do

  • The tester cannot make purchases or enter payment details on your behalf — credit card fields are masked in screenshots
  • The sandbox does not execute code outside the browser context
  • Testers cannot export your session data — it is only viewable within the platform
  • AI analysis of session content is opt-in and governed by separate data processing terms

Responsible disclosure

To report a security vulnerability, email security@betawindow.com. We aim to acknowledge within 24 hours and resolve critical issues within 72 hours.