
Security Settings

BugPin's security settings control how the application handles incoming requests, user sessions, and domain access. All settings are configured in the Admin Console under Settings → Security, with no server restarts required. This page covers HTTPS enforcement, rate limiting, session duration, invitation expiration, and domain whitelisting.

HTTPS Enforcement

When enabled, HTTPS enforcement provides two protections:

  1. HTTP to HTTPS Redirect: Requests arriving via HTTP are automatically redirected to HTTPS
  2. HSTS Header: The Strict-Transport-Security header is added to responses, instructing browsers to always use HTTPS

Requirements

HTTPS enforcement requires a properly configured TLS-terminating reverse proxy that:

  • Terminates TLS/SSL connections
  • Sets the x-forwarded-proto header to indicate the original protocol

The application only learns the original protocol from that header, so without a properly configured proxy, enabling this setting will not provide HTTPS protection.

Configuration

  1. Navigate to Settings > Security
  2. Toggle Enforce HTTPS to enabled
  3. Click Save Changes

Warning: Before enabling HTTPS enforcement, ensure your reverse proxy is correctly configured. See the Hardening Guide for detailed proxy configuration instructions.
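The following is an added illustration of the two protections described above, written for this page; it is not BugPin's own code. It models the enforcement layer as a framework-free function over a small Request/Response pair: a request whose x-forwarded-proto says http is redirected, an https request gets the Strict-Transport-Security header, and a request with no (trusted) proxy header is served unchanged, which is the "without a properly configured proxy" case. The HSTS value, the trusted-proxy list and the Request/Response types are assumptions for the example.

```python
from dataclasses import dataclass, field
from typing import Callable, Optional

# Assumed HSTS value; the page does not state what BugPin actually sends.
HSTS_VALUE = "max-age=31536000; includeSubDomains"


@dataclass
class Request:
    host: str
    path: str
    headers: dict = field(default_factory=dict)  # header names lowercased
    peer_ip: str = "127.0.0.1"                   # TCP peer: the proxy when one is in front


@dataclass
class Response:
    status: int
    headers: dict = field(default_factory=dict)
    body: str = ""


def enforce_https(request: Request, handler: Callable[[Request], Response],
                  enabled: bool = True,
                  trusted_proxies=("127.0.0.1",)) -> Response:
    """Model of the Enforce HTTPS setting: redirect HTTP, add HSTS on HTTPS."""
    if not enabled:
        return handler(request)

    # The application never sees the client's TLS connection; the only evidence of
    # the original scheme is x-forwarded-proto, and that is only trustworthy when
    # the TCP peer is the TLS-terminating proxy (a direct client could send it too).
    proto: Optional[str] = None
    if request.peer_ip in trusted_proxies:
        proto = request.headers.get("x-forwarded-proto")

    if proto == "http":
        # Protection 1: send the browser to the same URL over HTTPS.
        return Response(301, {"Location": f"https://{request.host}{request.path}"})

    response = handler(request)
    if proto == "https":
        # Protection 2: HSTS. Only meaningful on an HTTPS response; browsers
        # ignore the header when it arrives over plain HTTP.
        response.headers["Strict-Transport-Security"] = HSTS_VALUE
    # proto is None when no trusted proxy set the header: the request is served
    # unchanged, which is the "without a properly configured proxy" case above.
    return response


def _app(request: Request) -> Response:
    # Stand-in for the real application.
    return Response(200, body="ok")


def handle(request: Request, **settings) -> Response:
    """Run a request through the enforcement layer in front of the app."""
    return enforce_https(request, _app, **settings)
```

The peer-address check matters in practice: if the application honoured x-forwarded-proto from any peer, a client talking to it directly could suppress the redirect simply by sending the header itself, so the header is only read when the connection comes from the proxy.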

Rate Limiting

Rate limiting helps prevent abuse by limiting the number of requests from a single IP address.

Configuration

  • Requests per Minute per IP: The maximum number of API requests allowed per minute from a single IP address (range: 1-1000, default: 10)

This limit applies globally to all projects and affects the widget submission endpoint.

How It Works

  • Rate limits are tracked per IP address (using the x-forwarded-for header when running behind a proxy)
  • When a limit is exceeded, the API returns a 429 Too Many Requests response
  • The Retry-After header indicates when the client can retry
  • Rate limit headers are included in all responses:
    • X-RateLimit-Limit: Maximum requests allowed
    • X-RateLimit-Remaining: Requests remaining in the current window
    • X-RateLimit-Reset: Seconds until the rate limit resets
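As an added example (not BugPin's implementation), here is a per-IP fixed-window limiter that produces the responses listed above: a 429 with Retry-After once the limit is exceeded, and the three X-RateLimit-* headers on every decision. The window length, the in-memory counter store, the injectable clock and the `behind_proxy` flag are assumptions for the example; the 1-1000 range and the default of 10 come from the page.

```python
import time
from dataclasses import dataclass, field


@dataclass
class Decision:
    allowed: bool
    headers: dict = field(default_factory=dict)
    status: int = 200  # 429 when the limit is exceeded


class FixedWindowLimiter:
    """Per-IP limiter: at most `limit` requests per 60-second window."""

    def __init__(self, limit: int = 10, window: int = 60, clock=time.time):
        if not 1 <= limit <= 1000:
            raise ValueError("Requests per Minute per IP must be between 1 and 1000")
        self.limit = limit
        self.window = window
        self.clock = clock            # injectable so the behaviour can be tested offline
        self._counts: dict = {}       # (ip, window_start) -> requests seen

    @staticmethod
    def client_ip(peer_ip: str, headers: dict, behind_proxy: bool) -> str:
        """Choose the address to count against."""
        xff = headers.get("x-forwarded-for", "")
        if not behind_proxy or not xff:
            return peer_ip
        # Each proxy appends the address it saw, so the right-most entry was
        # written by the proxy directly in front of the app; anything further
        # left was supplied by the client and must not be used as the key.
        return xff.split(",")[-1].strip()

    def check(self, ip: str) -> Decision:
        now = int(self.clock())
        window_start = now - (now % self.window)
        reset_in = window_start + self.window - now
        # Drop counters from earlier windows so memory stays bounded.
        self._counts = {k: v for k, v in self._counts.items() if k[1] == window_start}
        key = (ip, window_start)
        seen = self._counts.get(key, 0)
        common = {"X-RateLimit-Limit": str(self.limit),
                  "X-RateLimit-Reset": str(reset_in)}
        if seen >= self.limit:
            return Decision(False, {**common, "X-RateLimit-Remaining": "0",
                                    "Retry-After": str(reset_in)}, status=429)
        self._counts[key] = seen + 1
        return Decision(True, {**common,
                               "X-RateLimit-Remaining": str(self.limit - seen - 1)})
```

Keying on the right-most x-forwarded-for entry rather than the first is the design choice worth noting: the first entry is whatever the client chose to send, so a limiter keyed on it can be sidestepped by varying that value, whereas the last entry was written by the proxy you control.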

Session Duration

Controls how long user sessions remain valid before requiring re-authentication.

Configuration

  • Session Duration (Days): Number of days before a session expires (range: 1-365, default: 7)

Shorter durations are more secure but require more frequent logins. Consider your security requirements and user convenience when setting this value.

Invitation Expiration

Controls how long invitation links remain valid for new users.

Configuration

  • Invitation Expiration (Days): Number of days before an invitation link expires (range: 1-30, default: 7)

Shorter durations are more secure. Expired invitations can be resent by an administrator.

Domain Whitelisting

Each project can be configured to only accept bug reports from specific domains.

Configuration

  1. Navigate to Projects
  2. Select the project and click Settings
  3. Under Security, add allowed domains

When configured, only requests from the specified domains (and their subdomains) will be accepted.

Tip: Leave the domain whitelist empty to accept reports from any domain. This is useful during development but should be restricted in production.
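An added example of the matching rule described above (specified domains and their subdomains accepted, empty list accepts everything); it is illustrative code written for this page, not BugPin's implementation. It assumes the check runs against the request's Origin header, which is not stated on the page. The cases it gets right are the ones that commonly go wrong in such checks: a look-alike host such as notexample.com, a host that merely starts with the allowed domain (example.com.evil.test), the literal "null" origin sent by sandboxed frames, ports, and letter case.

```python
from urllib.parse import urlsplit


def _hostname(value: str) -> str:
    """Extract a lowercase hostname from an Origin value, a URL, or a bare host."""
    value = value.strip()
    if "://" not in value:
        value = "//" + value  # lets urlsplit treat "host:port" as the netloc
    host = urlsplit(value).hostname or ""
    return host.lower().rstrip(".")


def domain_allowed(origin: str, allowed_domains) -> bool:
    """True if `origin` is one of the allowed domains or a subdomain of one."""
    allowed = [_hostname(d) for d in allowed_domains if d.strip()]
    if not allowed:
        return True  # empty whitelist: accept reports from any domain (see tip above)
    host = _hostname(origin)
    if not host:
        return False  # missing or unparsable origin: reject
    for domain in allowed:
        # Exact match, or a label boundary followed by the domain. A plain
        # endswith(domain) would also accept "notexample.com"; a startswith or
        # substring check would accept "example.com.evil.test".
        if host == domain or host.endswith("." + domain):
            return True
    return False
```

Configured entries are normalised through the same helper as the origin, so an administrator entering "https://example.com/" or "Example.com" in the whitelist gets the same result as entering "example.com".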
