Security & Compliance
SitemapHost is built entirely on Cloudflare's global edge network with enterprise-grade security at every layer. Here's exactly how we protect your data.
| Control | Implementation |
|---|---|
| Encryption in Transit | TLS 1.2+ enforced on all endpoints. HTTP auto-upgraded to HTTPS. |
| Encryption at Rest | AES-256 on all storage layers (R2, D1, KV). |
| Authentication | OAuth 2.0 + SHA-256 hashed session tokens and API keys. |
| Isolation | V8 isolate sandboxing. Zero shared memory between tenants. |
| Durability | 11 nines (99.999999999%). 30-day point-in-time recovery. |
| Availability | 99.99% SLA. 300+ edge locations. Stale-while-revalidate failover. |
| DDoS Protection | Enterprise-grade Cloudflare DDoS mitigation at all tiers. |
Infrastructure & Platform
SitemapHost runs entirely on Cloudflare's global edge network, spanning 300+ data centers across 100+ countries.
- Serverless execution: Application logic runs on Cloudflare Workers using V8 isolates — the same sandboxed runtime that powers Google Chrome. Each request runs in its own isolate with no shared memory between tenants.
- No traditional servers: No VMs, containers, or physical servers to patch or maintain. The attack surface is reduced to application code and Cloudflare's managed infrastructure.
- DDoS mitigation: Enterprise-grade protection at all tiers. Volumetric, protocol, and application-layer attacks are mitigated at the edge.
- Anycast routing: Traffic is automatically routed to the nearest healthy data center for performance and resilience.
Data Encryption
In Transit
- All traffic served over HTTPS with TLS 1.2+, enforced at the infrastructure level
- HTTP requests are automatically upgraded to HTTPS
- Custom domains receive automatic SSL certificates via Cloudflare's Custom Hostnames API
At Rest
| Storage Layer | Encryption | Details |
|---|---|---|
| Cloudflare R2 | AES-256 | Sitemap XML files. Multi-AZ redundancy. |
| Cloudflare D1 | Encrypted at rest | Database. Automatic storage-layer encryption. |
| Cloudflare KV | Encrypted at rest | Cache layer. Global replication with encryption. |
Secrets Management
All secrets (API tokens, OAuth credentials, cryptographic keys) are stored as Cloudflare Worker secrets — encrypted environment variables never exposed in source code, logs, or API responses.
Authentication & Access Control
Dashboard Authentication
- Google OAuth 2.0 — SitemapHost never handles or stores user passwords
- Session tokens are SHA-256 hashed before database storage. Plaintext tokens are never stored.
- Cookies: `HttpOnly`, `Secure`, `SameSite=Lax`, 30-day expiry with automatic cleanup
API Key Authentication
- Keys use a `sk_live_` prefix + 32 cryptographically random characters
- Keys are SHA-256 hashed before storage — shown to the user exactly once at creation
- Support for expiration dates and instant revocation
- Last-used timestamps tracked for security auditing
Input Validation & Sanitization
- All API inputs validated using Zod (TypeScript-first schema validation)
- Request body size limits enforced at middleware level (1 MB default, 50 MB for sitemap generation)
- XML special characters escaped to prevent injection attacks
- URL validation via the native `URL()` constructor
- Domain names sanitized with regex to prevent path traversal
- R2 storage keys follow a strict format: `{userId}/{domain}/(unknown).xml`
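The validation rules in the list above, as an added example that is not SitemapHost's code: domain sanitization with a regex, URL checking with the native `URL()` constructor, storage-key construction that cannot be steered into another tenant's path, and XML escaping. The domain regex, the user ID format and the `sitemap.xml` filename are assumptions, since the page does not state them.

```javascript
// Added example of the validation rules listed above (not SitemapHost's code).
// Assumed domain rule: lowercase DNS labels joined by dots, nothing else.
const DOMAIN_RE = /^(?!-)[a-z0-9-]{1,63}(?<!-)(\.(?!-)[a-z0-9-]{1,63}(?<!-))+$/;
const USER_ID_RE = /^[A-Za-z0-9_-]{1,64}$/;  // assumed user ID format
const FILENAME_RE = /^[a-z0-9-]{1,64}\.xml$/; // assumed filename format

// Normalise and validate a domain. Slashes, "..", percent-encoding and control
// characters all fail the regex, so the result is safe to embed in a storage key.
function sanitizeDomain(input) {
  const domain = String(input).trim().toLowerCase();
  return domain.length <= 253 && DOMAIN_RE.test(domain) ? domain : null;
}

// Validate a submitted page URL with the native URL() constructor: it must
// parse, use http(s), and sit on the domain the sitemap belongs to.
function validateUrl(raw, domain) {
  let url;
  try { url = new URL(raw); } catch { return null; }
  if (url.protocol !== 'https:' && url.protocol !== 'http:') return null;
  if (url.hostname !== domain && !url.hostname.endsWith('.' + domain)) return null;
  return url.href;
}

// Build the R2 object key. Each segment is validated separately so user input
// can never add path separators or ".." components. The filename segment is an
// assumption (the page does not state it); 'sitemap.xml' is the default.
function buildStorageKey(userId, domain, filename = 'sitemap.xml') {
  const safeDomain = sanitizeDomain(domain);
  if (!safeDomain || !USER_ID_RE.test(String(userId)) || !FILENAME_RE.test(filename)) {
    return null;
  }
  return `${userId}/${safeDomain}/${filename}`;
}

// Escape the five XML special characters in one pass so '&' is never double-escaped.
const XML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&apos;' };
function escapeXml(text) {
  return String(text).replace(/[&<>"']/g, (c) => XML_ESCAPES[c]);
}
```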
Rate Limiting & Abuse Prevention
- API rate limiting: Cloudflare WAF enforces 10 requests per 10 seconds per IP on all API endpoints
- Contact form protection: Multi-layered defense — rate limiting, honeypot fields, timing checks, schema validation
- Sitemap serving: Edge caching absorbs traffic spikes. Cloudflare DDoS mitigation handles volumetric attacks.
- IP hashing: IP addresses are SHA-256 hashed before use in rate limit keys — raw IPs are not persisted
Security Headers
| Header | Value | Purpose |
|---|---|---|
| Content-Security-Policy | Strict default-src 'self' | Prevents XSS and data injection |
| X-Frame-Options | DENY | Prevents clickjacking |
| X-Content-Type-Options | nosniff | Prevents MIME-type sniffing |
| Referrer-Policy | strict-origin-when-cross-origin | Controls referrer info |
| X-Request-ID | Unique UUID per request | Request tracing for auditing |
Monitoring & Audit Logging
Security Event System
Dedicated security event logging with severity classification (Critical, High, Medium, Low). Every event records: event type, severity, source IP, user ID, request ID, user agent, path, metadata, and timestamp.
Audit Trail
All user actions are logged persistently: domain operations, sitemap generation, API key management, and authentication events. Each entry includes user ID, action type, resource details, IP address, and metadata.
Data Isolation & Multi-Tenancy
- Storage isolation: Each user's files stored in isolated R2 paths (`{userId}/{domain}/(unknown).xml`). Cross-tenant access is not possible.
- Database isolation: All queries include user ID filtering. Foreign key constraints with CASCADE delete ensure data consistency.
- Request isolation: V8 isolates provide hardware-level memory isolation between requests. No request can access another's memory space.
Availability & Reliability
- 99.99% uptime SLA backed by Cloudflare's global infrastructure
- Zero cold starts: V8 isolates spin up in under 5 milliseconds
- Stale-while-revalidate: Cached content continues serving during origin issues (24-hour window)
- Graceful degradation: robots.txt returns safe fallback on error. Emergency mode available for incident response.
- Anycast failover: Traffic automatically routed to nearest healthy data center
Compliance & Privacy
Data Privacy
- No tracking cookies — analytics via Plausible (privacy-friendly, no cookies, no individual tracking)
- IP addresses SHA-256 hashed before storage. Raw IPs not persisted.
- Sessions auto-expire after 30 days
GDPR
- Full data deletion on request (CASCADE delete removes all user data)
- Audit trail tracks data access and modifications
- No third-party data sharing beyond essential providers (Google OAuth, Cloudflare)
Infrastructure Certifications
All data stored on Cloudflare's infrastructure, which maintains:
- SOC 2 Type II
- ISO 27001
- PCI DSS Level 1
Specific data residency requirements can be discussed for enterprise agreements.
Have Security Questions?
We're happy to answer security questionnaires, provide additional documentation, or walk through our architecture in detail.