Security Guidelines
SLAAAD handles high-value spatial assets. Protecting your terrain from fraud and ensuring data integrity is our top priority.
API Key Safety
Never expose your Secret Key (sk_...) in frontend code, GitHub repositories, or client-side logs. Secret keys have full administrative access to your projects.
If you suspect a key has been compromised, delete it immediately in the SLAAAD Console, generate a replacement, and redeploy every service that used the old key. A key that was pushed to a repository stays in the Git history after the file is deleted, so rotate it rather than just removing the line.
Image Upload Best Practices
Since SLAAAD is headless, you are responsible for the security of user-uploaded images. We recommend the following measures for your onImageUpload backend:
01. Magic Number Check
Don't trust the file extension or the Content-Type header; both are supplied by the client. Use a library (like file-type) to read the binary signature (magic number) of the upload and reject anything that is not one of the image formats you accept. A valid signature only proves that the first bytes look right, so pair this check with the re-encoding step under Image Processing.
02. Storage Isolation
Store user uploads in a dedicated bucket (e.g., S3) that your application code can write to but cannot list or administer, and name objects with keys you generate rather than the client's filename. Never serve uploads from your application's root directory or from its origin: a file that slips past the checks would then run in the same origin as your site and its session cookies. Serve them from a separate domain or CDN with a fixed Content-Type.
03. Image Processing
Re-encode every upload with a processing tool (like sharp): resize it to your maximum dimensions and write a fresh file. Re-encoding strips metadata (EXIF, including GPS coordinates and device identifiers) and discards anything hidden in the original container, such as script appended after the image data. sharp does this by default; metadata is only preserved if you call withMetadata().
04. Rate Limiting
Implement rate limiting on your upload endpoint (per account and per IP) to prevent automated spam and denial-of-service attacks, and cap the request body size so one client cannot exhaust memory or storage with a single oversized upload.
Fraud & Bot Prevention
Programmatic Cooldowns
SLAAAD prevents rapid-fire acquisitions on the same plot.
Stripe Authorization (HOLD)
Funds are verified and held, reducing risk of "phantom" bids.
Building a secure integration? Contact our security team at security@slaaad.com