Current Security Measures

What's protecting your code right now

Client-Side Execution

All code runs locally in WebContainer, directly in your browser. Your files never touch our servers.

Active

AES-256 Encryption

API keys are encrypted with industry-standard AES-256 before storage. Only you can decrypt them.

Active

Zero Knowledge

We can't see your code or API keys. Everything is encrypted end-to-end and stored locally.

Active

HTTPS Only

All connections are encrypted with TLS. Your data is protected in transit at all times.

Active

Minimal Data Storage

We only store what's necessary: your email and encrypted API key. No code, no projects.

Active

Sandboxed Environment

WebContainer provides complete isolation. Your code can't access anything outside its sandbox.

Active

Security Audit Completed

May 2026

Forge Lab Brain underwent a comprehensive security audit in May 2026 prior to open beta launch. All identified findings were fully remediated. The audit covered the following areas:

  • Authentication & session management
  • Input validation & output encoding
  • Access control & authorization
  • API security & rate limiting
  • Secret & credential management
  • HTTP security headers & transport security
  • File upload & data handling

What's Next

We're continuously improving our security posture. The following items are on our roadmap.

Security Roadmap

  • Third-party penetration test by an independent security firm
  • SOC 2 Type II compliance certification
  • Bug bounty program for responsible disclosure
  • Detailed threat model and architecture security documentation

Report a Vulnerability