Security
How OpenGraph+ protects your data
OpenGraph+ is an external service that generates screenshot images of your web pages for social media previews. It can only access publicly available URLs. Private networks, internal endpoints, and localhost are blocked at the network level. It does not run inside your infrastructure, access your internal networks, or store sensitive credentials.
Minimal data footprint
We store as little as possible:
- No passwords. Authentication is passwordless via magic-link email, Google OAuth, or Apple Sign-in.
- No payment credentials. All billing is handled by Stripe (PCI DSS Level 1).
- No page content. We render a screenshot and discard the HTML. We do not store cookies, DOM state, or scripts from crawled pages.
- What we store: your email, the URLs you submit, screenshot images (PNG), Open Graph meta tags, and HTTP cache headers.
Authentication
- Passwordless login. Magic-link emails expire in 10 minutes and are single-use. Links are bound to the browser session that requested them, preventing forwarding attacks.
- OAuth. Google and Apple Sign-in via OAuth 2.0. We do not receive or store OAuth provider passwords.
- Session management. Encrypted session cookies with 30-day expiry. Sessions are rotated on every login to prevent session fixation.
- Admin access. Restricted to an allowlist of internal accounts with a separate 5-minute session timeout.
API security
- Signature-based authentication. API requests are authenticated using HMAC signatures derived from your secret key. The secret key itself is never transmitted in API requests.
- Key management. API keys can be created and revoked through the dashboard at any time.
Tenant isolation
All data access is scoped to the authenticated user. Database queries are always filtered through the current user’s ownership chain (user > websites > pages > screenshots). There is no shared namespace where one customer’s data could leak to another.
SSRF protection
Since we accept URLs and render them in a headless browser, Server-Side Request Forgery is a primary threat. All submitted URLs are validated against a blocklist of private and reserved network ranges before rendering:
- IPv4: 127.0.0.0/8, 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 169.254.0.0/16, 0.0.0.0/8
- IPv6: ::1/128, fc00::/7, fe80::/10
- Domain validation via the PublicSuffix database (rejects non-public TLDs)
This prevents the service from being used to probe internal networks, cloud metadata endpoints, or localhost services.
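As an added example (not OpenGraph+'s own code), the Ruby below implements the range check described above with the standard library only: it parses the submitted URL, resolves the host, and rejects it if any answer lands in the listed IPv4/IPv6 ranges. The PublicSuffix step is omitted, and the resolver is injectable so the check can be exercised offline with constructed DNS answers.

```ruby
require "ipaddr"
require "resolv"
require "uri"

# The private/reserved ranges listed on this page.
BLOCKED_RANGES = %w[
  127.0.0.0/8 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 169.254.0.0/16 0.0.0.0/8
  ::1/128 fc00::/7 fe80::/10
].map { |cidr| IPAddr.new(cidr) }.freeze

# True if the address falls in any blocked range. IPv4-mapped IPv6 addresses
# (::ffff:a.b.c.d) are unwrapped so they are checked against the IPv4 list too.
def blocked_ip?(addr)
  ip = IPAddr.new(addr.to_s)
  ip = ip.native if ip.ipv6? && ip.ipv4_mapped?
  BLOCKED_RANGES.any? { |range| range.include?(ip) }
end

# Default resolver: every A/AAAA record for the host (each one must be checked).
DEFAULT_RESOLVER = ->(host) { Resolv.getaddresses(host) }

# Validates a URL before it is handed to the renderer. Returns [ok, detail].
# `resolver` is a hypothetical injection point for offline testing.
def validate_render_url(url, resolver: DEFAULT_RESOLVER)
  uri = URI.parse(url)
  return [false, "scheme must be http or https"] unless %w[http https].include?(uri.scheme)
  host = uri.hostname
  return [false, "missing host"] if host.nil? || host.empty?

  addrs =
    begin
      [IPAddr.new(host).to_s]      # literal IP: no lookup needed
    rescue IPAddr::InvalidAddressError
      Array(resolver.call(host))   # hostname: resolve and check every answer
    end
  return [false, "host did not resolve"] if addrs.empty?

  bad = addrs.find { |a| blocked_ip?(a) }
  return [false, "resolves to blocked address #{bad}"] if bad
  [true, addrs]
rescue URI::InvalidURIError
  [false, "malformed URL"]
end
```

Checking every resolved address matters when a host returns both a public and a private record; a single public answer is not enough to approve the URL.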
Encryption
- In transit. All connections to OpenGraph+ are over TLS.
- At rest. Screenshots are stored in S3-compatible object storage with server-side encryption.
- Secrets management. All service credentials (OAuth keys, storage tokens, payment keys) are stored in Rails encrypted credentials (AES-256-GCM), not in environment variables or source code.
Infrastructure
- Hosting. The application runs on managed infrastructure in the United States.
- Storage. Screenshot images are stored in Tigris (S3-compatible) with bucket-level access controls.
- Error monitoring. Rollbar captures application errors with PII filtering. User-identifiable data is scrubbed from error reports.
- Analytics. Plausible (cookieless, privacy-focused, no PII collection).
- Background processing. Screenshot rendering runs in isolated jobs with concurrency controls and automatic retry with backoff.
What we don’t access
OpenGraph+ operates entirely outside your infrastructure:
- We do not have access to your internal networks, databases, or servers
- We do not install agents, scripts, or SDKs in your environment
- We do not receive, store, or process credentials for your systems
- We only interact with publicly accessible URLs that you explicitly submit
- The only integration point is an API key you generate and can revoke at any time
Data retention and deletion
- Screenshot images are cached according to the TTL you configure (default up to 30 days)
- Deleting a website from your account removes all associated pages, screenshots, and analytics
- Deleting your account permanently removes all data, including API keys and visit logs
- There is no soft-delete. Deletion is immediate and irreversible.
Vulnerability reporting
If you discover a security vulnerability in OpenGraph+, please report it to security@opengraphplus.com. We will acknowledge receipt and investigate promptly. We do not operate a bug bounty program.
Incident response
If we discover a security incident that affects your data, we will notify affected customers via the email address on file within 72 hours of confirmation.
Subprocessors
We maintain a list of third-party services that process data on our behalf. See Subprocessors for the current list.
Compliance
We do not currently hold SOC 2 or ISO 27001 certifications. Our security practices reflect the principles behind those frameworks (least privilege, minimal data collection, encryption in transit and at rest, tenant isolation) but we have not undergone a formal audit. As we grow, independent certification is on our roadmap.
If your organization requires a security questionnaire, vendor assessment, or further detail about our practices, contact us at trust@opengraphplus.com.