Security & Best Practices
At CheckEmail.dev, security is our top priority. This guide outlines how we protect your data and best practices for integrating our API securely.
Authentication
All API requests must be authenticated using an API Key via the x-api-key header.
- Keep keys secret: Never expose your API keys in client-side code (browsers, mobile apps). Always route requests through your own backend server.
- Use scoped keys: Create separate keys for different environments (Staging vs. Production) or purposes (Validation vs. Stats).
- Rotate keys: If you suspect a key has been compromised, revoke it immediately in the dashboard and generate a new one.
Rate Limiting
We enforce rate limits only on the Free Plan to ensure fair usage.
- Free Plan: 1 request / 5 seconds
- Pay As You Go: Unlimited
- Pro Plan: Unlimited
- Enterprise Plan: Unlimited
If you exceed the Free Plan limit, the API will respond with 429 Too Many Requests. We recommend implementing exponential backoff strategies in your integration code to handle these responses gracefully.
Data Privacy & Redaction
We understand that email addresses are Personally Identifiable Information (PII).
- Default Behavior: We log the email address and validation result to provide you with analytics and debugging history.
- Privacy Mode: You can enable "Zero Retention" in your account settings. When enabled, we process the validation in-memory and immediately scrub the email address from our database. Your logs will show EMAIL_ADDRESS_NOT_LOGGED.
Secure Headers & Response
- Request ID: Every API response includes an X-Request-ID header and a requestId field in the JSON body. Please log this ID on your side to help us debug any issues you encounter.
- HTTPS: All connections must be made over HTTPS. We enforce HSTS (HTTP Strict Transport Security) to prevent downgrade attacks.
Error Handling
Our API uses standard HTTP status codes to indicate success or failure.
- 200 OK: Request successful.
- 400 Bad Request: Invalid input (e.g., malformed email).
- 401 Unauthorized: Missing or invalid API key.
- 402 Payment Required: Insufficient credits.
- 403 Forbidden: Permission denied or account suspended.
- 429 Too Many Requests: Rate limit exceeded.
- 500 Internal Server Error: Something went wrong on our end.
Security Note: In production, our error messages are generic to prevent information leakage. Detailed errors are logged internally for our engineering team.
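The following is an added example, not an SDK shipped by CheckEmail.dev: a small server-side wrapper that ties together the Authentication, Rate Limiting, Secure Headers and Error Handling sections above. It reads the key from the backend's environment (never from client code), sends it in the x-api-key header, retries 429 and 500 responses with exponential backoff and jitter, returns every other status without retrying, and records the X-Request-ID / requestId of each attempt for support tickets. The endpoint URL, the request body shape and the transport signature are assumptions; the fake transport at the bottom is constructed so the example runs offline.

```python
"""Added example client for the CheckEmail.dev security guidance (not vendor code)."""
import json
import os
import random
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

# Assumed endpoint; consult the vendor's API reference for the real path.
API_URL = "https://api.checkemail.dev/v1/validate"  # hypothetical

# Status codes from the Error Handling section, split by the action a caller takes.
RETRYABLE = {429, 500}  # rate limited / transient server fault: back off and retry
TERMINAL = {
    400: "invalid input (malformed email)",
    401: "missing or invalid API key",
    402: "insufficient credits",
    403: "permission denied or account suspended",
}

# A transport performs one HTTPS request and returns (status, headers, body_text).
# Production code would wrap urllib or requests here; the signature is assumed.
Transport = Callable[[str, Dict[str, str], bytes], Tuple[int, Dict[str, str], str]]


def backoff_delay(attempt: int, base: float = 1.0, cap: float = 30.0) -> float:
    """Full-jitter exponential backoff: uniform in [0, min(cap, base * 2**attempt)]."""
    return random.uniform(0, min(cap, base * (2 ** attempt)))


def describe(status: int) -> str:
    """Human-readable meaning of a documented status code for operator logs."""
    if status == 200:
        return "request successful"
    if status in RETRYABLE:
        return "retryable (rate limit or internal server error)"
    return TERMINAL.get(status, "unexpected status")


@dataclass
class Result:
    status: int
    request_id: Optional[str]
    body: dict = field(default_factory=dict)
    retries: int = 0  # number of attempts that were retried before this result


class CheckEmailClient:
    def __init__(self, transport: Transport, api_key: Optional[str] = None,
                 max_retries: int = 4, sleep: Callable[[float], None] = time.sleep):
        # The key lives in the backend environment; browsers and mobile apps
        # must call this server, never the vendor API directly.
        self.api_key = api_key or os.environ.get("CHECKEMAIL_API_KEY")
        if not self.api_key:
            raise RuntimeError("CHECKEMAIL_API_KEY is not set")
        self.transport = transport
        self.max_retries = max_retries
        self.sleep = sleep
        self.audit: List[Tuple[int, Optional[str]]] = []  # (status, request id) per attempt

    def validate(self, email: str) -> Result:
        headers = {"x-api-key": self.api_key, "Content-Type": "application/json",
                   "Accept": "application/json"}
        payload = json.dumps({"email": email}).encode()  # assumed request shape
        for attempt in range(self.max_retries + 1):
            status, resp_headers, text = self.transport(API_URL, headers, payload)
            lower = {k.lower(): v for k, v in resp_headers.items()}  # header names are case-insensitive
            try:
                body = json.loads(text) if text else {}
            except json.JSONDecodeError:
                body = {}
            if not isinstance(body, dict):
                body = {}
            # Prefer the header; fall back to the requestId field in the JSON body.
            request_id = lower.get("x-request-id") or body.get("requestId")
            self.audit.append((status, request_id))
            if status in RETRYABLE and attempt < self.max_retries:
                self.sleep(backoff_delay(attempt))
                continue
            return Result(status, request_id, body, retries=attempt)
        raise AssertionError("unreachable: loop always returns on the last attempt")


def make_fake_transport(statuses: List[int]) -> Transport:
    """Constructed offline stand-in for the network: replays a scripted status sequence."""
    calls = {"n": 0}

    def transport(url: str, headers: Dict[str, str], payload: bytes):
        i = calls["n"]
        calls["n"] += 1
        status = statuses[min(i, len(statuses) - 1)]
        rid = f"req-constructed-{i}"  # constructed sample request id
        body = json.dumps({"requestId": rid, "valid": status == 200})
        return status, {"X-Request-ID": rid}, body

    return transport


if __name__ == "__main__":
    # Demo: two rate-limit responses, then success; no real network traffic.
    client = CheckEmailClient(make_fake_transport([429, 429, 200]),
                              api_key="demo-key-constructed", sleep=lambda s: None)
    result = client.validate("user@example.com")
    print(result.status, describe(result.status), result.request_id, result.retries)
    print("audit trail:", client.audit)
```

In production, replace make_fake_transport with a real HTTPS transport and remove the api_key argument so the key comes from CHECKEMAIL_API_KEY; keep the audit list (or a structured log line per attempt) so the request ID can be quoted when contacting support.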
Reporting Vulnerabilities
If you discover a security vulnerability, please report it to us responsibly.
Contact: [email protected]
Policy: We appreciate your help in keeping our platform secure. Please do not disclose vulnerabilities publicly until we have had a chance to remediate them.
See our security.txt for more details.