Security & architecture
Last updated: 25 May 2026
The short version: SpeedAudit has a small attack surface because it does very little. No user accounts, no tokens, no uploads. The only personal data we store is an IP address attached to Lighthouse audit history rows. This page describes what we have and what we depend on.
How a request flows
When you use a tool, the path is roughly:
- Your browser sends the query (a URL, domain, or IP) to one of our API endpoints, hosted as a Cloudflare Worker
- The Worker checks an edge cache; if there's a recent hit, it returns immediately and no upstream call is made
- On a cache miss, the Worker forwards the query to the relevant upstream service (Google, WhoisXML, Cert Spotter, a DoH resolver, a DNSBL, etc.)
- The result is cached at the edge for between 30 seconds and 24 hours depending on the tool, then returned to your browser
For the Lighthouse audit tool only, the result is also written to our Cloudflare D1 database with the requesting IP attached, so the History page can show it back to you.
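The flow above as an added sketch (not SpeedAudit's own code): a Map and an array stand in for the edge cache and the D1 table, and the upstream call is a stub. The names, the TTL values, and the choice to write a history row on cache hits as well as misses are assumptions.

```javascript
// Added sketch, not SpeedAudit's code. TTLs are assumed values inside the
// 30-second to 24-hour range the page gives; tool names are hypothetical.
const TTL_SEC = { dns: 30, whois: 86400, lighthouse: 3600 };

// upstream is a stub for the external service call (Google, WhoisXML, ...).
function makeEnv(upstream) {
  return { cache: new Map(), history: [], upstream, upstreamCalls: 0 };
}

function handleQuery(env, tool, query, ip, nowSec) {
  const ttl = TTL_SEC[tool];
  if (ttl === undefined) return { status: 400 };
  // The cache key is built from the tool and the query only, so a cached
  // entry carries nothing about who asked.
  const key = `${tool}:${query}`;
  const hit = env.cache.get(key);
  let result;
  let cached = false;
  if (hit && hit.expiresAt > nowSec) {
    result = hit.result; // recent hit: no upstream call is made
    cached = true;
  } else {
    env.upstreamCalls += 1;
    result = env.upstream(tool, query);
    env.cache.set(key, { result, expiresAt: nowSec + ttl });
  }
  // Only the Lighthouse tool writes a history row, and that row is the only
  // place the requesting IP is stored. Assumption: one row per request.
  if (tool === "lighthouse") {
    env.history.push({ url: query, scores: result, ip, ts: nowSec });
  }
  return { status: 200, cached, result };
}
```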
What we store
Our Cloudflare D1 database holds exactly one kind of record: Lighthouse audit history. Each row contains:
- A row ID, the URL audited, and the device type (mobile/desktop)
- The Lighthouse scores (performance, SEO, accessibility, best practices)
- Lab metrics (LCP, FCP, CLS, TBT, etc.) and CrUX field data from real Chrome users
- The list of opportunities and diagnostics Lighthouse identified
- The IP address that requested the audit
- A timestamp
That's it. No emails, no names, no passwords, no payment data, no third-party identifiers. If you dumped our entire database to CSV, every row would describe a URL and its public Lighthouse scores, plus the IP that requested the run.
Edge cache entries for the other tools (DNS, WHOIS, SSL, etc.) live in Cloudflare KV with a short TTL and contain no identifying information beyond the query itself.
Authentication and sessions
There are none. SpeedAudit doesn't have user accounts. There's no login flow, no session cookie, no JWT, no OAuth, no API tokens. This eliminates an entire category of risk: there's nothing to steal, hijack, replay, or escalate.
The only request-scoped data we read is the originating IP address (from Cloudflare's CF-Connecting-IP header) for rate limiting and audit history attribution.
Rate limiting
We use Cloudflare KV to track per-IP request counts on a one-hour rolling window. Limits vary by tool depending on the cost of the underlying API call:
- Free DoH-backed tools (DNS lookup, SPF, DMARC) get 100–120 calls per hour per IP
- Paid-API tools (WHOIS, IP geolocation) and credit-bound tools (SSL via Cert Spotter) get 30–60 per hour
- The Lighthouse audit tool inherits Google PageSpeed Insights' own quota
If a single IP appears to be running automated scans, we may temporarily block it.
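One way to implement the per-IP, one-hour rolling window described above, as an added example (not SpeedAudit's own code). It uses a sliding-window counter over two hourly buckets; the key layout, the `FakeKV` stand-in and the specific limits are assumptions.

```javascript
// Added sketch, not SpeedAudit's code. A Map stands in for Cloudflare KV; real
// KV reads and writes are asynchronous and eventually consistent, so counts
// taken under concurrency are approximate.
const HOUR_MS = 60 * 60 * 1000;

// Assumed per-tool limits, picked from inside the ranges quoted above.
const LIMITS = { dns: 100, whois: 30 };

class FakeKV {
  constructor() { this.entries = new Map(); }
  get(key, now) {
    const e = this.entries.get(key);
    if (!e || e.expiresAt <= now) { this.entries.delete(key); return 0; }
    return e.count;
  }
  put(key, count, now, ttlMs) {
    this.entries.set(key, { count, expiresAt: now + ttlMs });
  }
}

// ip is the value of the CF-Connecting-IP header; now is epoch milliseconds.
function checkRateLimit(kv, tool, ip, now) {
  const limit = LIMITS[tool];
  if (limit === undefined) return { allowed: false, reason: "unknown tool" };
  if (!ip) return { allowed: false, reason: "no client IP" }; // fail closed
  const hour = Math.floor(now / HOUR_MS);
  const elapsed = (now % HOUR_MS) / HOUR_MS; // fraction of current hour used
  const curKey = `rl:${tool}:${ip}:${hour}`;
  const prev = kv.get(`rl:${tool}:${ip}:${hour - 1}`, now);
  const cur = kv.get(curKey, now);
  // Sliding-window estimate: the part of the previous hour that still lies
  // inside the trailing 60 minutes, plus everything in the current hour.
  const estimate = prev * (1 - elapsed) + cur;
  if (estimate >= limit) return { allowed: false, reason: "rate limited" };
  // Keep the bucket for two hours so it can serve as "previous" next hour.
  kv.put(curKey, cur + 1, now, 2 * HOUR_MS);
  return { allowed: true, remaining: Math.floor(limit - estimate - 1) };
}
```

A fixed hourly counter would let a client spend a full quota just before the hour boundary and another just after it; weighting the previous bucket avoids that burst.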
Third parties we depend on
SpeedAudit forwards queries to a number of external services. Each one sees the query data (a URL, domain, or IP) but not your identity:
- Cloudflare — runs the Worker, the database, and KV storage; serves all assets. Privacy practices
- Google PageSpeed Insights — Lighthouse audits. Privacy practices
- WhoisXML API — WHOIS and IP geolocation. Privacy practices
- SSLMate Cert Spotter — Certificate Transparency lookups. Privacy practices
- Public DoH resolvers — Cloudflare, Google, Quad9, AdGuard, NextDNS, OpenDNS for DNS lookups and propagation comparisons
- Public DNSBLs — SpamCop, SORBS, CBL, Mailspike, PSBL, s5h.net for the blacklist check
- Per-TLD RDAP servers — used as occasional fallback to WhoisXML
- OpenStreetMap — map tiles loaded by your browser when the IP geolocation tool renders. Privacy practices
- Tailwind & Leaflet CDNs — frontend libraries loaded from cdn.tailwindcss.com and unpkg.com
That's the complete list. No analytics vendors, no tracking pixels, no chat widgets, no advertising networks.
Infrastructure
SpeedAudit runs entirely on Cloudflare Workers, which means there is no traditional server for an attacker to log into. There's no SSH endpoint, no admin panel, no database server with an exposed port. Code runs only inside Cloudflare's isolated V8 sandboxes, and the database (D1) is reachable only through that code.
Our deploy pipeline is git push followed by wrangler deploy. Production secrets (the Google PageSpeed Insights API key and the WhoisXML API key) are stored in Cloudflare's secret store and are never present in source code, in git history, or in build logs.
Vulnerability disclosure
If you find a security issue in SpeedAudit, please email security@novator.co rather than posting it publicly. We'll respond within 48 hours, and we won't take legal action against good-faith research. We're a small team without a bug-bounty budget yet, but we will credit researchers (with permission) on this page once we have a confirmed report.
What this page doesn't claim
Honest disclosure: SpeedAudit is a young free product. We have not undergone SOC 2, ISO 27001, HIPAA, or any other formal compliance audit. We don't claim to be enterprise-ready for regulated industries. We're confident that the architecture above creates very little risk — because there's very little to expose — but we are not making formal compliance claims.
If you need a tool with formal compliance certifications for diagnostic work in regulated industries, you should evaluate whether SpeedAudit fits, or contact us at security@novator.co to discuss.
Questions
If anything on this page is unclear, wrong, or you'd like more detail: security@novator.co.