Security

Chinilla · AI-Powered System Design

Version 1.3 · March 20, 2026

Security Posture Summary

Chinilla is an AI-powered system design tool. This page describes the security controls protecting your data, designs, and interactions with the platform.

✓Strict CSP - Content Security Policy with frame-ancestors 'none', restricted sources

✓Per-IP rate limiting - sliding window on all API endpoints

✓27+ injection patterns - prompt injection defense with anti-evasion normalization

✓Sandboxed execution - blocked keywords, expression limits, restricted proxy

✓HSTS enforced - Strict-Transport-Security with 2-year max-age, includeSubDomains, preload

✓TLS everywhere - all traffic encrypted in transit

✓No analytics or telemetry - no tracking pixels, no fingerprinting

✓Metadata-only logging - no PII, no message content in logs

✓Authenticated integrations - all integration endpoints require sign-in

✓0 dependency CVEs - npm audit clean (March 20, 2026). h3 transitive dep overridden to 1.15.9 (path traversal + SSE injection fixes)

✓Cloud-first storage - designs stored securely in your account with row-level security

✓Input validation - length limits, type checks, format validation on all endpoints

1. Overview 8. Third-Party Infrastructure 2. Architecture 9. Audit Logging 3. Data Handling 10. What We Don't Do 4. Authentication 11. Data Retention 5. Input Validation 12. Incident Response 6. Network Security 13. Vulnerability Disclosure 7. LLM Security 14. Third-Party Privacy 8. Third-Party Infrastructure 15. Contact

1. Overview

Chinilla is an AI-powered system design tool that helps users create, describe, simulate, and generate code for software architectures. Users interact with a visual canvas and an AI chat assistant powered by xAI's Grok models.

This page describes the security controls across all layers of the application:

Web application - Astro SSR with React, deployed on Render
API layer - Server-side endpoints with rate limiting, input validation, and audit logging
AI integration - xAI Grok API with prompt injection defense and content filtering
Data layer - Cloud storage via Supabase with row-level security for all signed-in users
Authentication - OAuth 2.0 via Supabase Auth (Google, GitHub providers)
Payments - Stripe for subscription billing (Pro plan)

2. Architecture

The system follows a server-side proxy pattern where all external API calls (xAI, integrations) are made from server-side endpoints. API keys never reach the client.

Client (React) → Astro SSR API Routes → xAI Grok API

↑ ↓

localStorage Supabase (auth + DB)

↓

Stripe (payments)

Server-side keys: All API keys (xAI, Stripe, Supabase service role, Resend) live in environment variables on the server. They are never sent to the browser.
Middleware: An Astro middleware layer applies security headers and cache policies to every response before it reaches the client.
Rate limiting: Every API endpoint checks per-IP rate limits before processing. Exceeded limits return 429 with a Retry-After header.

3. Data Handling

What we process

Canvas data: Components, connections, groups, and metadata for your system designs. Stored in our cloud database when you have an account.
Chat messages: Text you send to the AI assistant. Sent to xAI's API for processing, not stored on our servers beyond the active session.
Account data: OAuth profile (name, email, avatar), subscription status, and daily AI usage counts.

What we never process

Source code from your repositories (unless you explicitly paste it)
Credentials, API keys, or secrets from your systems
Browser history, cookies, or fingerprint data

Cloud storage

Designs are stored in your Supabase-backed cloud account with row-level security. All project data is scoped to the authenticated user. When using AI features, canvas context is sent to xAI for processing.

4. Authentication

Chinilla uses OAuth 2.0 authentication via Supabase Auth. All AI features, integrations, and project management require sign-in.

No passwords stored: Authentication is handled entirely through Google or GitHub OAuth providers. We never see, transmit, or store your password.
Session management: Supabase Auth sets secure, httpOnly authentication cookies to maintain your session. Sessions are validated server-side on every request via middleware.
Row-level security: All database queries are scoped to the authenticated user via Supabase RLS policies. Users cannot access other users' projects, subscriptions, or usage data.
Service role isolation: Server-side operations that bypass RLS (e.g., AI usage tracking, webhook processing) use a separate service role client that is never exposed to the browser.
Integration auth: All integration endpoints (GitHub, Slack, Notion, Jira) verify the user is authenticated before processing any request.
No account required: The landing page and documentation are publicly accessible without sign-in.

5. Input Validation

All user input is validated at the API boundary before reaching any processing logic.

Message length: Chat messages are capped at 16,000 characters.
Field length: Individual fields (component names, descriptions) are capped at 2,000 characters.
History cap: Conversation history is limited to the 50 most recent messages to prevent payload inflation.
Content size: Integration payloads (e.g., GitHub gist content) are capped at 500 KB.
Canvas state size: Project canvas data is limited to 5 MB per save to prevent abuse.
Type checking: All fields are type-validated (string, number, array) before use.
Email format: Integration email fields are validated with format checks and a 254-character limit.

Rate limiting

Per-IP sliding window rate limits are enforced on all endpoints:

AI endpoints: 30 requests per minute
Integration endpoints: 20 requests per minute
Project CRUD endpoints: 20 requests per minute
Stripe checkout/portal: 10 requests per minute
Contact form: 5 requests per minute

Exceeded limits return HTTP 429 with a Retry-After header.

6. Network Security

Security headers are applied to every response via Astro middleware:

Content-Security-Policy: default-src 'self' with restricted script, style, font, and image sources. frame-ancestors 'none' prevents embedding. object-src 'none' blocks plugins.
X-Frame-Options: DENY - prevents clickjacking.
X-Content-Type-Options: nosniff - prevents MIME type sniffing.
Strict-Transport-Security: max-age=63072000; includeSubDomains; preload - enforces HTTPS for 2 years.
Referrer-Policy: strict-origin-when-cross-origin - limits referrer leakage.
Permissions-Policy: Camera, microphone, geolocation, and payment APIs are disabled.
Cache-Control: API routes return no-cache, no-store, must-revalidate to prevent sensitive data caching.

TLS: All traffic is encrypted in transit. Render enforces HTTPS with automatic TLS certificate management. HSTS headers ensure browsers always use HTTPS.

Error handling: API error responses return generic messages. Internal error details from database or service failures are never exposed to clients.

7. LLM Security

AI features use xAI's Grok API. All requests pass through server-side safety checks before reaching the LLM.

Prompt injection defense

All user input is checked against 27+ injection patterns before being sent to the model. Patterns cover:

Instruction override attempts ("ignore previous instructions", "new instructions:")
Role manipulation ("you are now", "act as", "pretend to be", "role play as")
Jailbreak patterns ("DAN mode", "jailbreak", "do anything now", "developer mode", "sudo mode")
System prompt extraction ("reveal your prompt", "show me your instructions", "translate your prompt")
Structural injection ([system], [instructions], BEGIN NEW INSTRUCTIONS)

Anti-evasion normalization

Before pattern matching, input is normalized to defeat common evasion techniques:

Unicode homoglyphs: Cyrillic, Greek, and fullwidth Latin characters are mapped to ASCII equivalents.
Leetspeak: Common substitutions (0=o, 4=a, 3=e, etc.) are decoded.
Invisible characters: Zero-width spaces, joiners, and combining marks are stripped.
Spacing evasion: Spaced-out text ("i g n o r e") is collapsed before checking.

Harmful content blocking

Requests matching harmful content patterns (weapons, surveillance, trafficking, malware) are rejected outright with a 400 response. The LLM never sees these requests.

System prompt hardening

Every LLM request includes a safety suffix that constrains the model to system design topics only. The model is instructed to refuse off-topic requests and never reveal its system prompt.

8. Third-Party Infrastructure

Chinilla relies on the following third-party services:

Render - Hosting and deployment. Automatic TLS, isolated containers, volume-level encryption.
xAI (Grok) - AI chat, description, code generation, and simulation features. Requests processed under xAI's privacy policy.
Supabase - Authentication (OAuth 2.0) and PostgreSQL database with row-level security for projects, subscriptions, and usage tracking.
Stripe - Payment processing for Pro subscriptions. We store only subscription metadata (customer ID, status, billing dates). Credit card details are handled entirely by Stripe under Stripe's privacy policy.
Resend - Transactional email delivery (contact form confirmations).
GitHub and Google - OAuth providers for user sign-in. We receive only basic profile information (name, email, avatar).

We do not use any analytics services, ad networks, or data brokers.

9. Audit Logging

All API activity is logged for security monitoring and abuse detection.

Metadata only: Logs record event type, timestamp, HTTP method, route, and client IP. We never log message content, tokens, API keys, emails, or any PII.
Rate limit events: When a rate limit is exceeded, the event is logged with the limit and count for abuse detection.
Structured format: All audit entries are structured JSON for machine parsing and alerting.

10. What We Don't Do

We do not train AI models on your designs, messages, or canvas data.
We do not use Google Analytics, Facebook Pixel, or any third-party tracking.
We do not fingerprint your browser.
We do not sell data to advertisers, data brokers, or any third party.
We do not log message content, designs, or any PII in our audit logs.
We do not make external API calls without your explicit action (clicking send, saving, exporting).
We do not store your OAuth provider password.

11. Data Retention

Chat messages: Held in memory during the active session only. Not persisted to disk.
Cloud projects: Stored in Supabase as long as your account exists. Deleted when you remove the project or delete your account.
Account data: Retained while your account is active. Deleting your account removes all associated data (projects, subscriptions, usage records).
AI usage records: Daily call counts retained for billing cycle tracking. No request content is stored.
Audit logs: Retained for 90 days for security monitoring, then purged.
Rate limit buckets: In-memory only. Stale entries are cleaned up every 10 minutes.

12. Incident Response

In the event of a security incident:

Containment: Affected endpoints are disabled or rate-limited immediately.
Key rotation: Compromised credentials are rotated within 1 hour.
Notification: Affected users are notified within 24 hours.
Post-mortem: Root cause analysis and preventive measures are documented.

13. Vulnerability Disclosure

If you discover a security vulnerability, please report it responsibly:

Email squeak@chinilla.com with the subject "Security Report"
Include steps to reproduce, impact assessment, and any proof-of-concept
We will acknowledge receipt within 48 hours
Please do not disclose publicly until we have had a chance to investigate and remediate

14. Third-Party Privacy

For transparency, here are direct links to the privacy policies of our third-party service providers:

15. Contact

Questions about security? Email squeak@chinilla.com or use our contact form.