Session-gated workspace APIs
Dashboards, project files, revisions, previews, and export actions require authenticated requests.
Security and data handling for Foundry projects.
Foundry protects account access, generated project files, previews, and exports with practical controls for a source-export website builder.
Protective controls
- Authenticated dashboards and project APIs require a session.
- Project file storage is constrained to prevent path escape.
- Daily AI spend caps limit abuse and surprise generation cost.
- Public security headers include nosniff, referrer policy, permissions policy, and HSTS at the edge.
- Generated previews and exports use scoped response headers and storage boundaries.
CSP, HSTS, and browser guardrails
Public responses use security headers for content type, referrer policy, permissions policy, and strict transport handling.
Constrained project storage
Generated files are served through scoped paths and preview-specific response headers to reduce file escape and embedding risk.
Spend-aware generation
Plan routing, daily caps, and usage summaries keep model use measurable while limiting abuse.
Data handling
Project prompts and generated files are stored so users can revise, preview, and export their work. Do not enter secrets, regulated personal data, or production credentials into prompts or generated public site copy.
Export ownership
Static exports are plain source files you own and can host without Foundry in the request path.
Report issues
Send vulnerability reports and account-security concerns to security@foundry-kit.com.
Beta security posture
Foundry is a beta product that uses OpenRouter as an AI provider for generation. We do not claim SOC 2 certification. Treat prompts, uploads, previews, and exports as non-sensitive website material while account security and export controls continue to be hardened.