Clipform

Security

How Clipform protects your data, forms, and responses.

Clipform is built with multiple layers of security to protect your forms, responses, and account data.

Data isolation

Every workspace is isolated at the database level using Row Level Security (RLS). This means:

  • Your forms, responses, and media are only accessible to members of your workspace
  • Database queries are filtered by workspace membership before results are returned
  • All privileged database functions verify the caller's identity and workspace membership before executing
  • Anonymous respondents can only submit responses to published forms - they cannot read other responses or access unpublished forms

Clipform uses Supabase (PostgreSQL) with enforced RLS on every table. There is no way to bypass workspace isolation through the API or direct database access.

Authentication

Clipform supports three authentication methods:

| Method | Used by | How it works |
| --- | --- | --- |
| Session auth | Dashboard users | Supabase Auth with JWT validation on every request |
| API keys | Integrations, MCP server | SHA-256 hashed keys with cf_ prefix, validated per request |
| OAuth 2.0 + PKCE | Third-party apps, MCP clients | Authorization code flow with proof key, scoped access tokens |

API keys and OAuth tokens are scoped to a single workspace. A compromised key cannot access other workspaces.

API security

The Clipform API enforces the following protections on every request:

  • Security headers - X-Content-Type-Options, Strict-Transport-Security, X-Frame-Options, Referrer-Policy, and X-XSS-Protection are set on all responses
  • Body size limits - Request bodies are capped at 10 MB to prevent abuse
  • CORS - Authenticated endpoints only accept requests from Clipform apps. Public respondent endpoints (sessions, responses, uploads) allow cross-origin requests so forms can be embedded anywhere
  • Rate limiting - Respondent endpoints are limited to 60 requests per minute per IP address
  • File validation - Uploaded files are validated by magic bytes (not just file extension) to prevent content-type spoofing. Only image, video, and audio formats are accepted

Webhook verification

Outbound webhooks include Standard Webhooks headers for signature verification. Always verify signatures in production to confirm payloads are from Clipform. See Signature Verification for implementation details.

Inbound webhook endpoints (used by payment providers and internal services) use timing-safe secret comparison to prevent timing attacks.
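
A receiver-side check for the outbound webhook signatures described above, using the same timing-safe comparison idea. This is an added example, not Clipform's own code. It assumes the public Standard Webhooks defaults (webhook-id, webhook-timestamp and webhook-signature headers, a whsec_-prefixed base64 secret, HMAC-SHA256 over "id.timestamp.body"); the function names, the 5-minute tolerance and the sample delivery are constructed for illustration.

```javascript
const crypto = require('node:crypto');

const TOLERANCE_SECONDS = 5 * 60; // assumed replay window; tune to your needs

// HMAC-SHA256 over "<id>.<timestamp>.<body>", keyed with the base64 part of the secret.
function computeSignature(id, timestamp, rawBody, secret) {
  const key = Buffer.from(secret.replace(/^whsec_/, ''), 'base64');
  return crypto.createHmac('sha256', key)
    .update(`${id}.${timestamp}.`).update(rawBody).digest();
}

// headers: lower-cased header names; rawBody: the exact bytes received, before JSON parsing.
function verifyWebhook(headers, rawBody, secret, nowMs = Date.now()) {
  const id = headers['webhook-id'];
  const timestamp = headers['webhook-timestamp'];
  const sigHeader = headers['webhook-signature'];
  if (!id || !timestamp || !sigHeader) return { ok: false, reason: 'missing-header' };

  // Reject stale or future-dated deliveries so a captured request cannot be replayed later.
  if (!/^\d+$/.test(timestamp)) return { ok: false, reason: 'bad-timestamp' };
  const skew = Math.abs(Math.floor(nowMs / 1000) - Number(timestamp));
  if (skew > TOLERANCE_SECONDS) return { ok: false, reason: 'stale-timestamp' };

  const expected = computeSignature(id, timestamp, rawBody, secret);
  // The header may carry several space-separated "v1,<base64>" entries during key rotation.
  for (const entry of sigHeader.split(' ')) {
    const [version, b64] = entry.split(',');
    if (version !== 'v1' || !b64) continue;
    const candidate = Buffer.from(b64, 'base64');
    // timingSafeEqual throws on length mismatch, so check length first.
    if (candidate.length === expected.length && crypto.timingSafeEqual(candidate, expected)) {
      return { ok: true };
    }
  }
  return { ok: false, reason: 'signature-mismatch' };
}

// Constructed sample delivery (secret, id and body are made up for this example).
const SAMPLE_SECRET = 'whsec_' + Buffer.from('constructed-demo-key-0123456789ab').toString('base64');
const SAMPLE_NOW_MS = 1700000000 * 1000;
const SAMPLE_BODY = '{"event":"example"}';
const SAMPLE_HEADERS = {
  'webhook-id': 'msg_demo_1',
  'webhook-timestamp': '1700000000',
  'webhook-signature': 'v1,' +
    computeSignature('msg_demo_1', '1700000000', SAMPLE_BODY, SAMPLE_SECRET).toString('base64'),
};
```

Pass the raw request body to the check, not a re-serialized JSON object, since any byte difference changes the HMAC.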

Embed security

When you embed a Clipform on your website, the form loads in a sandboxed iframe. The embed SDK:

  • Validates the origin and source of all postMessage events before processing them
  • Only sends messages to the specific viewer URL, never to *
  • Does not use eval(), innerHTML, or dynamic script injection
  • Requests only the permissions needed for recording (camera, microphone)

File uploads

All file uploads go through server-side validation:

  1. Extension whitelist - only known image, video, and audio extensions are accepted
  2. Magic byte detection - the file's actual content type is verified against the declared type
  3. Path sanitization - file names are stripped of traversal characters (e.g. ../) before storage
  4. Signed URLs - upload URLs are short-lived and scoped to a specific storage path

Encryption

  • In transit - all traffic uses TLS (HTTPS)
  • At rest - all data is encrypted at rest by Supabase (AES-256)
  • Integration credentials - third-party credentials (e.g. Zapier, HubSpot tokens) are encrypted with AES-256-GCM at the application layer before storage

Responsible disclosure

If you discover a security vulnerability, please email [email protected]. We will acknowledge your report within 48 hours and work with you to resolve the issue before any public disclosure.
