Security
Last updated: July 15, 2026
Mercur is designed for developers who expose local services to the internet. Security depends on both Mercur controls and your endpoint configuration.
This page describes current security posture and practical responsibilities. It is not a certification, audit report, or guarantee.
Current Controls
- Authenticated dashboard sessions for protected pages and APIs.
- Per-customer agent authentication tokens and per-server tokens.
- Token rotation for agent authentication.
- Customer ownership checks before proxy server access.
- Optional public/private exposure settings and IP/CIDR whitelist rules.
- Runtime state, heartbeat TTLs, and concurrent session limits.
- Seven-day TTL and per-server count limits for HTTP request logs.
- Password hashing for credentials.
Customer Responsibilities
- Expose only services you are authorized to expose.
- Treat Mercur URLs and tokens as sensitive credentials.
- Use private mode and IP whitelist rules when endpoints should not be public.
- Disable or delete endpoints that are no longer needed.
- Avoid sending secrets or unnecessary personal data through logged requests.
- Rotate tokens immediately if they may have been disclosed.
- Secure local services as if they were internet-facing when proxied through Mercur.
Request Logs and Sensitive Data
When HTTP logging is enabled, Mercur may persist request headers and body previews. These logs are useful for webhook testing, but they can contain secrets such as authorization headers, cookies, API keys, signatures, and payload personal data.
Use proxy-only mode when you do not need inspection, and prefer test credentials or sanitized payloads for debugging.
Incident Response
If we discover a security incident affecting your account or customer data, we will investigate, mitigate, and notify affected users where required by law or where notice is appropriate.
Vulnerability Reports
Please report suspected vulnerabilities to [privacy@your-domain.com]. Include affected endpoints, reproduction steps, impact, and any logs that help us verify the issue. Do not access, modify, delete, or exfiltrate data that does not belong to you.
No Formal Certification Yet
Mercur does not currently claim SOC 2, ISO 27001, PCI DSS, HIPAA, or Data Privacy Framework certification. If certifications are obtained later, this page should be updated with accurate details.