Account and service access
Account routes require Clerk authentication. Admin routes require a separate configured admin identity. Rendering-engine and cache operations require a server-side service token.
Prerender Buddy fetches public website pages and serves rendered HTML through controlled request paths. This page describes controls visible in the current implementation and the responsibilities that remain with each customer.
This is a technical security overview, not a certification or independent security audit.
Implementation reviewed: July 13, 2026.
Current controls
Account routes require Clerk authentication. Admin routes require a separate configured admin identity. Rendering-engine and cache operations require a server-side service token.
Prerender Buddy stores an API key prefix and cryptographic hash rather than the complete key. Keys can be revoked from the account, and rendering requests are limited to sites registered in the same workspace.
Rendering accepts HTTP and HTTPS URLs only, rejects embedded credentials, blocks local and private network destinations, validates DNS results, and applies request guards inside the browser context.
Fresh render concurrency, navigation time, upstream response size, rendered HTML size, cache entries, and cache memory are bounded to reduce runaway work and oversized responses.
Rendering boundary
Prerender Buddy is designed for public, cacheable website content rather than authenticated or personalized application routes.
Non-GET requests, static assets, APIs, account pages, login and signup, admin, dashboard, checkout, billing, settings, and profile routes bypass crawler rendering in maintained integrations.
Customers must keep any additional private, authenticated, personalized, preview, or sensitive routes outside the render path and avoid placing secrets in public URLs.
Known limitations
Report a security concern
Do not include passwords, complete API keys, or unrelated personal data in the report.