We ran a full security audit on My Sleepy Tale. Here is what we found, what we fixed, and how we are keeping your children's bedtime stories safe.
We conducted a comprehensive security audit covering every API endpoint, the frontend application, data storage, email systems, and payment processing. We looked at the platform the way an attacker would.
| Severity | Found | Fixed | Status |
|---|---|---|---|
| Critical | 5 | 5 | All Fixed |
| High | 7 | 5 | 5 Fixed, 2 in progress |
| Medium | 9 | 4 | Ongoing |
| Low | 3 | 1 | Backlog |
Our Stripe webhook previously accepted unverified events as a fallback. An attacker could forge subscription upgrades for any account. Fixed: Every webhook event now requires a valid cryptographic signature. No signature = rejected.
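
An added example, not My Sleepy Tale's own code: the webhook handler with a fallback beside the one that requires a signature, using Stripe's documented `Stripe-Signature` scheme (HMAC-SHA256 over `timestamp.body`) written with the Python standard library. The function names, secret and event are constructed for illustration; a production handler would normally call Stripe's official library instead.

```python
import hashlib
import hmac
import json
import time

TOLERANCE_SECONDS = 300  # reject stale timestamps to limit replay
DEMO_SECRET = "whsec_constructed_for_demo"  # constructed, not a real key
DEMO_EVENT = b'{"type": "customer.subscription.updated", "plan": "premium"}'


def _digest(payload, secret, timestamp):
    # Stripe's documented signed payload: "<timestamp>.<raw request body>"
    signed = f"{timestamp}.".encode() + payload
    return hmac.new(secret.encode(), signed, hashlib.sha256).hexdigest()


def sign(payload, secret, timestamp):
    """Build a Stripe-Signature style header value (used here for test data)."""
    return f"t={timestamp},v1={_digest(payload, secret, timestamp)}"


def verify(payload, header, secret, now=None):
    """Return True only for a fresh, correctly signed raw body."""
    fields = [item.strip().partition("=") for item in (header or "").split(",")]
    timestamp = next((v for k, _, v in fields if k == "t"), None)
    candidates = [v for k, _, v in fields if k == "v1"]
    now = int(time.time()) if now is None else now
    try:
        if abs(now - int(timestamp)) > TOLERANCE_SECONDS:
            return False
    except (TypeError, ValueError):
        return False  # timestamp missing or not a number
    expected = _digest(payload, secret, timestamp).encode()
    # Constant-time comparison against every v1 value in the header
    return any(hmac.compare_digest(expected, c.encode()) for c in candidates)


def handle_with_fallback(payload, header, secret, now=None):
    """The 'before' pattern: a failed check still falls through to processing."""
    if not verify(payload, header, secret, now):
        pass  # fallback path: the unverified event is trusted anyway
    return json.loads(payload)


def handle_strict(payload, header, secret, now=None):
    """The 'after' pattern: no valid signature, no processing."""
    if not verify(payload, header, secret, now):
        raise PermissionError("webhook signature missing or invalid")
    return json.loads(payload)
```

The check has to run over the raw request bytes before any JSON parsing, because re-serialized JSON will not reproduce the signed bytes.
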
Was: Critical. Now: Fixed.
Internal admin endpoints had no authentication. Anyone who discovered the URL could write data. Fixed: All admin endpoints now require verified admin credentials before processing any request.
Was: Critical. Now: Fixed.
Production API keys were at risk of being exposed in version control. Fixed: All secret files are now excluded from version control. Keys are stored only in secure environment variables on our cloud infrastructure.
Was: Critical. Now: Fixed.
User-supplied content in emails was not sanitized, creating injection risks. Fixed: A shared sanitization layer now escapes all HTML and validates all email addresses before sending. Prevents XSS, header injection, and BCC attacks.
Was: High. Now: Fixed.
Child names were being sent to third-party analytics. Fixed: All personally identifiable information about children has been removed from analytics tracking. We only track anonymized events.
Was: High. Now: Fixed.
We built a throttling layer to ensure we never spam your inbox. Every email sent is logged and checked against these rules:
Every response from mysleepytale.com now includes these security headers:
| Header | Value | Protects Against |
|---|---|---|
| Strict-Transport-Security | max-age=31536000; includeSubDomains; preload | Protocol downgrade attacks |
| X-Frame-Options | DENY | Clickjacking |
| X-Content-Type-Options | nosniff | MIME sniffing |
| Referrer-Policy | strict-origin-when-cross-origin | Privacy leaks to third parties |
| X-XSS-Protection | 1; mode=block | Cross-site scripting |
We will never store your child's name in third-party analytics. We will never sell your email. We will always let you unsubscribe from marketing emails. We will fix critical vulnerabilities within 24 hours of discovery. We will be transparent about what we find and what we fix.
If you discover a security issue, please email us at hello@mysleepytale.com with the subject "Security Report". We take every report seriously and will respond within 48 hours.
We built My Sleepy Tale for our own children. We protect your data the way we protect theirs.