Built-in Protections

tinykit includes several security measures out of the box:

- File Size Limits: a 5MB maximum file size prevents resource exhaustion
- Path Traversal Protection: prevents ../ attacks from escaping the workspace
- Blocked Extensions: executable file types can't be uploaded
- Input Validation: all inputs are sanitized before processing
- Sandboxed Preview: the preview runs in an isolated iframe
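As an added illustration of the first three protections above (this is example code, not tinykit's own), here is a Go upload validator with assumed names (MaxUploadBytes, ValidateUpload, ResolveInWorkspace and a constructed extension blocklist) that applies the 5MB limit, refuses executable extensions and rejects any path that resolves outside the workspace root:

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// Constructed limits mirroring the protections the page lists (assumed names, not tinykit's API).
const MaxUploadBytes int64 = 5 * 1024 * 1024 // 5MB max file size

// Constructed blocklist; the page only says executable types are refused.
var blockedExtensions = map[string]bool{".exe": true, ".bat": true, ".cmd": true, ".msi": true, ".sh": true, ".ps1": true}

var ErrTraversal = errors.New("path escapes workspace")
var ErrBlockedExt = errors.New("blocked file extension")
var ErrTooLarge = errors.New("file exceeds size limit")

// ResolveInWorkspace joins a user-supplied relative path onto the workspace root and
// rejects anything that resolves outside it, including "../" chains in the middle of the
// path. The check is lexical: if the workspace can contain symlinks, also run
// filepath.EvalSymlinks on the result before opening it.
func ResolveInWorkspace(workspace, userPath string) (string, error) {
	if filepath.IsAbs(userPath) {
		return "", ErrTraversal
	}
	root, err := filepath.Abs(workspace)
	if err != nil {
		return "", err
	}
	target := filepath.Join(root, userPath) // Join also cleans ".." segments lexically
	rel, err := filepath.Rel(root, target)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrTraversal
	}
	return target, nil
}

// ValidateUpload applies the size limit, the extension blocklist and the traversal
// check in that order and returns the safe absolute path for the upload.
func ValidateUpload(workspace, userPath string, size int64) (string, error) {
	if size > MaxUploadBytes {
		return "", ErrTooLarge
	}
	if blockedExtensions[strings.ToLower(filepath.Ext(userPath))] {
		return "", ErrBlockedExt
	}
	return ResolveInWorkspace(workspace, userPath)
}
func main() {
	for _, p := range []string{"pages/index.html", "../../etc/passwd", "a/../../x", "tool.exe"} {
		out, err := ValidateUpload("/srv/tinykit/workspace", p, 1024)
		fmt.Printf("%-18s -> %q %v\n", p, out, err)
	}
}
```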
Production Checklist

Before exposing your tinykit instance to the public:

1. Protect the Builder: the /tinykit path gives full access to your codebase. Add authentication before going public.
2. Use Environment Variables: never hardcode API keys or secrets. Use .env for configuration.
3. Enable HTTPS: Railway and most platforms provide HTTPS automatically. Never run without it.
4. Set Up Monitoring: watch for unusual traffic patterns or error spikes.
Adding Authentication

To protect the /tinykit route, you have several options:

- PocketBase Auth (Built-in)
- Reverse Proxy
- IP Whitelist

PocketBase Auth (Built-in): tinykit uses PocketBase for authentication. Create users in the PocketBase admin (/_pb/_) and they can log in to access the builder. This gives you:

- Email/password authentication
- JWT tokens with automatic refresh
- Per-user accounts
Reporting Vulnerabilities

Found a security issue? Please report it responsibly: open a private security advisory on GitHub (Report a Vulnerability).