Security
Last updated: May 19, 2026
This page describes AdCamel's security posture for its public-facing surfaces and its integration with the TikTok Business API. For coordinated vulnerability disclosure, use the policy below or see /.well-known/security.txt.
Public surface posture (adcamel.io)
- TLS terminated by Caddy with certificates issued by Let's Encrypt on a rolling 60-day renewal window.
- HSTS preload submitted at hstspreload.org.
- Content-Security-Policy restricting script sources and frame ancestors; X-Frame-Options: DENY; X-Content-Type-Options: nosniff; Referrer-Policy: strict-origin-when-cross-origin; Permissions-Policy denying camera, microphone, geolocation, payment, and FLoC.
- DNS signed with DNSSEC at Cloudflare; the DS record entered at the registrar has been verified.
- CAA records restrict certificate issuance to Let's Encrypt.
- DMARC published with p=reject, SPF aligned with Cloudflare Email Routing, DKIM signed.
- No login on the public domain. The operator workspace runs on a separate hostname behind an auth wall.
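As an added check (example code, not AdCamel's own tooling), the following Python verifies a captured set of response headers against the header posture listed above. The header names and values are the ones stated above; `interest-cohort` is the Permissions-Policy feature name that covered FLoC, and the one-year max-age, includeSubDomains and preload requirements are those published by hstspreload.org. GOOD_HEADERS is a constructed sample, not a capture from adcamel.io.

```python
"""Check captured HTTP response headers against the public-surface posture above.
Added example, not AdCamel's tooling. GOOD_HEADERS is a constructed sample."""

# Exact-match headers from the posture list.
REQUIRED_EXACT = {
    "x-frame-options": "DENY",
    "x-content-type-options": "nosniff",
    "referrer-policy": "strict-origin-when-cross-origin",
}

# Permissions-Policy features the posture denies; interest-cohort is the
# feature name that covered FLoC.
DENIED_FEATURES = ("camera", "microphone", "geolocation", "payment", "interest-cohort")

ONE_YEAR = 31536000  # hstspreload.org minimum max-age, in seconds


def parse_csp(value):
    """'default-src 'self'; frame-ancestors 'none'' -> {directive: [sources]}"""
    policy = {}
    for directive in value.split(";"):
        parts = directive.split()
        if parts:
            policy[parts[0].lower()] = parts[1:]
    return policy


def parse_permissions_policy(value):
    """'camera=(), geolocation=(self)' -> {feature: allowlist}"""
    policy = {}
    for item in value.split(","):
        if "=" in item:
            feature, allowlist = item.split("=", 1)
            policy[feature.strip().lower()] = allowlist.strip()
    return policy


def hsts_ok(value):
    """True if the header satisfies the preload-list requirements."""
    directives = {}
    for d in value.split(";"):
        name, _, arg = d.strip().partition("=")
        directives[name.lower()] = arg
    try:
        max_age = int(directives.get("max-age", "0"))
    except ValueError:
        return False
    return max_age >= ONE_YEAR and "includesubdomains" in directives and "preload" in directives


def check_headers(headers):
    """Return findings; an empty list means the headers match the stated posture."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []
    if not hsts_ok(h.get("strict-transport-security", "")):
        findings.append("HSTS missing or below preload requirements")
    csp = parse_csp(h.get("content-security-policy", ""))
    # script-src falls back to default-src when absent, as the CSP spec does.
    script_src = csp.get("script-src", csp.get("default-src"))
    if not script_src or "*" in script_src or "'unsafe-inline'" in script_src:
        findings.append("CSP does not restrict script sources")
    if csp.get("frame-ancestors") != ["'none'"]:
        findings.append("CSP frame-ancestors is not 'none'")
    for name, expected in REQUIRED_EXACT.items():
        if h.get(name) != expected:
            findings.append(f"{name} should be {expected!r}, got {h.get(name)!r}")
    pp = parse_permissions_policy(h.get("permissions-policy", ""))
    for feature in DENIED_FEATURES:
        if pp.get(feature) != "()":
            findings.append(f"Permissions-Policy does not deny {feature}")
    return findings


# Constructed sample that matches the posture above.
GOOD_HEADERS = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload",
    "Content-Security-Policy": "default-src 'self'; script-src 'self'; frame-ancestors 'none'",
    "X-Frame-Options": "DENY",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Permissions-Policy": "camera=(), microphone=(), geolocation=(), payment=(), interest-cohort=()",
}

if __name__ == "__main__":
    for finding in check_headers(GOOD_HEADERS) or ["no findings"]:
        print(finding)
```

Feed it the headers from a real response (for example the dict from a `requests` response) to confirm that a deploy has not silently dropped one of the headers; an empty result means every item in the list above is still in place.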
Integration posture (TikTok Business API)
- OAuth tokens for authorized advertiser accounts are stored encrypted at rest with AES-256-GCM inside the operator workspace.
- Tokens are never displayed in logs, public pages, or audit records.
- Every external call to TikTok emits an audit event with endpoint, response status, response request_id, and TikTok-side identifiers; tokens and creative bytes are excluded from the audit body.
- Campaign pushes default to operation_status=DISABLE at every layer; going live requires an explicit operator action inside TikTok Ads Manager.
- Per-campaign budget caps are enforced on the AdCamel side; the credit card on file remains under TikTok Ads Manager's control.
- Rate-limit code 40100 is treated as a clean refusal with backoff; no blind retry loops.
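The integration rules above (audit body without tokens or creative bytes, DISABLE by default, AdCamel-side budget cap, bounded backoff on code 40100) as one worked client path in Python. This is added example code, not AdCamel's implementation: the Response shape, the `/campaign/create/` path, the four-attempt limit and the fake transport are assumptions, while the 40100 code and the operation_status=DISABLE default come from the list above.

```python
"""One client path that applies the integration rules above: audit record without
secrets, DISABLE by default, AdCamel-side budget cap, bounded backoff on 40100.
Added example, not AdCamel's code. Response shape, endpoint path, attempt limit
and the fake transport are assumptions."""
import time
from dataclasses import dataclass, field

RATE_LIMIT_CODE = 40100            # TikTok business code treated as a clean refusal
MAX_ATTEMPTS = 4                   # assumed bound: never an open-ended retry loop
DEFAULT_OPERATION_STATUS = "DISABLE"
SECRET_FIELDS = {"access_token", "creative_bytes"}


@dataclass
class Response:
    status: int                    # HTTP status
    code: int                      # business code from the JSON body; 0 means success
    request_id: str                # TikTok-side request id
    data: dict = field(default_factory=dict)


def audit_event(endpoint, resp, identifiers):
    """Audit body: endpoint, status, code, request_id and ids only.
    Refuse outright if a caller tries to pass a secret field through."""
    leaked = SECRET_FIELDS & set(identifiers)
    if leaked:
        raise ValueError(f"refusing to write secrets to the audit log: {sorted(leaked)}")
    return {"endpoint": endpoint, "status": resp.status, "code": resp.code,
            "request_id": resp.request_id, "ids": dict(identifiers)}


class Client:
    def __init__(self, transport, sleep=time.sleep):
        # transport(endpoint, payload, token) -> Response; the token is handed
        # to the transport only and never reaches the audit list.
        self._transport = transport
        self._sleep = sleep
        self.audit = []

    def call(self, endpoint, payload, token, identifiers):
        delay = 1.0
        for attempt in range(1, MAX_ATTEMPTS + 1):
            resp = self._transport(endpoint, payload, token)
            self.audit.append(audit_event(endpoint, resp, identifiers))
            if resp.code != RATE_LIMIT_CODE:
                return resp
            if attempt == MAX_ATTEMPTS:
                break
            self._sleep(delay)     # exponential backoff between bounded attempts
            delay *= 2
        raise RuntimeError(f"{endpoint}: rate limited on {MAX_ATTEMPTS} attempts, giving up")


def build_campaign_payload(advertiser_id, name, budget, budget_cap):
    """Enforce the AdCamel-side cap and default the campaign to DISABLE."""
    if budget > budget_cap:
        raise ValueError(f"budget {budget} exceeds the AdCamel-side cap {budget_cap}")
    return {"advertiser_id": advertiser_id, "campaign_name": name,
            "budget": budget, "operation_status": DEFAULT_OPERATION_STATUS}


def push_campaign(client, token, advertiser_id, name, budget, budget_cap):
    payload = build_campaign_payload(advertiser_id, name, budget, budget_cap)
    return client.call("/campaign/create/", payload, token,
                       {"advertiser_id": advertiser_id})


def make_transport(rate_limited_times):
    """Constructed stand-in for the network: code 40100 N times, then success."""
    count = {"n": 0}

    def transport(endpoint, payload, token):
        count["n"] += 1
        if count["n"] <= rate_limited_times:
            return Response(200, RATE_LIMIT_CODE, f"req-{count['n']}")
        return Response(200, 0, f"req-{count['n']}", {"campaign_id": "1700000000000000001"})
    return transport


def demo(rate_limited_times=2):
    """Push one campaign through a transport that refuses N times; returns
    (response, audit list, recorded sleep delays). Token and ids are constructed."""
    sleeps = []
    client = Client(make_transport(rate_limited_times), sleep=sleeps.append)
    token = "constructed-token-DO-NOT-LOG"
    resp = push_campaign(client, token, "7000000000000000002", "spring-launch", 50.0, 100.0)
    return resp, client.audit, sleeps


if __name__ == "__main__":
    resp, audit, sleeps = demo()
    print(resp.data, sleeps)
    for event in audit:
        print(event)
```

The two properties worth keeping when adapting this are that the token is a parameter of the transport call only, so nothing that builds the audit record ever holds it, and that the retry loop has a fixed upper bound with a raised error at the end rather than a `while True`.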
Coordinated disclosure policy
If you find a vulnerability in AdCamel's public surface or in the TikTok integration described on this site, please follow this policy.
- Report to security@adcamel.io.
- Include enough detail for the operator to reproduce: URL, request, response, browser or tool used.
- Allow at least 90 days for a fix before public disclosure, or a shorter window if the operator confirms a fix is in production.
- Do not exfiltrate data beyond what is necessary to demonstrate the issue, do not test on user data you do not own, and do not attempt denial-of-service.
- AdCamel does not offer a paid bug bounty at this time. Acknowledgments are listed below at the reporter's request.
Acknowledgments
None at this time. Reporters who want public acknowledgment can request inclusion by name or handle in the email above.
Contact
Security contact: security@adcamel.io.
General contact: contact@adcamel.io.