Security

​

Overview

​

Isolation Model

​

Container Isolation

• Separate Linux container
• Isolated filesystem
• Isolated network namespace
• Resource limits enforced by kernel

​

Network Access

const response = await fetch('https://api.example.com');

• Accept inbound connections (except via preview URL)
• Access other sessions
• Scan internal networks

​

What Code Can Do

• Execute JavaScript/TypeScript
• Install npm packages
• Make HTTP/HTTPS requests
• Write files to /workspace
• Use databases (SQLite, etc.)
• Run web servers on port 8080

• Access other sessions
• Mine cryptocurrency (CPU throttled)
• Port scanning
• DOS attacks (rate limited)
• Access host system

​

Authentication

Authorization: Bearer your_api_key_here

​

Best Practices

// ❌ Don't do this
const client = new Buntime({ apiKey: 'btk_123...' });

// ✅ Do this (server-side only)
const client = new Buntime({ 
  apiKey: process.env.BUNTIME_API_KEY 
});

const session = await client.sessions.create({
  metadata: { userId: user.id }
});

function validateCode(code: string) {
  const dangerous = [
    /require\(['"]child_process['"]\)/,
    /while\s*\(\s*true\s*\)/
  ];
  return !dangerous.some(p => p.test(code));
}

​

Data Security

​

At Rest

• Files encrypted in R2 storage
• Metadata encrypted in KV
• Automatic deletion on expiry

​

In Transit

• All API calls over HTTPS
• TLS 1.3 encryption
• No downgrade attacks

​

Abuse Prevention

• CPU throttling for sustained high usage
• Memory limits enforced
• Execution timeouts
• Rate limiting per API key
• Automatic session cleanup

​

Reporting Security Issues