Security
The allowlist, SSRF protection, and why transform URLs need no API key.
A transform endpoint is, by definition, a "fetch any URL" engine — so it must be guarded. Keenpix treats that as core, not a fast-follow.
The allowlist (access control)
Each project has a list of allowed source hosts. A request is served only if the source URL's host is on that project's list. The list is checked before the cache, and an empty list blocks everything (fail-closed). This is why a transform URL needs no API key: it is safe to publish, because it can only ever hit hosts you've approved.
(Keenpix does have optional internal API keys for trusted backend systems that manage projects over the JSON API — those are separate from the public transform endpoint. See Projects & access and the SDK API reference.)
SSRF protection
Even for an allowed host, Keenpix refuses to become a proxy into your private network:
- Private/internal IPs are blocked — loopback, RFC-1918, link-local, CGNAT, IPv6 unique-local / link-local / multicast, and IPv4-mapped IPv6 forms.
- The resolved IP is pinned into the connection, closing the DNS-rebinding window between the check and the connect.
- Every redirect hop is re-validated, so a
302to an internal host is refused.
Denial-of-service guards
- Origin responses are size-capped (streamed with a byte ceiling →
413). - Concurrent transforms are bounded; excess load sheds with
503rather than OOM. - sharp runs with a
limitInputPixelsceiling andfailOn: 'truncated'.
Sign-in
The dashboard is bootstrapped with a super admin account. Set
KEENPIX_SUPER_ADMIN_EMAIL and KEENPIX_SUPER_ADMIN_PASSWORD before running
the seed or Docker container. The super admin can create copyable invitation
links for other staff from Settings → Staff. Email delivery is optional and
uses SMTP configured from Settings → Email first. SMTP environment variables
are only used as a fallback when Settings SMTP is disabled or incomplete.