Security & Best Practices

How SnapStatic handles your credentials, data, and generated content.

Is HTTPS required?

Yes. SnapStatic requires HTTPS for both your Ghost source domain and your generated site domain. HTTP is not supported. This prevents mixed-content issues and ensures secure communication.

Is my Ghost API key secure?

  • Always use a Content API Key (read-only) — never your Admin API key.
  • Pro: Your API key is sent to our generation server over HTTPS, used only during the build, then discarded.
  • Free: Your API key is processed entirely in your browser and never leaves your device.
  • Regenerate your Content API key after generation for maximum security.
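
A preflight check for the HTTPS requirement and the Content-key-only rule above, as an added example (not SnapStatic's own code). The function names are hypothetical, and the key shapes are an assumption based on Ghost's key formats: a Content API key is 26 hex characters, an Admin API key is `id:secret`.

```javascript
// Added example: validate inputs before giving them to a static-site generator.
// Assumption: Content API key = 26 hex chars; Admin API key = "<hex id>:<hex secret>".
const CONTENT_KEY = /^[0-9a-f]{26}$/i;
const ADMIN_KEY = /^[0-9a-f]+:[0-9a-f]+$/i;

// Classify a key by shape only; the key is never sent anywhere.
function classifyGhostKey(key) {
  const k = String(key).trim();
  if (ADMIN_KEY.test(k)) return "admin";
  if (CONTENT_KEY.test(k)) return "content";
  return "unknown";
}

// Return a problem string if the value is not an absolute https URL, else null.
function httpsProblem(label, value) {
  let url;
  try {
    url = new URL(value);
  } catch {
    return `${label}: not a valid absolute URL`;
  }
  if (url.protocol !== "https:") return `${label}: must use https, got ${url.protocol}`;
  return null;
}

// Check both domains and the key; collect every problem rather than stopping at the first.
function preflight({ ghostUrl, baseUrl, apiKey }) {
  const problems = [
    httpsProblem("Ghost source URL", ghostUrl),
    httpsProblem("Generated site URL", baseUrl),
  ].filter(Boolean);
  const kind = classifyGhostKey(apiKey);
  if (kind === "admin") problems.push("API key: looks like an Admin API key; use a Content API key");
  if (kind === "unknown") problems.push("API key: not in Content API key format");
  return { ok: problems.length === 0, problems };
}

// Constructed sample values (not real keys or domains).
const sample = {
  ghostUrl: "http://blog.example.com",
  baseUrl: "https://www.example.com",
  apiKey: "0123456789abcdef01234567:" + "ab".repeat(32),
};
console.log(preflight(sample));
```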

How is my webhook config stored?

Your webhook configuration (Ghost URL, API key, base URL, and generation options) is stored server-side in your profile. It is never exposed to other users or accessible from the browser. The webhook token is a unique identifier — treat it like a password and do not share it publicly.

How are Git tokens handled?

  • Create a dedicated token with minimal permissions (GitHub: repo scope only).
  • Your token is used once during deployment and then discarded.
  • Tokens are never stored in your browser (localStorage, sessionStorage, or cookies).
  • Regenerate tokens after each deployment for best security.

What data does SnapStatic store?

  • Account: Email and profile settings
  • Pro archives: Generated ZIP files and build logs, automatically deleted after 30 days
  • Webhook config: Ghost connection details and generation options (deleted when you remove the config)
  • Free generator: Nothing is stored — content is processed in your browser and discarded