All internet-facing TestDino services and their security configuration.

Quick Reference

Section | Description
Core Services | Dashboard, API, reporter, WebSocket
Authentication & Billing | Auth endpoints, payment webhooks
Integrations | GitHub webhooks, third-party connectors
Internal Services | AI analytics, health checks, artifact storage
Network Security | CORS, TLS, rate limiting, security headers
Firewall Config | Domains to allowlist

Core Services

Endpoint | Description
app.testdino.com | Web application: dashboard, test results, analytics, settings
api.testdino.com | Primary API: authentication, test data, project management, client-server communication
api.testdino.com/api/reports/playwright | Reporter endpoint: receives test results via API key authentication
api.testdino.com/stream | WebSocket: real-time test result updates

Authentication & Billing

Endpoint | Description
api.testdino.com/api/auth | Login, registration, OAuth callbacks, password reset, email verification
api.testdino.com/api/v1/webhooks/razorpay | Payment webhook: receives events from Razorpay (signature-verified)

Integration Services

Endpoint | Description
api.testdino.com/api/integrations/v1/github/webhook | GitHub webhook: push events and PR updates (verified via X-Hub-Signature-256)
Integration service (internal) | Manages Jira, Linear, Asana, Slack, Monday.com connections. Not internet-facing. Accessed via the primary API.
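
How an X-Hub-Signature-256 check works on the receiving side, as an added example that is not TestDino's code: GitHub sends "sha256=" followed by the hex HMAC-SHA256 of the raw request body, keyed with the webhook secret. The function names, secret and payload below are constructed for illustration.

```javascript
// Added example, not TestDino's code: verifying a GitHub X-Hub-Signature-256 header.
const nodeCrypto = require("crypto");

const PREFIX = "sha256=";

// Header value GitHub sends: "sha256=" + hex(HMAC-SHA256(secret, raw body bytes)).
function signBody(secret, rawBody) {
  return PREFIX + nodeCrypto.createHmac("sha256", secret).update(rawBody).digest("hex");
}

// True only if headerValue is a well-formed, matching MAC over the raw bytes.
function verifyGithubSignature(secret, rawBody, headerValue) {
  if (typeof headerValue !== "string" || !headerValue.startsWith(PREFIX)) return false;
  const hex = headerValue.slice(PREFIX.length);
  if (!/^[0-9a-f]{64}$/i.test(hex)) return false; // reject wrong length or non-hex
  const received = Buffer.from(hex, "hex");
  const expected = nodeCrypto.createHmac("sha256", secret).update(rawBody).digest();
  return nodeCrypto.timingSafeEqual(received, expected); // constant-time compare
}

// Constructed sample data (hypothetical secret and payload).
const SECRET = "constructed-demo-secret";
const RAW_BODY = Buffer.from('{"ref": "refs/heads/main", "zen": "demo"}', "utf8");
const GOOD_HEADER = signBody(SECRET, RAW_BODY);

function demoResults() {
  // Parsing and re-serializing changes whitespace, so the bytes no longer match.
  const reserialized = Buffer.from(JSON.stringify(JSON.parse(RAW_BODY.toString("utf8"))), "utf8");
  return {
    valid: verifyGithubSignature(SECRET, RAW_BODY, GOOD_HEADER),
    reserializedBody: verifyGithubSignature(SECRET, reserialized, GOOD_HEADER),
    wrongSecret: verifyGithubSignature("other-secret", RAW_BODY, GOOD_HEADER),
    missingHeader: verifyGithubSignature(SECRET, RAW_BODY, undefined),
    truncatedMac: verifyGithubSignature(SECRET, RAW_BODY, GOOD_HEADER.slice(0, 40)),
  };
}

console.log(demoResults());
```

The re-serialized case is the common pitfall: the MAC covers the exact bytes received, so a receiver has to keep the raw body rather than verify against parsed JSON.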

Internal Services

Service | Description
AI service (internal) | Test analysis: run insights, failure classification, project analytics. FastAPI/Python. Not internet-facing.
api.testdino.com/health | Health check for monitoring and load balancer probes
Azure Blob Storage | Artifact storage: screenshots, videos, traces. Access via time-limited SAS tokens (48-hour expiry).

Network & Security

CORS

The API enforces strict CORS policies:
  • Only explicitly configured origins are allowed (no wildcard *)
  • Origins are defined per environment via CORS_ORIGIN configuration

TLS

  • All endpoints enforce HTTPS (TLS 1.2+)
  • HTTP requests redirect to HTTPS
  • Certificates are managed via hosting infrastructure

Rate Limiting

Endpoint | Limit
Login | 10 requests / 15 minutes
Registration | 5 requests / 15 minutes
Email verification | 3 requests / 60 minutes
Password reset | 2 requests / 60 minutes
Global API | 1,000 requests / 15 minutes

Security Headers

All responses include the following security headers, set via Helmet:
  • Content-Security-Policy (CSP)
  • X-Frame-Options
  • X-Content-Type-Options
  • Strict-Transport-Security (HSTS)

Firewall Configuration

If your organization uses network-level allowlisting, add these domains:

Domain | Required For
app.testdino.com | Dashboard access
api.testdino.com | API, reporter submission, webhooks, WebSocket streaming
Azure Blob Storage domain | Artifact uploads and downloads

Review what data is collected and how long it is retained.

Access to Customer Data

Full list of data TestDino collects

Data Retention

Retention periods by tier and data category