diff --git a/.gitignore b/.gitignore index 745528a..6d687ca 100644 --- a/.gitignore +++ b/.gitignore @@ -1,10 +1,11 @@ *.csv .idea/ *.gexf -backend/whitelist.txt data/ .vscode/ +backend/.sobelow + # Environments .env .env* diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index 936d0d4..3fbc15f 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml @@ -16,8 +16,31 @@ test-frontend: only: changes: - frontend/* + +backend-sobelow: + stage: test + image: elixir:1.9 + only: + changes: + - backend/* + before_script: + - cd backend + script: + - mix local.hex --force + - mix local.rebar --force + - mix deps.get + - mix deps.compile + - mix sobelow --config + cache: + paths: + - backend/deps/ + - backend/_build/ + deploy-backend-develop: stage: deploy + environment: + name: develop + url: https://phoenix.api-develop.fediverse.space image: ilyasemenov/gitlab-ci-git-push only: refs: @@ -26,9 +49,12 @@ deploy-backend-develop: - backend/* script: - git-push ssh://dokku@api-develop.fediverse.space:phoenix + deploy-gephi-develop: stage: deploy image: ilyasemenov/gitlab-ci-git-push + environment: + name: develop only: refs: - develop diff --git a/backend/.sobelow-conf b/backend/.sobelow-conf new file mode 100644 index 0000000..1e4c487 --- /dev/null +++ b/backend/.sobelow-conf @@ -0,0 +1,12 @@ +[ + verbose: false, + private: false, + skip: true, + router: "", + exit: "false", + format: "txt", + out: "", + threshold: "low", + ignore: ["Config.HTTPS"], + ignore_files: [""] +] diff --git a/backend/README.md b/backend/README.md index 73a5fea..e365945 100644 --- a/backend/README.md +++ b/backend/README.md @@ -4,6 +4,7 @@ - This project requires Elixir >= 1.9. - Run with `SKIP_CRAWL=true` to just run the server (useful for working on the API without also crawling) +- This project is automatically scanned for potential vulnerabilities with [Sobelow](https://sobelow.io/). ## Deployment 
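Review bot: The new `backend-sobelow` job is gated on `changes: - backend/*`, and if GitLab matches these globs per path segment (as I believe it does), that pattern only covers files directly under `backend/`, so edits beneath `backend/lib/` would never run the scanner; `- backend/**/*` covers the whole tree. The pattern is copied from the existing deploy jobs, which would then share the same gap. Note also that the job has no failure policy of its own: whether findings fail the pipeline is decided entirely by the `exit` setting in `.sobelow-conf` passed through `--config`, which this commit sets to `"false"`.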
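Review bot: `exit: "false"` makes `mix sobelow --config` return a zero status regardless of what it reports, so the `backend-sobelow` CI job added in `.gitlab-ci.yml` logs findings but can never fail the pipeline, and the README's "automatically scanned" statement is advisory only. If the scan is meant to gate merges, set `exit: "low"` (or `"medium"` to tolerate low-confidence findings) so the task exits non-zero at or above that confidence. `ignore: ["Config.HTTPS"]` disables the HTTPS check outright and `skip: true` honours the `# sobelow_skip` annotations added in `mastodon.ex`; recording the reason for each suppression (in the README or, if the file is evaluated as Elixir, a `#` comment beside the entry) would keep them reviewable.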
diff --git a/backend/lib/backend/crawler/crawlers/mastodon.ex b/backend/lib/backend/crawler/crawlers/mastodon.ex index 44c61dc..f3af190 100644 --- a/backend/lib/backend/crawler/crawlers/mastodon.ex +++ b/backend/lib/backend/crawler/crawlers/mastodon.ex @@ -15,6 +15,7 @@ defmodule Backend.Crawler.Crawlers.Mastodon do end @impl ApiCrawler + # sobelow_skip ["DOS.StringToAtom"] def crawl(domain) do instance = Jason.decode!(get!("https://#{domain}/api/v1/instance").body) @@ -33,6 +34,7 @@ defmodule Backend.Crawler.Crawlers.Mastodon do end @spec crawl_large_instance(String.t(), any()) :: ApiCrawler.t() + # sobelow_skip ["DOS.StringToAtom"] defp crawl_large_instance(domain, instance) do # servers may not publish peers peers = diff --git a/backend/mix.exs b/backend/mix.exs index 68ae703..fc4deec 100644 --- a/backend/mix.exs +++ b/backend/mix.exs @@ -45,7 +45,8 @@ defmodule Backend.MixProject do {:timex, "~> 3.5"}, {:honeydew, "~> 1.4.3"}, {:quantum, "~> 2.3"}, - {:corsica, "~> 1.1.2"} + {:corsica, "~> 1.1.2"}, + {:sobelow, "~> 0.8", only: :dev} ] end diff --git a/backend/mix.lock b/backend/mix.lock index 54fb5cb..bc544f0 100644 --- a/backend/mix.lock +++ b/backend/mix.lock 
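Review bot: The `# sobelow_skip ["DOS.StringToAtom"]` placed before `crawl/1` (and likewise before `crawl_large_instance/2` in the next hunk) suppresses the finding rather than resolving it; the category points to a `String.to_atom/1` call in these bodies, and the input here is JSON decoded from the crawled server (`Jason.decode!(get!("https://#{domain}/api/v1/instance").body)`), i.e. data the remote instance fully controls. Atoms are never garbage-collected, so an instance returning unexpected keys could grow the atom table on every crawl until the VM's atom limit is reached. The converted values are outside these hunks so I cannot see what is being atomised; if it is a closed set of known keys, `String.to_existing_atom/1` or matching on the string keys directly would remove the finding instead of hiding it, and if the skip stays, a one-line comment stating why the input is bounded would make the exception reviewable. Both function bodies continue past the hunks.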
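Review bot: `{:sobelow, "~> 0.8", only: :dev}` lists a tool that only provides a Mix task as a regular runtime dependency; `{:sobelow, "~> 0.8", only: :dev, runtime: false}` keeps it out of the application start list, which is the usual form for task-only tools. If the CI job is ever run with `MIX_ENV=test`, `only: :dev` would also make the task unavailable, so `only: [:dev, :test]` may be safer. The enclosing `deps/0` function starts and ends outside the hunk.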
@@ -34,6 +34,7 @@ "postgrex": {:hex, :postgrex, "0.14.3", "5754dee2fdf6e9e508cbf49ab138df964278700b764177e8f3871e658b345a1e", [:mix], [{:connection, "~> 1.0", [hex: :connection, repo: "hexpm", optional: false]}, {:db_connection, "~> 2.0", [hex: :db_connection, repo: "hexpm", optional: false]}, {:decimal, "~> 1.5", [hex: :decimal, repo: "hexpm", optional: false]}, {:jason, "~> 1.0", [hex: :jason, repo: "hexpm", optional: true]}], "hexpm"}, "quantum": {:hex, :quantum, "2.3.4", "72a0e8855e2adc101459eac8454787cb74ab4169de6ca50f670e72142d4960e9", [:mix], [{:calendar, "~> 0.17", [hex: :calendar, repo: "hexpm", optional: true]}, {:crontab, "~> 1.1", [hex: :crontab, repo: "hexpm", optional: false]}, {:gen_stage, "~> 0.12", [hex: :gen_stage, repo: "hexpm", optional: false]}, {:swarm, "~> 3.3", [hex: :swarm, repo: "hexpm", optional: false]}, {:timex, "~> 3.1", [hex: :timex, repo: "hexpm", optional: true]}], "hexpm"}, "ranch": {:hex, :ranch, "1.7.1", "6b1fab51b49196860b733a49c07604465a47bdb78aa10c1c16a3d199f7f8c881", [:rebar3], [], "hexpm"}, + "sobelow": {:hex, :sobelow, "0.8.0", "a3ec73e546dfde19f14818e5000c418e3f305d9edb070e79dd391de0ae1cd1ea", [:mix], [], "hexpm"}, "ssl_verify_fun": {:hex, :ssl_verify_fun, "1.1.4", "f0eafff810d2041e93f915ef59899c923f4568f4585904d010387ed74988e77b", [:make, :mix, :rebar3], [], "hexpm"}, "swarm": {:hex, :swarm, "3.4.0", "64f8b30055d74640d2186c66354b33b999438692a91be275bb89cdc7e401f448", [:mix], [{:gen_state_machine, "~> 2.0", [hex: :gen_state_machine, repo: "hexpm", optional: false]}, {:libring, "~> 1.0", [hex: :libring, repo: "hexpm", optional: false]}], "hexpm"}, "telemetry": {:hex, :telemetry, "0.4.0", "8339bee3fa8b91cb84d14c2935f8ecf399ccd87301ad6da6b71c09553834b2ab", [:rebar3], [], "hexpm"}, diff --git a/frontend/package.json b/frontend/package.json index cc0947d..463eaf0 100644 --- a/frontend/package.json +++ b/frontend/package.json 
@@ -67,6 +67,7 @@ "husky": "^3.0.0", "lint-staged": "^9.2.0", "tslint": "^5.18.0", + "tslint-config-security": "^1.16.0", "tslint-eslint-rules": "^5.4.0", "typescript": "^3.5.3" }, diff --git a/frontend/tslint.json b/frontend/tslint.json index 799fb02..5f2be2f 100644 --- a/frontend/tslint.json +++ b/frontend/tslint.json @@ -4,9 +4,8 @@ "tslint-eslint-rules", "tslint-react", "@blueprintjs/tslint-config/blueprint-rules", - "tslint-config-prettier" + "tslint-config-prettier", + "tslint-config-security" ], - "exclude": [ - "**/*.css" - ] + "exclude": ["**/*.css"] } diff --git a/frontend/yarn.lock b/frontend/yarn.lock index 327c6be..cdaf599 100644 --- a/frontend/yarn.lock +++ b/frontend/yarn.lock @@ -10449,6 +10449,13 @@ tslint-config-prettier@^1.17.0: resolved "https://registry.yarnpkg.com/tslint-config-prettier/-/tslint-config-prettier-1.18.0.tgz#75f140bde947d35d8f0d238e0ebf809d64592c37" integrity sha512-xPw9PgNPLG3iKRxmK7DWr+Ea/SzrvfHtjFt5LBl61gk2UBG/DB9kCXRjv+xyIU1rUtnayLeMUVJBcMX8Z17nDg== +tslint-config-security@^1.16.0: + version "1.16.0" + resolved "https://registry.yarnpkg.com/tslint-config-security/-/tslint-config-security-1.16.0.tgz#a561fdf1fccc3986f78c2a12f1c1f5e0b50f6476" + integrity sha512-wwM+COg4FX1Gl6VnvaTV9zqcUY6cs4XkiP6T3qhc6s20Xy4J9irui6+fkP07yVkrwfcNFneji3YcIwiMvKSQPQ== + dependencies: + safe-regex "^1.1.0" + tslint-eslint-rules@^5.4.0: version "5.4.0" resolved "https://registry.yarnpkg.com/tslint-eslint-rules/-/tslint-eslint-rules-5.4.0.tgz#e488cc9181bf193fe5cd7bfca213a7695f1737b5"