ui.skipToMain

Security Practices

Security isn't a feature we add later—it's built into every layer of our architecture. We follow defense-in-depth principles, assuming that any single layer might be compromised.

Authentication Methods

We support multiple authentication methods to balance security with user convenience:

  • Email/Password: With strong password requirements, breach detection, and account lockout policies.
  • Magic Links: Passwordless login via email OTP for reduced credential exposure.
  • OAuth: Google and GitHub integration through Supabase, leveraging their security infrastructure.
  • Enterprise SSO: SAML 2.0, OAuth 2.0, and OpenID Connect for organization-managed identities.
  • WebAuthn: Hardware security keys and biometric authentication using the FIDO2 standard.
  • MFA: TOTP, SMS, email, and WebAuthn as second factors with backup codes for recovery.

CSRF Protection

Cross-site request forgery is prevented through multiple mechanisms:

  • Token generation using crypto.getRandomValues()
  • Tokens included in X-CSRF-Token headers
  • Session-based storage with 1-hour expiry
  • X-Requested-With header validation
  • SameSite cookie attributes

Security Headers

Every response includes comprehensive security headers:

  • X-Frame-Options: DENY — Prevents clickjacking
  • X-Content-Type-Options: nosniff — Stops MIME sniffing
  • Strict-Transport-Security — Forces HTTPS with preload
  • Content-Security-Policy — Restricts resource origins
  • Referrer-Policy: strict-origin-when-cross-origin
  • Permissions-Policy — Denies geolocation, camera, microphone

Rate Limiting

We implement tiered rate limiting to prevent abuse while allowing legitimate traffic:

  • Login attempts: 5 attempts per 15 minutes before lockout
  • API endpoints: Per-key limits based on subscription tier
  • Tracking endpoints: Higher limits to accommodate traffic spikes
  • IP reputation: Automatic blocking of known malicious actors

API Key Management

External API access is controlled through scoped API keys:

  • Keys are encrypted at rest in the database
  • Per-key rate limiting and usage tracking
  • Scoped permissions (full access vs site-specific)
  • Instant revocation capability
  • Automatic expiration options

Audit Logging

We maintain comprehensive audit trails for security and compliance:

  • All authentication events (login, logout, failed attempts)
  • Settings changes with before/after values
  • API key creation and revocation
  • Team membership changes
  • Billing events and subscription changes

privacy regulations Compliance

Privacy is a core product feature, not an afterthought:

  • Data export functionality for user requests
  • Right to deletion with complete data purge
  • Configurable data retention periods
  • No cross-site tracking or third-party cookies
  • IP anonymization options
  • Cookie consent management