Security isn't a feature we add later—it's built into every layer of our architecture. We follow defense-in-depth principles, assuming that any single layer might be compromised.
Authentication Methods
We support multiple authentication methods to balance security with user convenience:
- Email/Password: With strong password requirements, breach detection, and account lockout policies.
- Magic Links: Passwordless login via email OTP for reduced credential exposure.
- OAuth: Google and GitHub integration through Supabase, leveraging their security infrastructure.
- Enterprise SSO: SAML 2.0, OAuth 2.0, and OpenID Connect for organization-managed identities.
- WebAuthn: Hardware security keys and biometric authentication using the FIDO2 standard.
- MFA: TOTP, SMS, email, and WebAuthn as second factors with backup codes for recovery.
CSRF Protection
Cross-site request forgery is prevented through multiple mechanisms:
- Token generation using crypto.getRandomValues()
- Tokens included in X-CSRF-Token headers
- Session-based storage with 1-hour expiry
- X-Requested-With header validation
- SameSite cookie attributes
Security Headers
Every response includes comprehensive security headers:
- X-Frame-Options: DENY (prevents clickjacking)
- X-Content-Type-Options: nosniff (stops MIME sniffing)
- Strict-Transport-Security (forces HTTPS, with preload)
- Content-Security-Policy (restricts resource origins)
- Referrer-Policy: strict-origin-when-cross-origin
- Permissions-Policy (denies geolocation, camera, microphone)
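As an added example (not the product's own configuration), the header set above expressed as a baseline, together with an audit function that reports which headers a response lacks or has set to a weaker value than the baseline. The HSTS max-age, the CSP directives, and the exact Permissions-Policy syntax are assumptions chosen to match the descriptions in the list.

```javascript
// Added example, not the page's code: baseline security headers and an audit
// that flags missing or weakened ones in a response.
const REQUIRED_HEADERS = {
  'x-frame-options': 'DENY',
  'x-content-type-options': 'nosniff',
  // Two years, subdomains included, eligible for the preload list (values assumed).
  'strict-transport-security': 'max-age=63072000; includeSubDomains; preload',
  // Restricts resource origins to self; directives are assumed, not the product's policy.
  'content-security-policy':
    "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'; frame-ancestors 'none'",
  'referrer-policy': 'strict-origin-when-cross-origin',
  'permissions-policy': 'geolocation=(), camera=(), microphone=()',
};

// Headers to set on every response.
function securityHeaders() {
  return { ...REQUIRED_HEADERS };
}

function normalize(headers) {
  return Object.fromEntries(Object.entries(headers).map(([k, v]) => [k.toLowerCase(), String(v)]));
}

// Audit a response's headers (case-insensitive). An empty array means the
// response meets the baseline; each string is one finding.
function auditSecurityHeaders(headers) {
  const h = normalize(headers);
  const findings = [];
  for (const name of Object.keys(REQUIRED_HEADERS)) {
    if (!(name in h)) findings.push(`missing ${name}`);
  }
  const xfo = h['x-frame-options'];
  if (xfo && xfo.toUpperCase() !== 'DENY') findings.push(`x-frame-options is ${xfo}, expected DENY`);
  const xcto = h['x-content-type-options'];
  if (xcto && xcto.toLowerCase() !== 'nosniff') findings.push(`x-content-type-options is ${xcto}, expected nosniff`);
  const hsts = h['strict-transport-security'];
  if (hsts) {
    const m = /max-age=(\d+)/i.exec(hsts);
    const maxAge = m ? Number(m[1]) : 0;
    // One year is the minimum the preload list accepts.
    if (maxAge < 31536000) findings.push(`strict-transport-security max-age ${maxAge} is below one year`);
    if (!/includeSubDomains/i.test(hsts) || !/preload/i.test(hsts)) {
      findings.push('strict-transport-security lacks includeSubDomains or preload');
    }
  }
  const csp = h['content-security-policy'];
  if (csp) {
    if (/'unsafe-inline'/.test(csp)) findings.push("content-security-policy allows 'unsafe-inline'");
    if (!/frame-ancestors/.test(csp)) findings.push('content-security-policy has no frame-ancestors directive');
  }
  const pp = h['permissions-policy'];
  if (pp) {
    for (const feature of ['geolocation', 'camera', 'microphone']) {
      if (!new RegExp(`${feature}=\\(\\)`).test(pp)) findings.push(`permissions-policy does not deny ${feature}`);
    }
  }
  return findings;
}

module.exports = { securityHeaders, auditSecurityHeaders, REQUIRED_HEADERS };
```

The audit is the piece worth keeping in CI: point it at a staging response and fail the build on any finding, so a reverse proxy or framework upgrade that silently drops a header is caught before deployment.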
Rate Limiting
We implement tiered rate limiting to prevent abuse while allowing legitimate traffic:
- Login attempts: 5 attempts per 15 minutes before lockout
- API endpoints: Per-key limits based on subscription tier
- Tracking endpoints: Higher limits to accommodate traffic spikes
- IP reputation: Automatic blocking of known malicious actors
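An added example of the tiered scheme above (not the product's code), in Node.js. The login limit follows the page (5 attempts per 15 minutes before lockout); the per-tier API quotas, the tier names, the lockout key, and the IP blocklist entry are constructed assumptions.

```javascript
// Added example, not the page's code: sliding-window rate limiting for logins
// (per account), tiered limits for API keys, and an IP reputation gate.
const LOGIN_LIMIT = { max: 5, windowMs: 15 * 60 * 1000 }; // from the page
const API_TIER_LIMITS = { free: 60, pro: 600, enterprise: 6000 }; // requests/minute, assumed
const API_WINDOW_MS = 60 * 1000;

// Sliding-window counter: an event is allowed while fewer than `max` allowed
// events fall inside the trailing window. Only allowed events are stored, so
// memory per key is bounded by `max` however hard a client hammers it.
class SlidingWindowLimiter {
  constructor(max, windowMs) {
    this.max = max;
    this.windowMs = windowMs;
    this.hits = new Map();
  }
  hit(key, now = Date.now()) {
    const recent = (this.hits.get(key) ?? []).filter((t) => t > now - this.windowMs);
    const allowed = recent.length < this.max;
    if (allowed) recent.push(now);
    this.hits.set(key, recent);
    return {
      allowed,
      remaining: Math.max(0, this.max - recent.length),
      retryAfterMs: allowed ? 0 : recent[0] + this.windowMs - now,
    };
  }
  reset(key) {
    this.hits.delete(key);
  }
}

const loginLimiter = new SlidingWindowLimiter(LOGIN_LIMIT.max, LOGIN_LIMIT.windowMs);
const apiLimiters = Object.fromEntries(
  Object.entries(API_TIER_LIMITS).map(([tier, max]) => [tier, new SlidingWindowLimiter(max, API_WINDOW_MS)])
);
// Constructed blocklist entry (documentation range); a real one is fed from reputation data.
const blockedIps = new Set(['203.0.113.7']);

// Every attempt counts toward the account lockout, a success clears the counter,
// and a blocked IP never reaches the password check at all.
function loginAttempt({ username, ip, passwordOk }, now = Date.now()) {
  if (blockedIps.has(ip)) return { status: 'blocked' };
  const r = loginLimiter.hit(username, now);
  if (!r.allowed) return { status: 'locked', retryAfterMs: r.retryAfterMs };
  if (passwordOk) {
    loginLimiter.reset(username);
    return { status: 'ok' };
  }
  return { status: 'failed', remaining: r.remaining };
}

// API calls are limited per key, with the quota chosen by the key's subscription tier.
function apiRequest({ apiKeyId, tier }, now = Date.now()) {
  const limiter = apiLimiters[tier];
  if (!limiter) return { status: 'unknown-tier' };
  const r = limiter.hit(apiKeyId, now);
  return r.allowed
    ? { status: 'ok', remaining: r.remaining }
    : { status: 'rate-limited', retryAfterMs: r.retryAfterMs };
}

module.exports = { SlidingWindowLimiter, loginAttempt, apiRequest, LOGIN_LIMIT, API_TIER_LIMITS };
```

Keying the login limiter by account (rather than by IP) is what turns it into an account lockout; the trade-off is that an attacker can lock a victim out deliberately, which is why the lockout is time-boxed to the window rather than permanent, and why the IP reputation gate sits in front of it.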
API Key Management
External API access is controlled through scoped API keys:
- Keys are encrypted at rest in the database
- Per-key rate limiting and usage tracking
- Scoped permissions (full access vs site-specific)
- Instant revocation capability
- Automatic expiration options
Audit Logging
We maintain comprehensive audit trails for security and compliance:
- All authentication events (login, logout, failed attempts)
- Settings changes with before/after values
- API key creation and revocation
- Team membership changes
- Billing events and subscription changes
GDPR Compliance
Privacy is a core product feature, not an afterthought:
- Data export functionality for user requests
- Right to deletion with complete data purge
- Configurable data retention periods
- No cross-site tracking or third-party cookies
- IP anonymization options
- Cookie consent management