Built for trust
Security isn't a checkbox; it's baked into how the platform is built, shipped, and operated.
Transport encryption
All traffic is served over TLS 1.3. Strict-Transport-Security, Referrer-Policy, X-Content-Type-Options, Permissions-Policy, and Content-Security-Policy headers are set on every response.
Credential hygiene
Passwords are hashed with bcrypt (10 rounds). Sessions are short-lived JWTs via NextAuth. OAuth tokens (Google Search Console) are stored encrypted at rest in Postgres.
Hosting + data
Hosted on Railway with managed Postgres. Environment variables never land in the repo or build artifacts. All third-party integrations (Stripe, Resend, SerpAPI, Anthropic) are outbound-only.
Least privilege
Admin actions are gated behind role-checked middleware. Audit tools never fetch beyond the domain you supply. The crawler respects robots.txt and runs with a clearly identified user agent.
Found a vulnerability? We take security reports seriously. Email [email protected] with details and we'll respond within 48 hours.