Security

How we protect your data and how to report issues.

Practices

We implement HTTP security headers via helmet, strict CORS allowlists, API rate limiting, JWT-based access tokens with refresh-token rotation, secure cookies, bcrypt password hashing, Zod schema validation on every request, and Supabase storage with strict file-type and size validation. Logs are captured via morgan in production to support incident response.
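The stack described above, wired into an Express app, as an added example that is not part of this project's code. It assumes the packages named on this page (express, helmet, cors, express-rate-limit, zod) are installed; the origin allowlist, the 5 MiB size cap and the magic-number table are constructed placeholders. The three checks that are easy to get wrong (exact-match CORS origins, content-based upload validation, refresh-cookie flags) are plain functions so they can be unit-tested without the web framework.

```javascript
'use strict';

// Constructed allowlist of front-end origins (assumption: replace with the real deployment origins).
const ALLOWED_ORIGINS = new Set([
  'https://app.example.com',
  'https://admin.example.com',
]);

// Strict CORS check: exact origin match only. Substring, prefix or loose regex
// checks let a host such as "https://app.example.com.evil.test" through.
function isAllowedOrigin(origin) {
  if (typeof origin !== 'string') return false; // no Origin header: same-origin or non-browser client
  return ALLOWED_ORIGINS.has(origin);
}

// Upload policy for "strict file type and size validation": the declared MIME
// type selects the policy, but the first bytes of the content must match it.
const MAX_UPLOAD_BYTES = 5 * 1024 * 1024; // constructed limit
const MAGIC = {
  'image/png': Buffer.from([0x89, 0x50, 0x4e, 0x47]),
  'image/jpeg': Buffer.from([0xff, 0xd8, 0xff]),
  'application/pdf': Buffer.from('%PDF'),
};

function validateUpload(file) {
  if (!file || !Buffer.isBuffer(file.buffer)) return { ok: false, reason: 'no data' };
  if (file.buffer.length === 0) return { ok: false, reason: 'empty file' };
  if (file.buffer.length > MAX_UPLOAD_BYTES) return { ok: false, reason: 'too large' };
  const magic = MAGIC[file.mimetype];
  if (!magic) return { ok: false, reason: 'type not allowed' };
  if (file.buffer.length < magic.length || !file.buffer.subarray(0, magic.length).equals(magic)) {
    return { ok: false, reason: 'content does not match declared type' };
  }
  return { ok: true };
}

// Cookie flags for the refresh token: HttpOnly keeps it away from page scripts,
// Secure restricts it to TLS, SameSite=strict limits cross-site sends, and a
// narrow path keeps it off every request except the refresh endpoint.
function refreshCookieOptions(isProduction) {
  return {
    httpOnly: true,
    secure: isProduction,
    sameSite: 'strict',
    path: '/auth/refresh',
    maxAge: 7 * 24 * 60 * 60 * 1000,
  };
}

// Wires the middleware stack. Packages are required lazily so the checks above
// can be exercised without installing them.
function buildApp() {
  const express = require('express');
  const helmet = require('helmet');
  const cors = require('cors');
  const rateLimit = require('express-rate-limit');
  const { z } = require('zod');

  const app = express();
  app.use(helmet()); // security headers
  app.use(cors({
    origin: (origin, cb) => cb(null, isAllowedOrigin(origin)), // allowlist, not reflection
    credentials: true,
  }));
  app.use(rateLimit({ windowMs: 15 * 60 * 1000, max: 100 }));
  app.use(express.json({ limit: '100kb' })); // cap request bodies before parsing

  // Zod schema for the login body; .strict() rejects unexpected keys.
  const LoginBody = z.object({
    email: z.string().email().max(254),
    password: z.string().min(12).max(128),
  }).strict();

  app.post('/auth/login', (req, res) => {
    const parsed = LoginBody.safeParse(req.body);
    if (!parsed.success) return res.status(400).json({ error: 'invalid request' });
    // ... bcrypt.compare() against the stored hash, then issue access + refresh tokens ...
    const isProd = process.env.NODE_ENV === 'production';
    res.cookie('refresh', 'opaque-refresh-token-placeholder', refreshCookieOptions(isProd));
    return res.json({ ok: true });
  });
  return app;
}

module.exports = { isAllowedOrigin, validateUpload, refreshCookieOptions, buildApp, MAX_UPLOAD_BYTES };
```

`refreshCookieOptions(false)` is only meant for local development over plain HTTP; in production the `Secure` flag must be set, which is why the flag is derived from the environment rather than hard-coded.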

Reporting a vulnerability

Email security@proallyworld.com. Please do not file public GitHub issues for security vulnerabilities.

Responsible disclosure

We will acknowledge reports within 72 hours and aim to provide a remediation plan within 7 days for confirmed issues. Reporters will be credited unless anonymity is requested.