Security

Last updated: May 2026 · A summary of the controls protecting your account and content.

Account security

Passwords are stored as bcrypt hashes. Session bearer tokens are hashed at rest, can be revoked via the sign-out flow, and expire on inactivity. OAuth (Google, Apple) is supported as an alternative to password sign-in.

Transport & storage

The application is served over HTTPS with HSTS. Media is stored in a private Google Cloud Storage bucket and accessed only through short-lived signed URLs. Database backups are taken daily.

Reporting issues

To report a vulnerability, please use the contact page. We welcome responsible disclosure and will work with you to confirm and resolve issues quickly.