Security

Last Updated: May 24, 2026

Argon2id passwords
CSRF protection
Secure session cookies
Rate limiting on all endpoints

Your fitness and health data is sensitive. This page describes the security measures we have implemented to protect your account — so you can make an informed decision about trusting us with your data.

Password Security

Passwords are hashed with Argon2id before being stored. Argon2 won the 2015 Password Hashing Competition, and its Argon2id variant is the one recommended today (RFC 9106, OWASP) because it combines resistance to GPU cracking with resistance to side-channel attacks. It is deliberately slow and memory-hard, so brute-force guessing stays expensive even on dedicated hardware. Your plaintext password is never stored or logged anywhere.

Session Security

Sessions use cryptographically random tokens that are validated against the database on every request. Because the database is the source of truth for a session, it can be invalidated server-side immediately: signing out takes effect on the very next request.

Session cookies are set with the strongest available browser security attributes: HttpOnly (not readable from JavaScript), Secure (sent over HTTPS only), and SameSite=Strict (never attached to cross-site requests). In production, the cookie name also carries the __Host- prefix. Browsers only accept a __Host- cookie that is Secure, has Path=/ and has no Domain attribute, so a compromised or untrusted subdomain cannot set or overwrite the session cookie.
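The cookie attributes described above, as an added example in Python (not code from the Runima application): one function builds the Set-Cookie value, the other audits a Set-Cookie value against the same policy, including the __Host- prefix rules a browser enforces. The cookie name `session`, the lifetime and the sample weak header are assumptions made for the example.

```python
"""Session cookie attributes and the __Host- prefix rules (added example)."""
from __future__ import annotations

SESSION_COOKIE = "session"  # hypothetical cookie name; the page does not give one


def build_session_cookie(token: str, production: bool, max_age: int = 12 * 3600) -> str:
    """Return the Set-Cookie header value for a session token.

    HttpOnly keeps the token out of document.cookie, Secure restricts it to HTTPS,
    SameSite=Strict keeps the browser from attaching it to cross-site requests.
    In production the name carries the __Host- prefix; browsers only accept such a
    cookie when it is Secure, has Path=/ and has no Domain attribute, which is what
    stops a sibling subdomain from planting or overwriting it.
    """
    name = f"__Host-{SESSION_COOKIE}" if production else SESSION_COOKIE
    attributes = ["Path=/", f"Max-Age={max_age}", "Secure", "HttpOnly", "SameSite=Strict"]
    return "; ".join([f"{name}={token}", *attributes])


def cookie_problems(set_cookie: str) -> list[str]:
    """Audit a Set-Cookie value; an empty list means it meets the policy above.

    Covers the hardening attributes and the __Host- prefix rules. A __Host- cookie
    that violates those rules is silently dropped by the browser, which would
    break login rather than merely weaken it.
    """
    name_value, *raw_attrs = (p.strip() for p in set_cookie.split(";"))
    name = name_value.split("=", 1)[0]
    valued: dict[str, str] = {}
    flags: set[str] = set()
    for attr in raw_attrs:
        if "=" in attr:
            key, value = attr.split("=", 1)
            valued[key.strip().lower()] = value.strip()
        elif attr:
            flags.add(attr.lower())

    problems: list[str] = []
    if "httponly" not in flags:
        problems.append("missing HttpOnly")
    if "secure" not in flags:
        problems.append("missing Secure")
    if valued.get("samesite", "").lower() != "strict":
        problems.append("SameSite is not Strict")
    if name.startswith("__Host-"):
        if "secure" not in flags:
            problems.append("__Host- cookie without Secure is rejected by browsers")
        if valued.get("path") != "/":
            problems.append("__Host- cookie needs Path=/ exactly")
        if "domain" in valued:
            problems.append("__Host- cookie must not set Domain")
    return problems


if __name__ == "__main__":
    print(build_session_cookie("opaque-token", production=True))
    # Constructed weak header: prefix present but the prefix invariants are broken.
    print(cookie_problems("__Host-session=t; Path=/app; Domain=app.example.com; HttpOnly; SameSite=Lax"))
```

Running `cookie_problems` over the headers a staging deployment actually emits is a cheap regression check: a misconfigured Domain or Path on a __Host- cookie shows up as a login that never sticks, which is easy to misdiagnose.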

Password Reset

Password reset tokens are cryptographically random, stored only as a one-way hash in the database, and short-lived. Each token can be redeemed once. The response to a reset request is identical whether or not an account exists for the address, so the endpoint cannot be used to discover which email addresses are registered.
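Both the session tokens described under Session Security and the reset tokens described here follow one pattern: a random token handed to the client, only its hash kept in the database, looked up on every use. The following is an added example of that pattern in Python; it is not the Runima code. The in-memory `TokenStore`, the 15-minute reset lifetime, the response wording and the decision to revoke existing sessions when a reset is redeemed are assumptions made for the example.

```python
"""Random tokens stored only as hashes: sessions and password resets (added example)."""
from __future__ import annotations

import hashlib
import secrets
from dataclasses import dataclass, field

RESET_TOKEN_TTL = 15 * 60  # seconds; assumed value, the page only says "short-lived"


def token_digest(token: str) -> str:
    """Only the SHA-256 of a token is stored, so a leaked table cannot be replayed."""
    return hashlib.sha256(token.encode()).hexdigest()


@dataclass
class ResetRecord:
    user_id: int
    expires_at: float
    used: bool = False


@dataclass
class TokenStore:
    """In-memory stand-in for the database tables (constructed for the example)."""
    users_by_email: dict[str, int]
    sessions: dict[str, int] = field(default_factory=dict)        # token hash -> user id
    resets: dict[str, ResetRecord] = field(default_factory=dict)  # token hash -> record

    # --- sessions: validated against the store on every request ---
    def create_session(self, user_id: int) -> str:
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self.sessions[token_digest(token)] = user_id
        return token  # only the client ever holds the plaintext

    def user_for_session(self, token: str) -> int | None:
        return self.sessions.get(token_digest(token))

    def sign_out(self, token: str) -> None:
        self.sessions.pop(token_digest(token), None)  # effective on the next request

    def revoke_all_sessions(self, user_id: int) -> None:
        self.sessions = {h: u for h, u in self.sessions.items() if u != user_id}

    # --- password reset ---
    def request_reset(self, email: str, now: float) -> tuple[str, str | None]:
        """Return (response_message, token_to_email_or_None).

        The message is identical whether or not the account exists, so the
        endpoint cannot be used to enumerate registered addresses.
        """
        message = "If an account exists for that address, a reset link has been sent."
        user_id = self.users_by_email.get(email.strip().lower())
        if user_id is None:
            return message, None
        token = secrets.token_urlsafe(32)
        self.resets[token_digest(token)] = ResetRecord(user_id, now + RESET_TOKEN_TTL)
        return message, token

    def redeem_reset(self, token: str, now: float) -> int | None:
        """Return the user id if the token is known, unexpired and unused; else None."""
        record = self.resets.get(token_digest(token))
        if record is None or record.used or now >= record.expires_at:
            return None
        record.used = True  # single-use: a second redemption fails
        # Assumed hardening: a password change logs out every existing session,
        # so an attacker already holding a session does not survive the reset.
        self.revoke_all_sessions(record.user_id)
        return record.user_id


if __name__ == "__main__":
    import time

    store = TokenStore(users_by_email={"runner@example.com": 1})
    message, token = store.request_reset("runner@example.com", now=time.time())
    print(message)
    print("redeemed for user", store.redeem_reset(token, now=time.time()))
    print("second use ->", store.redeem_reset(token, now=time.time()))
```

Expiry is evaluated on redemption rather than by a background job, so a token that was never used simply stops working; the comparison `now >= expires_at` makes the lifetime exactly `RESET_TOKEN_TTL` seconds, with the boundary counting as expired.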

Transport Security

  • All traffic is served over HTTPS — HTTP is not accepted.
  • HTTP Strict Transport Security (HSTS) is enforced with a long max-age and the preload flag. Once the domain is in the browsers' built-in preload list, a browser upgrades to HTTPS before sending anything, so even a first visit never makes a plain-HTTP request.
  • TLS certificates are managed and rotated automatically by the hosting infrastructure.

Security Headers

Every response in production includes a strict set of security headers:

  • Content-Security-Policy — Strict allowlist blocking injection of external scripts, styles, and resources.
  • X-Frame-Options: DENY — Prevents the application from being embedded in iframes on any domain, blocking clickjacking attacks.
  • X-Content-Type-Options: nosniff — Prevents browsers from MIME-sniffing responses away from the declared Content-Type.
  • Referrer-Policy — Limits referrer information sent to external sites.
  • Permissions-Policy — Camera, microphone, geolocation, and payment APIs are explicitly disabled.
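The transport and header controls listed above can be checked mechanically against a live response. The following is an added example in Python, not Runima's own configuration: `PRODUCTION_HEADERS` is a hypothetical header set with assumed values (the page names the headers but not their exact contents), and `audit_headers` reports where a response falls short of that policy, including the preload-list requirements for HSTS.

```python
"""Audit a response's security headers against the stated policy (added example)."""
from __future__ import annotations

import re

ONE_YEAR = 31536000  # hstspreload.org requires at least this max-age

# Hypothetical production header set for this example; the exact values are assumptions.
PRODUCTION_HEADERS = {
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
    "Content-Security-Policy": (
        "default-src 'self'; script-src 'self'; style-src 'self'; img-src 'self' data:; "
        "object-src 'none'; base-uri 'self'; frame-ancestors 'none'"
    ),
    "X-Frame-Options": "DENY",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Permissions-Policy": "camera=(), microphone=(), geolocation=(), payment=()",
}


def csp_directives(csp: str) -> dict[str, list[str]]:
    """Parse a CSP header into {directive: [sources]}."""
    out: dict[str, list[str]] = {}
    for part in csp.split(";"):
        tokens = part.split()
        if tokens:
            out[tokens[0].lower()] = tokens[1:]
    return out


def audit_headers(headers: dict[str, str]) -> list[str]:
    """Return findings for a response's headers; an empty list means it matches the policy."""
    h = {k.lower(): v for k, v in headers.items()}
    findings: list[str] = []

    hsts = h.get("strict-transport-security", "")
    match = re.search(r"max-age=(\d+)", hsts, re.IGNORECASE)
    if not match:
        findings.append("HSTS missing")
    else:
        if int(match.group(1)) < ONE_YEAR:
            findings.append("HSTS max-age below one year")
        if "includesubdomains" not in hsts.lower():
            findings.append("HSTS includeSubDomains missing (required for preload)")
        if "preload" not in hsts.lower():
            findings.append("HSTS preload flag missing")

    csp = h.get("content-security-policy")
    if csp is None:
        findings.append("CSP missing")
    else:
        directives = csp_directives(csp)
        # script-src falls back to default-src when absent, so audit the effective value.
        scripts = directives.get("script-src", directives.get("default-src", []))
        if "'unsafe-inline'" in scripts or "*" in scripts:
            findings.append("CSP script-src allows inline or wildcard scripts")
        if "default-src" not in directives:
            findings.append("CSP lacks default-src fallback")

    if h.get("x-frame-options", "").upper() != "DENY":
        findings.append("X-Frame-Options is not DENY")
    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options nosniff missing")
    if "referrer-policy" not in h:
        findings.append("Referrer-Policy missing")

    permissions = h.get("permissions-policy", "").replace(" ", "")
    for feature in ("camera", "microphone", "geolocation", "payment"):
        if f"{feature}=()" not in permissions:
            findings.append(f"Permissions-Policy does not disable {feature}")
    return findings


if __name__ == "__main__":
    print(audit_headers(PRODUCTION_HEADERS))  # [] when the policy is met
    # Constructed weak response: short HSTS, inline scripts allowed, framing by same origin.
    print(audit_headers({
        "Strict-Transport-Security": "max-age=300",
        "Content-Security-Policy": "default-src 'self' 'unsafe-inline'",
        "X-Frame-Options": "SAMEORIGIN",
    }))
```

Feeding the function the headers from a real `HEAD` request in a deployment check catches the common regressions: a proxy that strips HSTS, a CSP relaxed for a debugging session and never tightened again, or a new endpoint served without the header middleware.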

CSRF Protection

All mutating requests (POST, PUT, PATCH, DELETE) are protected by independent layers of CSRF defense. At the browser level, the SameSite=Strict session cookie is never attached to a request that originates from another site. At the server level, each mutating request is independently verified to have originated from the application before it is acted on, so a bypass of one layer does not defeat the other.

Rate Limiting

Rate limiting is enforced on all endpoints. Authentication-related endpoints — sign-in, sign-up, password reset, and email verification — have significantly tighter per-IP limits to defend against credential stuffing and abuse.
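A per-IP limiter with a tighter budget on authentication routes, as an added example in Python (not Runima's implementation). The budgets (5 requests per minute for auth routes, 100 per minute elsewhere), the route paths and the sliding-window algorithm are assumptions; the page gives neither numbers nor algorithm.

```python
"""Per-IP sliding-window rate limits, tighter on authentication routes (added example)."""
from __future__ import annotations

from collections import defaultdict, deque
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Limit:
    requests: int
    window: float  # seconds


# Assumed budgets and paths for this example; the page states neither.
DEFAULT_LIMIT = Limit(requests=100, window=60.0)
AUTH_LIMIT = Limit(requests=5, window=60.0)
AUTH_ROUTES = {"/signin", "/signup", "/password-reset", "/verify-email"}


def limit_for(path: str) -> Limit:
    return AUTH_LIMIT if path in AUTH_ROUTES else DEFAULT_LIMIT


@dataclass
class RateLimiter:
    """Sliding-window counter keyed by (client IP, endpoint).

    The IP must be the real client address: behind a reverse proxy, take it from
    the proxy's forwarding header only when the connection comes from that proxy,
    otherwise a client can spoof the header and reset its own budget.
    """
    hits: dict[tuple[str, str], deque] = field(default_factory=lambda: defaultdict(deque))

    def allow(self, ip: str, path: str, now: float) -> bool:
        """Record the request and return True, or return False if over budget."""
        limit = limit_for(path)
        window = self.hits[(ip, path)]
        while window and now - window[0] >= limit.window:
            window.popleft()  # drop hits that have aged out of the window
        if len(window) >= limit.requests:
            return False  # respond 429 and expose retry_after() as Retry-After
        window.append(now)
        return True

    def retry_after(self, ip: str, path: str, now: float) -> float:
        """Seconds until the oldest hit ages out; 0 when the client is under budget."""
        limit = limit_for(path)
        window = self.hits[(ip, path)]
        if len(window) < limit.requests:
            return 0.0
        return max(0.0, limit.window - (now - window[0]))


if __name__ == "__main__":
    limiter = RateLimiter()
    # Constructed burst: six sign-in attempts from one address within a second.
    results = [limiter.allow("203.0.113.7", "/signin", now=100.0 + i / 10) for i in range(6)]
    print(results)  # the sixth attempt is refused
    print("retry after", limiter.retry_after("203.0.113.7", "/signin", now=100.6), "s")
```

Keying by endpoint rather than by a shared "auth" bucket means an attacker rotating between sign-in and password-reset gets each budget separately; if that is a concern, key auth routes into one bucket instead. Per-IP limits also blunt credential stuffing only for a single source; distributed attempts still need per-account controls.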

Data Access Isolation

All API endpoints require authentication. Every database query is scoped to the authenticated user's ID, which is taken from the validated session rather than from the request, so a user cannot read or modify another user's records by guessing or altering an identifier. Each user can only read and write their own records.
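The difference between a query scoped to the session user and one that trusts an identifier from the URL, as an added example in Python with SQLite (not Runima's schema or code). The `workouts` table, its two constructed rows and the function names are assumptions made for the example; the vulnerable function is included only to show the insecure direct object reference that the scoped version prevents.

```python
"""Scope every query to the authenticated user: IDOR-prone lookup beside the fixed one (added example)."""
from __future__ import annotations

import sqlite3

# Constructed sample data: two users, one workout each.
SCHEMA = """
CREATE TABLE workouts (
    id INTEGER PRIMARY KEY,
    user_id INTEGER NOT NULL,
    title TEXT NOT NULL,
    distance_km REAL NOT NULL
);
INSERT INTO workouts VALUES (1, 1, 'Morning run', 5.2);
INSERT INTO workouts VALUES (2, 2, 'Evening ride', 30.0);
"""


def open_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def get_workout_insecure(conn: sqlite3.Connection, workout_id: int):
    # VULNERABLE: the row is selected by the id from the URL alone. Any signed-in
    # user can enumerate ids and read every other user's workouts (IDOR).
    return conn.execute(
        "SELECT id, user_id, title FROM workouts WHERE id = ?", (workout_id,)
    ).fetchone()


def get_workout(conn: sqlite3.Connection, current_user_id: int, workout_id: int):
    # Scoped: current_user_id comes from the validated session, never from the
    # request, and every predicate includes it. A row belonging to someone else
    # is indistinguishable from a row that does not exist, so the API answers 404.
    return conn.execute(
        "SELECT id, user_id, title FROM workouts WHERE id = ? AND user_id = ?",
        (workout_id, current_user_id),
    ).fetchone()


def rename_workout(conn: sqlite3.Connection, current_user_id: int, workout_id: int, title: str) -> int:
    # Writes carry the same predicate. rowcount 0 means "not found or not yours";
    # the handler maps that to 404 without distinguishing the two cases.
    cur = conn.execute(
        "UPDATE workouts SET title = ? WHERE id = ? AND user_id = ?",
        (title, workout_id, current_user_id),
    )
    conn.commit()
    return cur.rowcount


def list_workouts(conn: sqlite3.Connection, current_user_id: int) -> list[tuple]:
    # Listing endpoints need the same scoping; there is no unscoped list at all.
    return conn.execute(
        "SELECT id, title, distance_km FROM workouts WHERE user_id = ? ORDER BY id",
        (current_user_id,),
    ).fetchall()


if __name__ == "__main__":
    db = open_db()
    print("insecure, user 1 asks for id 2:", get_workout_insecure(db, 2))  # leaks user 2's row
    print("scoped, user 1 asks for id 2:  ", get_workout(db, 1, 2))        # None -> 404
    print("scoped, user 1 asks for id 1:  ", get_workout(db, 1, 1))
```

Putting the user predicate in every statement (rather than checking ownership after fetching) keeps the check in one place and makes a missing predicate easy to spot in review; at scale the same guarantee can be enforced by the database itself with row-level security policies keyed on the session user.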

Responsible Disclosure

If you discover a security vulnerability in Runima, please report it through our contact form. We will respond promptly and keep you informed. We do not pursue legal action against good-faith security researchers.