Security Overview
We approach authentication and account management with server-side session controls, cookie-based auth, role-aware access checks, and minimal browser exposure.
Last updated: April 12, 2026
Authentication model
Sessions are designed around secure, cookie-based authentication rather than browser-stored bearer tokens. Sensitive token handling stays on the server boundary wherever possible, including protected page bootstrapping and proxy-style API communication.
Verification and recovery flows are intentionally staged to reduce misuse and protect user identity, including signed email actions and one-time verification codes.
Frontend hardening
Protected routes are gated at the middleware and server-rendering layers so sensitive pages are not left to client-side role checks alone. Only minimal account data is passed into interactive client components when needed.
The frontend does not place secrets in environment variables that are exposed to the browser, and it does not read HttpOnly auth cookies from JavaScript.
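The gating described above, as an added example that is not this product's own code: a server-side check resolves the opaque session cookie against a server-held store, enforces the route's role requirement, and hands the client only a minimal projection of the account. All names (`sessions`, `routeRoles`, `gate`, `toClientProps`, `buildSessionCookie`, the `session` cookie name) and the sample records are constructed for illustration.

```javascript
// Added example. Every name and record here is hypothetical / constructed.
// Server-held sessions keyed by the opaque value of the HttpOnly cookie.
const sessions = new Map([
  ["sid-admin", { displayName: "Ada", role: "admin", email: "ada@example.test",
                  refreshToken: "server-only", expiresAt: Date.now() + 60000 }],
  ["sid-member", { displayName: "Bo", role: "member", email: "bo@example.test",
                   refreshToken: "server-only", expiresAt: Date.now() + 60000 }],
  ["sid-stale", { displayName: "Cy", role: "admin", email: "cy@example.test",
                  refreshToken: "server-only", expiresAt: Date.now() - 1 }],
]);

// Protected route prefixes and the roles allowed to load them.
const routeRoles = [
  { prefix: "/admin", roles: ["admin"] },
  { prefix: "/account", roles: ["admin", "member"] },
];

// Attributes for the session cookie: not readable by scripts, HTTPS only.
function buildSessionCookie(sid) {
  return `session=${sid}; Path=/; HttpOnly; Secure; SameSite=Lax`;
}

// Parse a Cookie request header into a Map (first "=" splits name from value).
function parseCookies(header) {
  const jar = new Map();
  for (const part of (header || "").split(";")) {
    const eq = part.indexOf("=");
    if (eq > 0) jar.set(part.slice(0, eq).trim(), part.slice(eq + 1).trim());
  }
  return jar;
}

// Only these fields ever reach interactive client components.
function toClientProps(session) {
  return { displayName: session.displayName, role: session.role };
}

// Runs on the server before any protected page is rendered.
function gate(request) {
  const rule = routeRoles.find(
    (r) => request.path === r.prefix || request.path.startsWith(r.prefix + "/"));
  if (!rule) return { status: 200, props: null }; // assumption: unlisted = public
  const session = sessions.get(parseCookies(request.headers.cookie).get("session"));
  if (!session || session.expiresAt <= Date.now()) {
    return { status: 302, location: "/login" };
  }
  if (!rule.roles.includes(session.role)) return { status: 403 };
  return { status: 200, props: toClientProps(session) };
}
```

The email and refresh token stay in the server-held record; a member session receives 403 on `/admin` regardless of what the client-side code believes about its role.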
Operational practices
Security logging, token rotation, audit events, and backend enforcement remain critical controls that complement the frontend. Browser hardening is helpful, but it does not replace backend authorization, input validation, and session security.
If you believe you found a vulnerability or risky behavior, contact support with clear reproduction steps so the team can investigate responsibly.