Trust & Safety

Security

Security is a first-class concern at ReferentialSheet. This page documents the technical controls in place to protect your account and data.

Security Practices

Password Hashing

Passwords are hashed with bcrypt (cost factor 12) before storage. Plain-text passwords are never written to disk or logs.

Encrypted Transit

All traffic between your browser and our servers is encrypted with TLS 1.2+. We enforce HTTPS and set HSTS headers.

HTTP-Only Session Cookies

Authentication cookies are HTTP-only and Secure-flagged, preventing JavaScript access and reducing XSS exposure.

Private Workspaces

All user-created categories and snippets are scoped to the authenticated owner. API routes verify session ownership on every write operation.

Rate Limiting

API endpoints are rate-limited per user to prevent abuse. Authentication attempts are throttled to slow brute-force attacks.

Input Validation

All user input is validated server-side before being processed or stored. Content-type headers are verified on file uploads.

Infrastructure

Hosting

The application runs on Vercel's edge network. Static assets are served from Vercel's global CDN. Serverless functions run in isolated execution environments.

Database

User data is stored in a Neon PostgreSQL database. Connections use TLS. Database credentials are stored as environment variables and never exposed to the client.

File Storage

Uploaded images are stored in Cloudflare R2. Access to upload endpoints requires an authenticated session. File types and sizes are validated server-side before acceptance.

Secrets Management

All secrets (database credentials, API keys, auth secrets) are stored as encrypted environment variables in Vercel. They are never committed to source control or logged.

Responsible Disclosure

If you discover a security vulnerability in ReferentialSheet, please report it responsibly. We ask that you:

  • Do not publicly disclose the issue until we have had a chance to address it.
  • Do not access, modify, or delete data that is not yours.
  • Provide enough detail to reproduce and understand the vulnerability.

Report vulnerabilities by email to security@referential-sheet.com. We aim to acknowledge reports within 48 hours and resolve critical issues within 14 days.