Security

Security features and best practices for your account.


Account Security

Strong Passwords

We enforce strict password requirements:

  • Minimum 8 characters
  • At least one uppercase letter
  • At least one lowercase letter
  • At least one number

Additional protections:

  • Common password detection (blocks top 1000+ passwords)
  • Keyboard pattern detection (blocks qwerty, asdf, etc.)
  • Sequential character detection (blocks 123456, abcdef)
  • Breached password check via HaveIBeenPwned API
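
The local checks listed above can be sketched as follows. This is an added example, not Extasy's own code: the three-entry common-password set, the keyboard rows and the run length of 4 are assumptions, and the HaveIBeenPwned lookup is left out because it needs network access.

```javascript
// Added illustration, not Extasy's code. Values marked "assumed" are not from the page.
const COMMON = new Set(["password", "letmein", "welcome1"]); // assumed stand-in for the top-1000+ list
const KEYBOARD_ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890"]; // assumed layout
const RUN_LENGTH = 4; // assumed: shortest run treated as a pattern

// True if pw contains RUN_LENGTH consecutive characters whose code points
// step by +1 or -1 (abcd, 4321, ...).
function hasSequentialRun(pw) {
  const s = pw.toLowerCase();
  let up = 1, down = 1;
  for (let i = 1; i < s.length; i++) {
    const d = s.charCodeAt(i) - s.charCodeAt(i - 1);
    up = d === 1 ? up + 1 : 1;
    down = d === -1 ? down + 1 : 1;
    if (up >= RUN_LENGTH || down >= RUN_LENGTH) return true;
  }
  return false;
}

// True if any RUN_LENGTH-character window of pw lies along a keyboard row, in either direction.
function hasKeyboardPattern(pw) {
  const s = pw.toLowerCase();
  for (const row of KEYBOARD_ROWS) {
    const rev = [...row].reverse().join("");
    for (let i = 0; i + RUN_LENGTH <= s.length; i++) {
      const w = s.slice(i, i + RUN_LENGTH);
      if (row.includes(w) || rev.includes(w)) return true;
    }
  }
  return false;
}

// Returns the names of the failed rules; an empty list means the local checks pass.
function checkPassword(pw) {
  const errors = [];
  if (pw.length < 8) errors.push("min_length");
  if (!/[A-Z]/.test(pw)) errors.push("uppercase");
  if (!/[a-z]/.test(pw)) errors.push("lowercase");
  if (!/[0-9]/.test(pw)) errors.push("number");
  if (COMMON.has(pw.toLowerCase())) errors.push("common");
  if (hasKeyboardPattern(pw)) errors.push("keyboard_pattern");
  if (hasSequentialRun(pw)) errors.push("sequential");
  return errors;
}
```

A password such as Qwerty123456 meets all four character requirements and is still rejected by the pattern checks.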

Two-Factor Authentication (2FA)

Add an extra layer of security with TOTP-based 2FA:

  • Go to Dashboard → Settings → Security
  • Click Enable 2FA
  • Scan the QR code with your authenticator app
  • Enter the 6-digit code to confirm

Supported Apps:

  • Google Authenticator
  • Authy
  • 1Password
  • Bitwarden

Recovery Codes

When you enable 2FA, you receive 10 recovery codes:

  • Each code can only be used once
  • Store them in a safe place (download as .txt available)
  • Use them if you lose access to your authenticator
  • Regenerate codes anytime from Settings

Login Protection

Multiple layers protect your login:

  • Account lockout after 5 failed attempts (30 minutes)
  • Login notification emails with device & location info
  • Session expiry (7 days, or 30 days with Remember Me)
  • Cloudflare Turnstile bot protection on all auth forms

Data Protection

Encryption

  • Passwords · Hashed with bcrypt (cost factor 12)
  • Sessions · 64-character cryptographically secure tokens
  • OAuth Tokens · Encrypted with AES-256-GCM
  • 2FA Secrets · Encrypted at rest with AES-256-GCM

Secure Cookies

  • HTTP-Only · Prevents JavaScript access (XSS protection)
  • Secure Flag · Only sent over HTTPS
  • SameSite=Lax · CSRF protection

IP Anonymization (GDPR)

We anonymize IP addresses for privacy compliance:

  • IPv4: Last octet zeroed (e.g., 192.168.1.x)
  • IPv6: Last 80 bits zeroed
  • Full IPs never stored in analytics
  • Hashed IPs used only for session security
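
The truncation rule above, as an added example that is not Extasy's own code; the function names are hypothetical. It expands "::" compression and embedded IPv4 tails before zeroing, and returns null for anything that is not an IP address so malformed input is never stored verbatim.

```javascript
// Added illustration, not Extasy's code. Function names are hypothetical.

// Parse dotted-quad IPv4 into four octets, or return null.
function parseIPv4(addr) {
  const parts = addr.split(".");
  if (parts.length !== 4 || !parts.every((p) => /^\d{1,3}$/.test(p) && Number(p) <= 255)) return null;
  return parts.map(Number);
}

// Expand an IPv6 literal to its eight 16-bit groups, or return null if malformed.
function parseIPv6(addr) {
  let s = addr.split("%")[0]; // drop a zone id such as %eth0
  const cut = s.lastIndexOf(":") + 1;
  if (s.slice(cut).includes(".")) { // embedded IPv4 tail, e.g. ::ffff:203.0.113.7
    const o = parseIPv4(s.slice(cut));
    if (!o) return null;
    s = s.slice(0, cut) + ((o[0] << 8) | o[1]).toString(16) + ":" + ((o[2] << 8) | o[3]).toString(16);
  }
  const halves = s.split("::");
  if (halves.length > 2) return null; // "::" may appear at most once
  const head = halves[0] ? halves[0].split(":") : [];
  const rest = halves.length === 2 && halves[1] ? halves[1].split(":") : [];
  const missing = 8 - head.length - rest.length;
  if (halves.length === 2 ? missing < 1 : missing !== 0) return null;
  const groups = [...head, ...Array(missing).fill("0"), ...rest];
  if (!groups.every((g) => /^[0-9a-fA-F]{1,4}$/.test(g))) return null;
  return groups.map((g) => parseInt(g, 16));
}

// Zero the last octet of IPv4 and the last 80 bits (five groups) of IPv6.
function anonymizeIp(addr) {
  const v4 = parseIPv4(addr);
  if (v4) return `${v4[0]}.${v4[1]}.${v4[2]}.0`;
  const v6 = addr.includes(":") ? parseIPv6(addr) : null;
  if (!v6) return null;
  const kept = v6.slice(0, 3); // only the first 48 bits survive
  if (kept.every((g) => g === 0)) return "::";
  return kept.map((g) => g.toString(16)).join(":") + "::";
}
```

Under this rule an IPv4-mapped address such as ::ffff:203.0.113.7 collapses to "::", because its IPv4 part sits entirely in the zeroed bits.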

Bot Protection & Rate Limiting

Cloudflare Turnstile

Invisible bot protection without annoying CAPTCHAs:

  • Protects sign-up, sign-in, and password reset
  • Privacy-preserving verification
  • No user interaction required

Rate Limiting

We limit requests to prevent abuse:

Endpoint                  Limit
Login attempts            5 per 30 minutes
Password reset            3 per hour
API requests              1,000–10,000/hour (tier-based)
File uploads              10 per minute
Profile views tracking    1,000 per minute

DDoS Protection

Infrastructure-level protection:

  • Cloudflare WAF & Bot Fight Mode
  • Global CDN with edge caching
  • Automatic traffic filtering

Input Validation & Sanitization

All user inputs are validated and sanitized:

  • Zod schema validation on all server functions
  • Email validation with DNS/MX verification
  • Disposable email filter (300+ blocked domains)
  • Custom CSS sanitization (sandboxed)
  • URL validation and sanitization
  • File upload MIME type validation (magic bytes)
  • Maximum file size: 5MB
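
Magic-byte validation compares the first bytes of the uploaded content against known file signatures instead of trusting the declared Content-Type. The sketch below is an added example, not Extasy's own code; the allow-list of four image types and the function names are assumptions, and the sample buffers are constructed.

```javascript
// Added illustration, not Extasy's code. The allow-list of image types is an assumption.
const MAX_BYTES = 5 * 1024 * 1024; // 5MB limit stated on the page

// Signature table: MIME type -> leading byte pattern (null matches any byte).
const SIGNATURES = [
  { mime: "image/png", bytes: [0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a] },
  { mime: "image/jpeg", bytes: [0xff, 0xd8, 0xff] },
  { mime: "image/gif", bytes: [0x47, 0x49, 0x46, 0x38, null, 0x61] }, // GIF87a / GIF89a
  // WebP: "RIFF", a 4-byte size field, then "WEBP"
  { mime: "image/webp", bytes: [0x52, 0x49, 0x46, 0x46, null, null, null, null, 0x57, 0x45, 0x42, 0x50] },
];

// Return the MIME type whose signature matches the start of buf, or null.
function sniffMime(buf) {
  for (const sig of SIGNATURES) {
    if (buf.length < sig.bytes.length) continue;
    if (sig.bytes.every((b, i) => b === null || buf[i] === b)) return sig.mime;
  }
  return null;
}

// Accept an upload only if it is within the size limit, its content matches a known
// signature, and that signature agrees with the client-declared Content-Type.
function validateUpload(buf, declaredMime) {
  if (buf.length === 0) return { ok: false, reason: "empty" };
  if (buf.length > MAX_BYTES) return { ok: false, reason: "too_large" };
  const sniffed = sniffMime(buf);
  if (!sniffed) return { ok: false, reason: "unknown_type" };
  if (sniffed !== declaredMime) return { ok: false, reason: "mime_mismatch", sniffed };
  return { ok: true, mime: sniffed };
}

// Constructed samples: a PNG header, and an HTML document that a client labels as PNG.
const samplePng = Uint8Array.from([0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a, 0, 0, 0, 0x0d]);
const sampleHtml = new TextEncoder().encode("<html><body>hi</body></html>");
```

A matching signature only shows how the file starts, not that the rest of it is well-formed.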

Privacy Controls

Data Export

Download all your data anytime:

  • Go to Dashboard → Settings → Privacy & Data
  • Click Export My Data
  • Receive a JSON file with all your information

Account Deletion

Permanently delete your account:

  • Go to Dashboard → Settings → Danger Zone
  • Click Delete Account
  • Confirm with your password
  • All data permanently deleted

Cookie Consent

Granular control over cookies:

  • Essential cookies only by default
  • Optional analytics cookies (Vercel Analytics)
  • Preferences saved and respected

Best Practices

Do's

  • Use a unique, strong password
  • Enable two-factor authentication
  • Keep recovery codes in a safe place
  • Review login notification emails
  • Sign out on shared devices

Don'ts

  • Share your password with anyone
  • Use the same password on multiple sites
  • Click suspicious links in emails
  • Ignore login notifications
  • Store passwords in plain text

Reporting Security Issues

Found a vulnerability? Contact us responsibly:

  • Email: security@extasy.asia
  • Response Time: Within 48 hours

We appreciate responsible disclosure and may offer recognition for valid reports.

Compliance

GDPR / DSGVO

  • Data minimization
  • Right to access (data export)
  • Right to deletion (account deletion)
  • IP anonymization
  • Consent-based processing
  • Privacy policy & cookie policy

Questions about security? Contact us at security@extasy.asia.

Planned Security Features

These features are not yet implemented.

The following features are on our roadmap:

  • Bug bounty program
  • Security audit reports
  • Advanced malware scanning for uploads
  • Hardware security key support (WebAuthn)