Cloudflare SSL/TLS provides end-to-end encryption for all traffic, including custom domains

Cloudflare DDoS protection automatically detects and mitigates volumetric and application-layer attacks

Web Application Firewall (WAF) filters malicious traffic before it reaches our servers

Bot Management identifies and blocks automated threats at the edge

DNSSEC is enabled to prevent DNS spoofing and cache poisoning attacks

Always Use HTTPS ensures all requests are upgraded to secure connections

All data transmitted between your browser and Exposure is encrypted via TLS/HTTPS

SSL is enforced at both the Cloudflare edge and infrastructure layer across all endpoints

Static assets are served through Amazon CloudFront over HTTPS

Cloudflare DDoS mitigation provides always-on protection at the network edge

Rate limiting is enforced across critical endpoints including authentication, contact forms, and data exports

An IP blocklist system enables rapid response to identified threats

Request timeout protection prevents resource exhaustion attacks

User passwords are hashed using bcrypt, a one-way adaptive hashing algorithm. Plaintext passwords are never stored or logged.

Password requirements follow NIST SP 800-63B guidelines: minimum 8 characters, maximum 128 characters.

Password reset tokens are cryptographically random and expire within 24 hours. Tokens are automatically invalidated when your email address changes.

Authentication uses server-side sessions stored in a secure database (not in browser cookies), with a 2-week expiration policy

Login endpoints are protected by rate limiting: a maximum of 5 attempts per 90 seconds per account

Google reCAPTCHA Enterprise is required during account registration to prevent automated abuse

Sessions are stored server-side, minimizing data exposed in cookies

Session cookies are marked Secure for HTTPS-only transmission and use the SameSite attribute

Sessions are fully invalidated on sign-out

All user input is validated server-side, including format checks, length limits, and uniqueness constraints

Email addresses are validated using a dedicated library and checked against a blocklist of disposable email providers

File uploads are restricted to allowed image types (PNG, GIF, JPEG) with enforced size limits

SQL injection is prevented through the exclusive use of parameterized database queries. No raw SQL with string interpolation is used anywhere in the application.

Cross-Site Scripting (XSS) is mitigated through automatic HTML output escaping in all templates

Honeypot fields to catch automated bots

Submission timing analysis

Content-based spam filtering

reCAPTCHA Enterprise score-based verification

Rate limiting on both burst and sustained submission patterns

Expired sessions are purged daily via scheduled background jobs

Stale push notification subscriptions are cleaned up on a daily schedule

The codebase follows Rails security best practices, including parameterized queries, CSRF protection, automatic output escaping, and encrypted credentials

Brakeman (static security analysis) is used to identify potential vulnerabilities

Bundler Audit scans dependencies for known security vulnerabilities

Strong Migrations prevents unsafe database changes that could cause data loss

Sensitive parameters (passwords, tokens, keys) are automatically filtered from all application logs

Uploaded photos are stored in Amazon S3 with access managed through AWS IAM policies

All content is served over HTTPS through a CDN

Unpublished, password-protected, and deleted content is excluded from all public queries and endpoints

Story-level and site-level password protection allow you to restrict access to your content. These passwords are encrypted at rest.

Application performance monitoring provides real-time alerting in production

Background job processing is monitored for failures and queue health

All requests are tagged with unique IDs for traceability

Production logging operates at a level that minimizes inadvertent exposure of personal information