Authentication

Powered by Firebase Authentication with email & password. Tokens are verified server-side on every API call. Session management follows industry best practices.

Data Isolation

Multi-tenant Firestore rules enforce strict per-user data isolation. Each account can only read and write its own documents — no cross-tenant access is possible regardless of client-side code. A catch-all deny rule blocks all unspecified paths.

Encryption

Sensitive local data is encrypted with AES-256-GCM via the Web Crypto API. Encryption keys are derived using PBKDF2 with SHA-256 and a per-device salt. All cloud communication uses TLS 1.3 with HSTS enforcement.

API Protection

Every API endpoint is wrapped in security middleware with per-user rate limiting, CORS origin whitelisting, and request ID correlation for end-to-end tracing. Authenticated users receive higher rate limits while anonymous requests are throttled.

Security Headers

• Strict-Transport-Security — forces HTTPS
• Content-Security-Policy — prevents code injection
• X-Frame-Options: DENY — blocks clickjacking
• X-Content-Type-Options — prevents MIME sniffing
• Referrer-Policy — limits referrer leakage
• Permissions-Policy — disables camera, mic, geolocation

Input Validation & Sanitization

All user inputs are sanitized server-side to prevent XSS and injection attacks. Dedicated validators verify email, phone, SSN, and ZIP formats. Field injection is blocked at the Firestore rules layer with explicit allowlists.

Server Hardening

Path traversal attacks are blocked. Dotfiles, hidden directories, and sensitive paths return 403. Payloads are size-limited to prevent abuse. Static files are served with no-cache headers.

Data Handling

Client data is stored locally in your browser and syncs to your private cloud namespace when signed in. No data is shared between accounts. Exported files (CMSMTF, XML, PDF) are generated client-side and never pass through our servers. You can delete all cloud data at any time from Settings.