Security

Security at Web3 Serv

We build security in by default. This page summarizes the controls that protect the platform and your data, with their current status. Active = in place; Report-only = observing before enforcing; Active when configured = on once its keys are set; Planned = on the roadmap.

Transport & headers

HTTP Strict Transport Security (HSTS, preload)Active
Content-Security-PolicyReport-only
X-Content-Type-Options: nosniffActive
Clickjacking protection (X-Frame-Options / frame-ancestors)Active
Referrer-PolicyActive
Permissions-PolicyActive

Authentication & access

httpOnly, same-site session cookiesActive
Role-based access control (default-deny)Active
Jurisdiction geo-gating (US / OFAC)Active
Two-factor authentication for adminsPlanned

Data protection

Default-deny Firestore & Storage rulesActive
Owner-scoped uploads + short-lived signed URLsActive
EU data residency (Firestore eur3)Active
Encryption in transit (TLS)Active

Monitoring & response

Audit logs for sensitive actionsActive
Signed, fail-closed webhooksActive
Managed, encrypted backupsActive
Rate limiting on sensitive endpointsActive when configured
Error monitoringActive when configured
Public status pagePlanned
Independent penetration testPlanned

Report a vulnerability

Found a security issue? We welcome good-faith reports and offer safe harbor under our Vulnerability Disclosure Policy.

Disclosure policy security.txt Email [email protected]

This overview reflects the current implementation and is updated as controls evolve. It is not a certification or a guarantee against all risk.