LongboxIQ

Security

Last updated: June 18, 2026

Protecting your collection data is core to LongboxIQ. This page summarizes our security practices.

Infrastructure

  • Hosted on Vercel with HTTPS enforced
  • Cloudflare DNS, WAF, and DDoS protection
  • Google Firebase for authentication, Firestore database, and file storage
  • Firestore security rules and server-side ownership checks on all API routes

Authentication

  • Secure authentication via Firebase Auth
  • HTTP-only session cookies verified with Firebase Admin on the server
  • Role-based access control (user and admin roles)
  • Admin accounts encouraged to use multi-factor authentication

Application Security

  • Input validation on all API routes
  • Rate limiting on sensitive endpoints
  • Cloudflare Turnstile bot protection on auth and forms
  • Parameterized queries for optional PostgreSQL catalog search
  • Content Security Policy headers

Data Isolation

Private collection data is scoped to your account. Other users cannot access your collection, photos, receipts, or values.
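As an added illustration (not LongboxIQ's own rules file), a Firestore security rules document that scopes private data to the owning account in the way the Infrastructure and Data Isolation sections describe; the `users/{uid}` document layout, the shared `catalog` collection, and the `role` custom claim are assumptions.

```firestore
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {

    // True when the request carries a valid Firebase Auth identity.
    function signedIn() {
      return request.auth != null;
    }

    // True when the caller's uid matches the uid segment in the path.
    function isOwner(uid) {
      return signedIn() && request.auth.uid == uid;
    }

    // Admin role carried as a custom claim (claim name is an assumption).
    function isAdmin() {
      return signedIn() && request.auth.token.role == 'admin';
    }

    // Assumed layout: each user's collection items, photos, receipts and
    // values live under /users/{uid}/..., so ownership is the path itself.
    // The recursive wildcard covers every nested subcollection.
    match /users/{uid}/{document=**} {
      allow read, write: if isOwner(uid) || isAdmin();
    }

    // Assumed shared catalog: readable by any signed-in user, writable only
    // by admins, so a regular user cannot alter reference data.
    match /catalog/{itemId} {
      allow read: if signedIn();
      allow write: if isAdmin();
    }

    // Paths not matched above receive no allow statement and are denied.
  }
}
```

These rules apply only to client SDK traffic; requests made through the Firebase Admin SDK bypass them, which is why the server-side ownership checks on API routes listed above are needed as a second, independent layer.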

Reporting Vulnerabilities

If you discover a security issue, please report it responsibly to hello@longboxiq.com. We appreciate coordinated disclosure.