ioxer
Log inStart free
● Security · posture

What Is in Place. What Is Next. How to Report.

Security at Ioxer is treated like math: the system is verifiable, not trusted. Every control below can be confirmed independently - sniff our HTTP headers, inspect the cookie flags, read our open methodology at /methodology.

In place today

HTTPS-only with HSTS preload

live

Strict-Transport-Security: max-age=63072000; includeSubDomains; preload - eligible for the Chromium HSTS preload list.

Strict CSP (nonce + strict-dynamic)

live

A fresh per-request nonce with strict-dynamic; connect-src enumerates every external API the browser may reach; frame-ancestors none; object-src none; base-uri self; form-action self. Only the public homepage gets a narrowly-relaxed policy for its WebGL scene - every authenticated surface stays strict.

X-Frame-Options DENY

live

No third-party site can iframe Ioxer - defends against clickjacking on legacy browsers that do not honour CSP frame-ancestors.

X-Content-Type-Options nosniff

live

Browsers must trust our Content-Type headers - kills MIME-sniff XSS vectors.

Referrer-Policy strict-origin-when-cross-origin

live

Cross-site requests send only the origin (never the full URL); same-origin keeps the path. GDPR-friendly + cleaner third-party logs.

Permissions-Policy lockdown

live

camera, microphone, geolocation, payment, usb, interest-cohort all disabled - supply-chain XSS cannot reach those APIs even if it breaches CSP.

Engine internals are not on the public surface

live

The calibration constants are not exposed on the public API or the public database key: /api/iox returns scores, probabilities and the funding read only - never the calibration weights; direct database access with the public key is denied by row-level security. Checked by an internal automated probe — not an external security audit.

EU data residency (primary)

live

Primary user data — accounts and saved data — is stored in Supabase eu-west (Frankfurt). Compute via Vercel may transit US subprocessors under Standard Contractual Clauses (SCCs) — see /privacy for the full subprocessor list and GDPR posture.

Server-side cron auth

live

Every /api/cron/* route requires a Bearer secret matching CRON_SECRET. Mismatched calls return 401 with no body - no enumeration leak.

Admin gate: allowlist + session, fail-closed

live

Admin pages and /api/admin/* require a session whose email is in ADMIN_EMAILS; non-admins receive a 404 so the admin surface stays unmapped, and the gate fails closed on errors. 2FA (AAL2) is enforced for admins who have enrolled it — requiring AAL2 for every admin regardless of enrollment is on the roadmap.

Bot defence + per-IP rate limits

live

Scripted user-agents are blocked on anonymous public APIs and auth forms, backed by an in-memory ~60-req/min limit per IP on each edge instance (HTTP 429 above threshold; we pair it with platform-level controls for hard limits). Legitimate crons bypass via a constant-time Bearer check.

Cookie isolation

live

Auth cookies are HttpOnly + Secure + SameSite=Lax. The XSS that does steal a cookie cannot read it; CSRF is mitigated by SameSite.

CSRF tokens on mutating endpoints

live

Double-submit cookie pattern (dv-csrf cookie + X-CSRF-Token header), set in middleware and layered on the SameSite=Lax auth cookie, on account and auth mutation endpoints.

Critical key rotation

live

Supabase service-role, data-provider (Binance / CoinGecko), email-provider and Vercel cron secrets rotated after a routine audit; rotation cadence formalised.

Vulnerability disclosure

live

/.well-known/security.txt published per RFC 9116 - researchers can find the right contact in seconds.

Verifiable, not trusted

live

The method is open at /methodology, the live forward track record is recorded point-in-time at /track-record, and the engine output is a public read-only API at /docs - claims are checkable, not asserted.

On the roadmap

WebAuthn / passkey 2FA

roadmap

Phishing-resistant, origin-bound second factor (TouchID, Windows Hello, hardware key) - stronger than TOTP. Pro-tier launch.

Admin + engine action audit log

roadmap

Append-only log of every admin action and engine recalibration (actor, action, target, IP, timestamp) for forensic review. Q3 2026.

SOC2 Type I readiness

roadmap

Q4 2026 - control mapping + evidence collection, not the audit itself yet. Type II in 2027.

Bug-bounty programme

roadmap

Launch alongside Pro tier. Tiered payouts, scoped explicitly to ioxer.com production surface.

Reporting a vulnerability

Send findings to security@ioxer.com. Include the URL or endpoint, reproduction steps, and any proof-of-concept payload. We acknowledge within 48h, fix within 90 days for high-severity, and credit reporters who request it. Please do not run automated scanners against production beyond a single confirmation pass - you will hit our rate limits and trigger paging.

The machine-readable contact lives at /.well-known/security.txt per RFC 9116.

Security | Ioxer