Strict-Transport-Security: max-age=63072000; includeSubDomains; preload - eligible for the Chromium HSTS preload list.
A fresh per-request nonce with strict-dynamic; connect-src enumerates every external API the browser may reach; frame-ancestors none; object-src none; base-uri self; form-action self. Only the public homepage gets a narrowly-relaxed policy for its WebGL scene - every authenticated surface stays strict.
No third-party site can iframe Ioxer - defends against clickjacking on legacy browsers that do not honour CSP frame-ancestors.
Browsers must trust our Content-Type headers - kills MIME-sniff XSS vectors.
Cross-site requests send only the origin (never the full URL); same-origin keeps the path. GDPR-friendly + cleaner third-party logs.
camera, microphone, geolocation, payment, usb, interest-cohort all disabled - supply-chain XSS cannot reach those APIs even if it breaches CSP.
The calibration constants are not exposed on the public API or the public database key: /api/iox returns scores, probabilities and the funding read only - never the calibration weights; direct database access with the public key is denied by row-level security. Checked by an internal automated probe — not an external security audit.
Primary user data — accounts and saved data — is stored in Supabase eu-west (Frankfurt). Compute via Vercel may transit US subprocessors under Standard Contractual Clauses (SCCs) — see /privacy for the full subprocessor list and GDPR posture.
Every /api/cron/* route requires a Bearer secret matching CRON_SECRET. Mismatched calls return 401 with no body - no enumeration leak.
Admin pages and /api/admin/* require a session whose email is in ADMIN_EMAILS; non-admins receive a 404 so the admin surface stays unmapped, and the gate fails closed on errors. 2FA (AAL2) is enforced for admins who have enrolled it — requiring AAL2 for every admin regardless of enrollment is on the roadmap.
Scripted user-agents are blocked on anonymous public APIs and auth forms, backed by an in-memory ~60-req/min limit per IP on each edge instance (HTTP 429 above threshold; we pair it with platform-level controls for hard limits). Legitimate crons bypass via a constant-time Bearer check.
Auth cookies are HttpOnly + Secure + SameSite=Lax. The XSS that does steal a cookie cannot read it; CSRF is mitigated by SameSite.
Double-submit cookie pattern (dv-csrf cookie + X-CSRF-Token header), set in middleware and layered on the SameSite=Lax auth cookie, on account and auth mutation endpoints.
Supabase service-role, data-provider (Binance / CoinGecko), email-provider and Vercel cron secrets rotated after a routine audit; rotation cadence formalised.
/.well-known/security.txt published per RFC 9116 - researchers can find the right contact in seconds.
The method is open at /methodology, the live forward track record is recorded point-in-time at /track-record, and the engine output is a public read-only API at /docs - claims are checkable, not asserted.
Phishing-resistant, origin-bound second factor (TouchID, Windows Hello, hardware key) - stronger than TOTP. Pro-tier launch.
Append-only log of every admin action and engine recalibration (actor, action, target, IP, timestamp) for forensic review. Q3 2026.
Q4 2026 - control mapping + evidence collection, not the audit itself yet. Type II in 2027.
Launch alongside Pro tier. Tiered payouts, scoped explicitly to ioxer.com production surface.
Send findings to security@ioxer.com. Include the URL or endpoint, reproduction steps, and any proof-of-concept payload. We acknowledge within 48h, fix within 90 days for high-severity, and credit reporters who request it. Please do not run automated scanners against production beyond a single confirmation pass - you will hit our rate limits and trigger paging.
The machine-readable contact lives at /.well-known/security.txt per RFC 9116.