Security

Last updated: April 5, 2026

1. Transport Security

All data transmitted between your browser and Laurels is encrypted using TLS 1.2 or higher. We enforce HTTPS across all domains including subdomains, with HTTP Strict Transport Security (HSTS) headers set with a one-year max-age and the includeSubDomains directive.

2. Data Encryption at Rest

Sensitive credentials — including GitHub OAuth access tokens — are encrypted at rest using AES-256-GCM before being stored in the database. Encryption keys are stored separately from the data they protect and are never exposed in application logs.

3. Authentication

User authentication is handled by Supabase Auth, which issues JWT-based sessions. Passwords are hashed with bcrypt. We support OAuth sign-in via GitHub and Google. The session token is validated server-side (signature and expiry) on every authenticated request; we never rely on client-side session state alone.

4. Payment Security

All payment processing is handled by Stripe. Laurels never stores, transmits, or has access to full card numbers, CVV codes, or other sensitive payment data. Incoming Stripe webhook events are verified against the Stripe-Signature header (an HMAC-SHA256 over the timestamped raw request body) before they are processed, and each event ID is processed at most once, so Stripe's retried deliveries cannot cause duplicate processing.

5. OAuth Token Security

GitHub OAuth tokens connected to your account are stored only in the AES-256-GCM encrypted form described in section 2. When you disconnect your GitHub account, the token is revoked via GitHub's token revocation API and then deleted from our database. We request only the minimum OAuth scopes required: user:email, read:user, and public_repo.

6. Access Control

Our database uses Row-Level Security (RLS) policies enforced at the database layer, ensuring users can only access their own data. Administrative operations use a service role client that is strictly isolated to server-side code and never exposed to the client. All API routes validate authentication before processing requests.

7. Rate Limiting and Abuse Prevention

Public-facing endpoints, including the contact form and the widget configuration API, are rate-limited per client IP address. The contact form uses a honeypot field to detect bots and applies strict input validation. All user-supplied input is sanitised to prevent cross-site scripting (XSS).

8. Security Headers

All responses include the following security headers: X-Content-Type-Options: nosniff, X-Frame-Options: DENY, X-XSS-Protection: 1; mode=block, Referrer-Policy: strict-origin-when-cross-origin, and a Content Security Policy in production environments.

9. Infrastructure

Laurels is hosted on Vercel's edge infrastructure with automatic DDoS protection. Media files are stored on Cloudinary with signed URL delivery. Database infrastructure is managed by Supabase with automated backups and point-in-time recovery.

10. Vulnerability Disclosure

We operate a responsible disclosure programme. If you discover a security vulnerability, please report it to security@laurels.pro. We commit to acknowledging reports within 72 hours and resolving confirmed vulnerabilities within 30 days. We ask that you do not publicly disclose vulnerabilities until we have had the opportunity to address them.

11. Dependency Management

We regularly audit our npm dependencies for known vulnerabilities and maintain a policy of keeping all production dependencies up to date. Critical security patches are applied within 24 hours of disclosure.