Trust
Security And Access
Current controls for beta environments.
Transport Security
Internet deployments enforce HTTPS behind a reverse proxy with forwarded header validation and HSTS support.
Authentication
Browser access uses form login with CSRF protection and explicit logout. API endpoints require authenticated access.
Credential Handling
Mailbox credentials are encrypted at rest. Owners can disconnect access at any time to remove stored mailbox credentials.
Operational Protection
Rate limits are applied to login, mailbox connection tests, manual sync triggers, and invite provisioning.
Browser Security Headers
The browser UI sets Content-Security-Policy, Referrer-Policy and Permissions-Policy headers and applies CSRF protection and clickjacking protection.
Secret Management
Production secrets are supplied through environment variables or a secret store, with separate database, object storage, mailbox encryption and provisioning keys.
Security contact: security@pecpilot.com
How to revoke access