Trust

Security

How we protect your data, your tokens, and your audience. SOC 2 Type II in progress (Q4 2026).

Infrastructure

  • Vercel (Frankfurt) for the application edge
  • Railway managed Postgres with daily snapshots + point-in-time recovery
  • TLS 1.3 everywhere (Let's Encrypt, auto-rotated)
  • Strict CSP, HSTS, X-Frame-Options DENY on all responses

Authentication

  • Email verification required before login
  • JWT in HttpOnly cookies, 24-hour expiry, SameSite=None + Secure in production
  • Per-IP rate limiting on login + register
  • bcrypt password hashing (cost factor 12)
  • Optional Google + Telegram OAuth as additional sign-in methods (planned Q2 2026)
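As an added illustration of the JWT-in-cookie policy above (example code, not the project's own): mint an HS256 JWT with a 24-hour exp claim, verify it with a pinned algorithm and a constant-time MAC check, and emit the Set-Cookie value with HttpOnly, Secure and SameSite=None. The cookie name and the signing-key variable are assumptions.

```python
import base64, hashlib, hmac, json, time

COOKIE_NAME = "session"   # assumed cookie name; the page does not state it
TOKEN_TTL = 24 * 3600     # 24-hour expiry, as stated above


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def compact_json(obj) -> bytes:
    return json.dumps(obj, separators=(",", ":")).encode()


def issue_jwt(secret: bytes, username: str, now=None) -> str:
    """Mint an HS256 JWT whose exp claim is TOKEN_TTL seconds after issue time."""
    now = int(time.time()) if now is None else now
    header = b64url_encode(compact_json({"alg": "HS256", "typ": "JWT"}))
    payload = b64url_encode(compact_json({"sub": username, "iat": now, "exp": now + TOKEN_TTL}))
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"


def verify_jwt(secret: bytes, token: str, now=None):
    """Return the claims if the MAC verifies and the token is unexpired, else None."""
    now = int(time.time()) if now is None else now
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        if json.loads(b64url_decode(header_b64)).get("alg") != "HS256":
            return None  # pin the algorithm: reject "none" and anything else
        expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
            return None  # constant-time comparison of the MAC
        claims = json.loads(b64url_decode(payload_b64))
        if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
            return None  # expired, or exp missing
        return claims
    except (ValueError, AttributeError):
        return None  # malformed token: wrong segment count, bad base64 or JSON


def session_cookie(token: str) -> str:
    """Production Set-Cookie value: HttpOnly keeps scripts away from the JWT, Secure
    limits it to TLS, and SameSite=None (only valid together with Secure) allows
    cross-site sends, so CSRF protection has to come from elsewhere."""
    return "; ".join([f"{COOKIE_NAME}={token}", f"Max-Age={TOKEN_TTL}",
                      "Path=/", "HttpOnly", "Secure", "SameSite=None"])
```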

Data at rest

  • Bot tokens encrypted with Fernet (AES-128-CBC with HMAC-SHA256 authentication) keyed off WEB_SECRET_KEY
  • Postgres encryption at rest (managed by Railway)
  • Backups encrypted, retained 30 days

Audit & monitoring

  • Every mutating action writes to an immutable audit log (username, action, resource, IP, timestamp)
  • Failed-login alerts via Sentry (configurable)
  • Cross-region health checks every 60 seconds

Responsible disclosure

Found a vulnerability? Email security@myskua.com. We respond within 24 hours and credit reporters in our security hall of fame.