Security

How NaluFleet protects your fleet data

HTTPS Only: all traffic is encrypted in transit
Two-Factor Auth: optional 2FA for every account
Data Isolation: each company's data is kept separate from every other company's

Authentication & Access Control

  • Passwords hashed with bcrypt (work factor 12); plaintext passwords are never stored
  • Optional two-factor authentication (TOTP, RFC 6238) available to all users
  • Session identifier rotated on every login (blocks session fixation); session cookies carry the Secure flag, so they are only ever sent over HTTPS
  • Role-based access control with four roles: super admin, company admin, manager, driver
  • Every database query is scoped by company_id, so one company's records are never returned to another company's users
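
The combination of a role check and a company_id scope on every query is easiest to see in code. The following is an added example written for this page, not NaluFleet's own code: it uses an in-memory sqlite3 database with constructed sample rows, a hypothetical user dict of the form {"role": ..., "company_id": ...}, and the four role names listed above. Both the read and the write bind company_id as a query parameter; the unsafe variant is included only to show how string formatting lets a crafted filter escape the tenant scope.

```python
import sqlite3

# Roles in increasing order of privilege. A role may perform any action whose
# minimum role is at or below its own rank.
ROLE_RANK = {"driver": 0, "manager": 1, "company_admin": 2, "super_admin": 3}


class Forbidden(Exception):
    """Raised when the caller's role is too low for the requested action."""


def seed() -> sqlite3.Connection:
    """Constructed sample data (not real customer data): two companies, three vehicles."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE vehicles (id INTEGER PRIMARY KEY, company_id INTEGER NOT NULL, plate TEXT NOT NULL)"
    )
    conn.executemany(
        "INSERT INTO vehicles (company_id, plate) VALUES (?, ?)",
        [(1, "ACME-001"), (1, "ACME-002"), (2, "BETA-001")],
    )
    conn.commit()
    return conn


def require_role(user: dict, minimum: str) -> None:
    """Role check; user is a dict like {"role": "manager", "company_id": 1} (hypothetical shape)."""
    if ROLE_RANK[user["role"]] < ROLE_RANK[minimum]:
        raise Forbidden(f"role {user['role']} cannot perform a {minimum}-level action")


def list_vehicles(conn, user: dict, plate_filter: str = "%") -> list:
    """Tenant-scoped read: the WHERE clause always carries the caller's company_id,
    and both values are bound as parameters, never formatted into the SQL string.
    Only super_admin may see every company."""
    require_role(user, "driver")
    if user["role"] == "super_admin":
        rows = conn.execute(
            "SELECT company_id, plate FROM vehicles WHERE plate LIKE ? ORDER BY id",
            (plate_filter,),
        )
    else:
        rows = conn.execute(
            "SELECT company_id, plate FROM vehicles WHERE company_id = ? AND plate LIKE ? ORDER BY id",
            (user["company_id"], plate_filter),
        )
    return [tuple(r) for r in rows]


def list_vehicles_unsafe(conn, user: dict, plate_filter: str = "%") -> list:
    """The anti-pattern, shown only for contrast: string formatting lets a crafted
    filter close the quote and OR its way past the company_id scope."""
    sql = (
        f"SELECT company_id, plate FROM vehicles WHERE company_id = {user['company_id']} "
        f"AND plate LIKE '{plate_filter}' ORDER BY id"
    )
    return [tuple(r) for r in conn.execute(sql)]


def delete_vehicle(conn, user: dict, vehicle_id: int) -> int:
    """Tenant-scoped write: needs manager or above, and the row must belong to the
    caller's company. Returns the number of rows deleted (0 if it was another tenant's)."""
    require_role(user, "manager")
    cur = conn.execute(
        "DELETE FROM vehicles WHERE id = ? AND company_id = ?",
        (vehicle_id, user["company_id"]),
    )
    conn.commit()
    return cur.rowcount
```

With the filter `%' OR '1'='1`, the unsafe query returns every company's vehicles, while the parameterized one treats the whole string as a LIKE pattern and returns nothing. Likewise a manager from company 1 deleting vehicle id 3 (which belongs to company 2) affects zero rows, because the company_id predicate is part of the DELETE itself rather than a check done beforehand.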

Transport Security

  • All production connections are required to use TLS (HTTPS)
  • HTTP Strict Transport Security (HSTS) enabled, so a browser that has seen the header refuses to connect over plain HTTP
  • Security response headers: X-Frame-Options: DENY (blocks framing, against clickjacking), X-Content-Type-Options: nosniff (disables MIME sniffing), Referrer-Policy (limits what the Referer header reveals)
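
An added example, not NaluFleet's own code, of what "enforced over HTTPS" plus these headers looks like at the application edge: a small WSGI middleware, written for this page, that redirects plain-HTTP requests to HTTPS and attaches the headers to every response. It assumes a TLS-terminating proxy that overwrites X-Forwarded-Proto, uses an assumed Referrer-Policy value (the page names the header but not its value), and takes an optional canonical host so the redirect never echoes an attacker-chosen Host header. The hello_app and call helper are constructed for the demonstration.

```python
SECURITY_HEADERS = [
    # One year, including subdomains: the usual starting point for HSTS.
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
    ("X-Frame-Options", "DENY"),
    ("X-Content-Type-Options", "nosniff"),
    # The page names Referrer-Policy without a value; this value is an assumption.
    ("Referrer-Policy", "strict-origin-when-cross-origin"),
]


def is_https(environ: dict) -> bool:
    """True if the request arrived over TLS. Trusting X-Forwarded-Proto is only
    valid when a TLS-terminating proxy in front of the app overwrites it (assumed here)."""
    proto = environ.get("HTTP_X_FORWARDED_PROTO") or environ.get("wsgi.url_scheme", "http")
    return proto.split(",")[0].strip().lower() == "https"


class EnforceHttps:
    """WSGI middleware: 301 plain-HTTP requests to HTTPS and add the security headers."""

    def __init__(self, app, enabled=True, canonical_host=None):
        self.app = app
        self.enabled = enabled                # False for local development over http://
        self.canonical_host = canonical_host  # avoids echoing an attacker-chosen Host header

    def __call__(self, environ, start_response):
        if self.enabled and not is_https(environ):
            host = self.canonical_host or environ.get("HTTP_HOST", "localhost")
            target = f"https://{host}{environ.get('PATH_INFO', '/')}"
            if environ.get("QUERY_STRING"):
                target += "?" + environ["QUERY_STRING"]
            start_response("301 Moved Permanently", [("Location", target), ("Content-Length", "0")])
            return [b""]

        def start_with_headers(status, headers, exc_info=None):
            present = {name.lower() for name, _ in headers}
            extra = [(n, v) for n, v in SECURITY_HEADERS if n.lower() not in present]
            if not self.enabled:
                # Never emit HSTS on a dev HTTP origin: browsers would remember it.
                extra = [(n, v) for n, v in extra if n != "Strict-Transport-Security"]
            return start_response(status, headers + extra, exc_info)

        return self.app(environ, start_with_headers)


def hello_app(environ, start_response):
    """Constructed stand-in for the real application."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"fleet ok"]


def call(app, environ: dict):
    """Run a WSGI app against a constructed environ; return (status, headers dict, body)."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"], captured["headers"] = status, headers

    body = b"".join(app(environ, start_response))
    return captured["status"], dict(captured["headers"]), body


if __name__ == "__main__":
    print(call(EnforceHttps(hello_app), {"wsgi.url_scheme": "https", "PATH_INFO": "/"}))
    print(call(EnforceHttps(hello_app), {"wsgi.url_scheme": "http", "HTTP_HOST": "fleet.example",
                                         "PATH_INFO": "/login", "QUERY_STRING": "next=%2F"}))
```

The HSTS header is deliberately withheld when enforcement is off: once a browser has cached it for a hostname, it will refuse plain HTTP to that host for the whole max-age, which is exactly what you want in production and exactly what you do not want on a developer's http://localhost.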

Application Security

  • CSRF tokens (Flask-WTF) required on all state-changing requests
  • Parameterized queries on all database operations, so user input is never interpolated into SQL text (the defence against SQL injection)
  • Rate limiting on login, registration and API endpoints, to slow brute-force and credential-stuffing attempts
  • File uploads checked against a size limit and an allowed-type list
  • JWT-based authentication for API access, with a configurable token expiry
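
What "JWT authentication with configurable expiry" has to get right on the verifying side is more than decoding the payload: the algorithm must be pinned by the server, the signature must be checked in constant time before any claim is trusted, and the exp claim must be enforced. The following is an added illustration written for this page using only the Python standard library; it is not NaluFleet's code, and a production application should use a maintained library such as PyJWT rather than hand-rolling this. The claim names (sub, cid, role, iat, exp) and the secret are assumptions for the demonstration.

```python
import base64
import hashlib
import hmac
import json
import time


class TokenError(Exception):
    """Any reason a token is unacceptable: malformed, wrong alg, bad signature, expired."""


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(secret: bytes, user_id: int, company_id: int, role: str,
                ttl_seconds: int, now=None) -> str:
    """HS256 JWT whose lifetime is ttl_seconds (the configurable expiry)."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    # Claim names assumed for this example: sub, cid (company), role, iat, exp.
    payload = {"sub": str(user_id), "cid": company_id, "role": role, "iat": now, "exp": now + ttl_seconds}
    parts = [b64url_encode(json.dumps(obj, separators=(",", ":")).encode()) for obj in (header, payload)]
    signing_input = ".".join(parts).encode("ascii")
    signature = hmac.new(secret, signing_input, hashlib.sha256).digest()
    return ".".join(parts + [b64url_encode(signature)])


def verify_token(secret: bytes, token: str, now=None, leeway: int = 0) -> dict:
    """Return the claims only if alg is the one we expect, the HMAC verifies, and exp has not passed."""
    now = int(time.time()) if now is None else now
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
        signature = b64url_decode(sig_b64)
    except ValueError as exc:  # wrong part count, bad base64, bad JSON, bad UTF-8
        raise TokenError("malformed token") from exc
    # Pin the algorithm server-side; never let the token's own header choose it.
    # This is what blocks alg=none and HMAC/RSA key-confusion tokens.
    if header.get("alg") != "HS256":
        raise TokenError("unexpected alg")
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):  # constant-time comparison
        raise TokenError("bad signature")
    payload = json.loads(b64url_decode(payload_b64))
    exp = payload.get("exp")
    # A token without a numeric exp is rejected rather than treated as non-expiring.
    if not isinstance(exp, int) or now > exp + leeway:
        raise TokenError("token expired")
    return payload


if __name__ == "__main__":
    key = b"example-only-secret"  # assumption: real keys come from the environment
    tok = issue_token(key, user_id=42, company_id=1, role="manager", ttl_seconds=3600)
    print(tok)
    print(verify_token(key, tok))
```

Note the ordering: the signature is verified before the payload is even parsed, so a tampered payload (say, a changed cid or role) is rejected on the signature check and its contents never reach application code. The leeway parameter is the usual small allowance for clock skew between the issuing and verifying hosts.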

Infrastructure

  • Hosted on DigitalOcean with automated backups
  • Secrets and API keys are supplied as environment variables and are never committed to source code
  • Payment card data is handled entirely by Stripe, a PCI DSS compliant payment processor, and is never handled by NaluFleet itself

Reporting a Vulnerability

If you discover a security issue, please report it to us through our contact form rather than publishing it, so that we can fix it first. We will respond within 48 hours.

© 2026 NaluFleet. All rights reserved.