The security baseline for Veridion Markets.

Every connection to Veridion is encrypted in transit using TLS 1.3. HSTS is enforced with a 2-year max-age, includeSubDomains, and preload directive. The domain is registered for the HSTS preload list, so browsers refuse plain HTTP connections to veridionmarkets.com and any subdomain.

All user data is encrypted at rest using AES-256, including database storage and backups. Encryption keys are managed by the database provider, Supabase, using industry-standard key management.

• Passwords are salted and one-way hashed using a modern hashing algorithm. Plaintext passwords are never stored, transmitted to application servers, or logged.
• Session cookies are HttpOnly and SameSite=Lax. They are not accessible from JavaScript.
• Authentication state is verified server-side on every authenticated request. There is no client-side trust boundary.
• Rate limiting is enforced on every authentication endpoint to reduce credential-stuffing and brute-force attempts.

• Row-level security policies are enforced at the database layer. A signed-in user can only read or modify rows tagged with their own user ID.
• Administrative routes are gated by an explicit owner-email allowlist. Non-owner authenticated users receive a 404 response, not a 403, so administrative endpoints are not discoverable.
• API keys, service role tokens, and provider credentials are stored as environment variables in the hosting provider. They are not committed to source control.

• Content Security Policy is enforced on every response: default-src self, with narrow allowlists for scripts, styles, fonts, images, and connect targets. The policy is reviewed at every CSP-affecting change.
• X-Content-Type-Options: nosniff reduces MIME-type sniffing risk.
• X-Frame-Options: SAMEORIGIN reduces clickjacking risk.
• Referrer-Policy: strict-origin-when-cross-origin reduces URL-based leakage to third parties.
• Permissions-Policy disables camera, microphone, geolocation, and federated-cohort features the application does not use.
• The deploy pipeline runs an automated check-no-leaks gate before any release reaches production. The gate scans for unsupported regulatory claims, placeholder data, hardcoded fake-data structures, technology-stack disclosures in marketing surfaces, accidentally committed API keys, service-role-key anon-fallback regressions, and an explicit allowlist of dangerous patterns.

• A production smoke test runs four times daily against critical public routes and a representative ticker sample. Smoke-test failures alert the operator within minutes.
• Application errors are captured by Sentry with stack traces. Personal data is scrubbed before transmission to the error monitor.
• A per-ticker diagnostic tool allows the operator to probe any covered symbol against ten reliability checks in seconds.
• Deploys are atomic. A failed deploy does not partially update production. The prior version remains live until the new build is fully promoted.
• A GitHub Actions security scan runs on every push and pull request: gitleaks for secret detection, npm audit for known vulnerabilities, semgrep with security-audit and OWASP top-ten rule packs, the project's own check-no-leaks gate, and the full test suite.