Security
Defence in depth, by design.
Last updated — February 2026
Architecture
InvestTracker is built with a security-first architecture. Your financial data is encrypted at rest and in transit, protected by strict access controls, and isolated so that no one — not other users, not third parties, not even us — can access your holdings.
Authentication
- Secure authentication — user registration, login, and session management use industry-standard protocols. Passwords are hashed with bcrypt and never stored in plain text.
- Server-side session validation — every authenticated request is verified server-side by calling the auth service, rather than trusting the claims in the JWT alone (a locally decoded token says nothing about whether the session has since been revoked).
- Middleware protection — all dashboard routes are gated by middleware that checks session state before rendering.
Data isolation
Every database table is protected by strict access control policies. Queries are automatically scoped to the authenticated user, ensuring complete data isolation at the database layer — not just the application layer. One user cannot read or modify another user's data under any circumstances.
Administrative operations (cron jobs, bulk snapshots) use a separate privileged key with explicit authorisation checks and are never exposed to the client.
API route security
- Cron endpoints — protected by a secret bearer token that is compared on the server. If the secret is not configured, the endpoint returns a 500 and refuses to run the job rather than failing open.
- Export endpoints — verify user identity and confirm portfolio ownership before returning any data.
- No public APIs — there are no unauthenticated endpoints that expose user data.
Transport security
- All traffic between the client and server uses HTTPS / TLS.
- Database connections use TLS-encrypted channels.
- Third-party API calls (market data, email) are made over HTTPS from the server only — never from the browser.
HTTP security headers
The application sets the following security headers on every response:
- X-Content-Type-Options: nosniff
- X-Frame-Options: DENY
- Referrer-Policy: strict-origin-when-cross-origin
- Permissions-Policy: camera=(), microphone=(), geolocation=()
- Content-Security-Policy — restricts script sources, blocks framing, and limits connections to approved domains.
Data encryption
- At rest — all data is encrypted at rest using AES-256.
- In transit — all data is encrypted via TLS 1.2+ during transmission.
- Credentials — passwords are hashed with bcrypt. API keys and secrets are stored as environment variables, never in source code or the database.
Dependency management
Dependencies are regularly audited. The application uses a lockfile that pins every dependency to an exact version, so a package update cannot reach a build until the lockfile itself is changed and reviewed; this limits the exposure to a compromised or unverified package release.
Responsible disclosure
If you discover a security vulnerability, please report it privately at support@investtracker.app. We take all reports seriously and will respond promptly. For details on how we handle your data, see our Privacy Policy.