Stacktora / Security
Security & Trust
We're an early-stage company. We haven't pursued formal certifications like SOC 2 yet — that's honest, not evasive, and we'd rather tell you exactly what's real today than lean on a badge. Here's what actually happens when you use Stacktora.
Your account
- Passwords are hashed with bcrypt before they ever touch the database — we cannot see, recover, or email you your password, because we don't have it. Only a verifier can check it, not us.
- Password reset links are single-use, expire in 60 minutes, and the token itself is hashed in storage — not saved as plain text.
- Login and account creation are rate-limited to slow down automated abuse and brute-force attempts.
- Session cookies are marked
HttpOnly(invisible to JavaScript, including any malicious script that might get injected) andSameSite=Lax(limits cross-site request abuse), and markedSecurewhenever the connection is HTTPS. - Optional two-factor authentication (TOTP, the standard authenticator-app code) is available on every account, with one-time backup codes for recovery if you lose your device.
Every request that changes something
- State-changing requests (saving a stack, submitting a recipe, changing account settings) require a CSRF token tied to your session — a malicious site cannot silently take actions on your behalf.
- Every database query in the codebase uses parameterized queries, not string-built SQL — the standard, effective defense against SQL injection.
The Vault & public submissions
- Every submitted recipe is validated against a strict schema server-side before it's even stored — malformed or malicious payloads are rejected outright, not sanitized-and-hoped-for.
- Nothing submitted to the Vault goes live automatically. A human reviews and approves every single recipe before the public ever sees it.
- Submissions are capped per account to keep the review queue from being floodable.
- Public attribution ("by @username" on your submissions) is entirely opt-in — nothing about your account is public by default, and you can set or clear a username anytime.
What we're not claiming
We don't have SOC 2, ISO 27001, or a third-party security audit yet, and we don't currently offer hard account lockouts after failed logins — only rate-limiting. If any of that changes, this page will change with it. If you have a specific security question this page doesn't answer, ask us directly: support@stacktora.com.
