Security at CiteFit
Security is built into every layer of CiteFit — from the database to the browser. This page documents the controls we have in place and how to report a vulnerability if you find one.
Infrastructure
CiteFit runs on Vercel (globally distributed edge network) backed by Supabase (PostgreSQL on AWS eu-west-2). Traffic is proxied through Cloudflare, which provides DDoS mitigation, a web application firewall, and TLS termination before requests reach our servers.
We do not operate physical servers. Our infrastructure providers hold ISO 27001 and SOC 2 Type II certifications.
Encryption
- In transit: All connections are encrypted with TLS 1.2 or higher. HTTP Strict Transport Security (HSTS) is enforced with a one-year max-age including subdomains, preventing downgrade attacks.
- At rest: Database volumes are encrypted with AES-256. Backups are encrypted before being written to object storage.
- API keys: CiteFit API keys are stored as SHA-256 hashes only. The raw key is shown once at creation and never stored in plaintext.
Authentication
CiteFit uses passkeys (WebAuthn) as the primary authentication mechanism. Passkeys are phishing-resistant by design — they are bound to the origin and rely on device biometrics or a hardware security key, with no shared secret ever transmitted to our servers.
A one-time-code magic-link is available as a fallback. Sessions use short-lived JWTs with automatic refresh. There are no passwords.
Access Control & Tenant Isolation
Every database query is subject to Row-Level Security (RLS) policies enforced at the database level. A user can only read or write rows that belong to their own account — there is no application-layer switch that can bypass this.
API access uses Bearer tokens validated against stored hashes. Each token is scoped to a single user and subject to the same RLS policies as the web session.
Application Security
- Content Security Policy: A per-request nonce-based CSP with 'strict-dynamic' is applied to every HTML response, blocking inline script injection.
- CSRF protection: Mutating API requests require a double-submit CSRF token stored in a __Host-prefixed cookie (Secure, SameSite=Strict), validated with a timing-safe comparison.
- Rate limiting: All endpoints are rate-limited — IP-based for unauthenticated routes, user-based for authenticated routes — with Retry-After headers on 429 responses.
- Security headers: Every response includes X-Frame-Options: DENY, X-Content-Type-Options: nosniff, and a restrictive Permissions-Policy.
AI & Prompt Security
User-supplied content is screened for prompt injection before being sent to any AI provider, using a combination of a real-time content safety API and a synchronous in-process screen that catches jailbreak patterns with zero network latency.
User input is always placed in the user role and never interpolated into system prompts. Special characters and injection-prone sequences are stripped before embedding user data in LLM context.
Payment Security
Payments are processed by Stripe, a PCI DSS Level 1 certified payment processor. CiteFit never receives, stores, or transmits raw card data — all payment information is tokenised by Stripe before it reaches our systems. Webhook payloads are verified by HMAC signature before being processed.
Monitoring & Incident Response
Security-relevant events are captured and alerted on in real time. We monitor for anomalous access patterns, rate-limit exhaustion, and authentication failures.
In the event of a confirmed security incident we will notify affected users within 72 hours in accordance with UK GDPR Article 33/34 obligations.
Data & Privacy
CiteFit is operated from the United Kingdom and processes personal data in accordance with UK GDPR. You can export all data associated with your account at any time from your account settings, and request deletion by contacting privacy@citefit.com.
See our Privacy Policy and Data Processing Agreement for full details.
Reporting a Vulnerability
If you believe you have found a security vulnerability, we encourage responsible disclosure and will work with you to resolve it promptly.
How to report
Email security@citefit.com. Do not open a public GitHub issue for security problems. To help us triage quickly, please include:
- A description of the vulnerability and its potential impact
- Step-by-step instructions to reproduce the issue
- Any relevant URLs, request/response pairs, or screenshots
- Your suggested severity (Critical / High / Medium / Low)
Scope
In scope:
- citefit.com and all subdomains
- The CiteFit web application and its API endpoints
- Authentication and session-management flows
Out of scope:
- Denial-of-service attacks or volumetric testing
- Social engineering or phishing of CiteFit staff
- Physical security attacks
- Vulnerabilities in third-party services we rely on (report those to the relevant vendor)
- Automated scanner output without proof of exploitability
Our commitments
- Acknowledge receipt within 3 business days
- Provide an initial severity assessment and resolution timeline within 10 business days
- Notify you when the vulnerability has been fixed
- Credit you in our release notes (if you wish) once the issue is resolved
Safe harbor
We will not pursue legal action against researchers who discover and report vulnerabilities in good faith, provided they: avoid accessing, modifying, or deleting data that does not belong to them; do not disrupt our services or degrade user experience; and disclose findings to us before making them public (coordinated disclosure).
Encrypted reporting
If your report is sensitive, you may encrypt it using our PGP key, available at /.well-known/pgp-key.txt.
Last reviewed April 2026.