7BusyBoss

Security

How we protect your data and how to tell us if you find a problem.

How we protect the site

  • Transport security: HTTPS everywhere; HSTS with a two-year max-age, includeSubDomains and preload, so browsers never make a plaintext request to the domain or its subdomains.
  • Content Security Policy: a fresh nonce is generated per request and attached to every inline script. script-src is nonce-based with 'strict-dynamic', so a script that lacks the nonce and was not loaded by a nonced script is blocked.
  • Frame protection: the site cannot be iframed on third-party origins.
  • Sandboxed tool runners: AI-generated tool code runs inside srcDoc iframes that cannot read cookies, localStorage, or the parent DOM.
  • CSRF protection: server actions are checked as same-origin; mutating API routes reject requests whose Origin header does not match the site's own origin.
  • Cookies: all session cookies are HttpOnly + Secure + SameSite=Strict.
  • Admin login: rate-limited (5 attempts / 15 min / IP), constant-time password compare, every attempt audit-logged.
  • Database access: parameterised queries via Prisma. No raw user-supplied SQL.
  • Rate limiting: Upstash Redis on every mutation endpoint.
  • Audit trail: every privileged action recorded with actor, IP, timestamp, target.
  • Webhook security: incoming payment webhooks (when shipped) must carry an HMAC-SHA-256 signature that is verified before the payload is processed, and deliveries are rejected unless their timestamp falls within a 5-minute window, so a captured delivery cannot be replayed later.
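
The Origin check described under CSRF protection, written out as an added example (this is not the site's code). It assumes https://7busyboss.com is the only origin allowed to call mutating routes, and that the route handler exposes request headers as a plain object keyed by lower-case name; both are assumptions of this example. The edge cases it handles are the ones that commonly break naive checks: a missing header, the literal value null, non-default ports and mixed-case hosts, and look-alike hosts that pass a prefix comparison.

```javascript
// Added example of the Origin check a mutating API route applies.
// Not the site's own code; the allow-list and header shape are assumptions.
const MUTATING_METHODS = new Set(["POST", "PUT", "PATCH", "DELETE"]);

export function makeOriginGuard(allowedOrigins) {
  // Canonicalise the allow-list once (host lower-cased, default port dropped)
  // so "https://7BusyBoss.com:443" compares equal to "https://7busyboss.com".
  const allowed = new Set(allowedOrigins.map((o) => new URL(o).origin));

  // headers: plain object keyed by lower-case header name (assumed shape).
  return function checkRequest(method, headers) {
    if (!MUTATING_METHODS.has(method.toUpperCase())) {
      return { ok: true, reason: "safe method, no Origin check" };
    }

    const raw = headers["origin"];
    // Browsers send Origin on POST/PUT/PATCH/DELETE, including same-origin
    // requests. A missing header means a non-browser client or a stripped
    // header, so fail closed rather than fall back to trusting the request.
    if (raw === undefined) return { ok: false, reason: "missing Origin" };

    // "null" is the serialised opaque origin sent by sandboxed iframes
    // (the site's own tool runners included) and by some redirect chains.
    // It can never equal the site's origin, so reject it explicitly.
    if (raw === "null") return { ok: false, reason: "opaque (null) Origin" };

    let origin;
    try {
      origin = new URL(raw).origin;
    } catch {
      return { ok: false, reason: "unparseable Origin" };
    }
    if (origin === "null") return { ok: false, reason: "opaque (null) Origin" };

    // Exact match on the canonical origin. A startsWith/endsWith comparison
    // would let https://7busyboss.com.evil.example through.
    return allowed.has(origin)
      ? { ok: true, reason: "same-origin" }
      : { ok: false, reason: `cross-site Origin ${origin}` };
  };
}

// Guard configured for the assumed production origin.
export const checkRequest = makeOriginGuard(["https://7busyboss.com"]);
```

Two caveats follow from the code. The check only runs for unsafe methods, so a route that mutates state on GET is not covered and has to be fixed at the route, not here. And because the site's sandboxed tool runners send Origin: null, tool code that reaches a mutating route is rejected by this guard as well as by the SameSite=Strict cookie policy, which is the intended layering.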

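The webhook verification described above (HMAC-SHA-256 plus a 5-minute replay window), as an added example that is not the site's code. The page does not publish a header format, so this example assumes a hypothetical X-Webhook-Signature header of the form t=<unix seconds>,v1=<hex MAC>, with the MAC computed over "<t>.<raw body>" so that the timestamp is covered by the signature; the secret, body and timestamps in the test are constructed. The sender-side signing function is included only so the example runs end to end.

```javascript
import { createHmac, timingSafeEqual } from "node:crypto";

// Assumed (hypothetical) header layout; the page does not specify one:
//   X-Webhook-Signature: t=<unix seconds>,v1=<hex HMAC-SHA-256 of "<t>.<raw body>">
// Because t is inside the signed string, a replaying party cannot freshen it.
const REPLAY_WINDOW_SECONDS = 5 * 60;

// Sender side (what a payment provider would do). Included for the example.
export function signPayload(secret, rawBody, timestampSeconds) {
  const mac = createHmac("sha256", secret)
    .update(`${timestampSeconds}.${rawBody}`)
    .digest("hex");
  return `t=${timestampSeconds},v1=${mac}`;
}

function parseSignatureHeader(header) {
  if (typeof header !== "string") return null;
  const fields = Object.fromEntries(
    header.split(",").map((kv) => kv.split("=", 2)),
  );
  const t = Number(fields.t);
  const v1 = fields.v1;
  if (!Number.isInteger(t) || typeof v1 !== "string" || !/^[0-9a-f]{64}$/i.test(v1)) {
    return null;
  }
  return { t, v1 };
}

export class WebhookVerifier {
  constructor(secret, { now = () => Math.floor(Date.now() / 1000), windowSeconds = REPLAY_WINDOW_SECONDS } = {}) {
    this.secret = secret;
    this.now = now;                 // injectable clock so tests can pin the time
    this.windowSeconds = windowSeconds;
    this.seen = new Map();          // accepted MAC (hex) -> last second its timestamp is still valid
  }

  // Returns { ok, reason }. rawBody must be the bytes exactly as received;
  // re-serialising parsed JSON changes the bytes and invalidates the MAC.
  verify(rawBody, signatureHeader) {
    const parsed = parseSignatureHeader(signatureHeader);
    if (!parsed) return { ok: false, reason: "malformed signature header" };

    const now = this.now();
    if (Math.abs(now - parsed.t) > this.windowSeconds) {
      return { ok: false, reason: "timestamp outside replay window" };
    }

    const expected = createHmac("sha256", this.secret)
      .update(`${parsed.t}.${rawBody}`)
      .digest();
    const presented = Buffer.from(parsed.v1, "hex");
    // timingSafeEqual throws on unequal lengths, so check length first.
    if (presented.length !== expected.length || !timingSafeEqual(presented, expected)) {
      return { ok: false, reason: "bad signature" };
    }

    // The window alone still admits the identical delivery for up to five
    // minutes. Remember each accepted MAC until its timestamp would be
    // rejected anyway, and refuse repeats in the meantime.
    for (const [mac, validUntil] of this.seen) {
      if (validUntil < now) this.seen.delete(mac);
    }
    const key = parsed.v1.toLowerCase();
    if (this.seen.has(key)) return { ok: false, reason: "replayed delivery" };
    this.seen.set(key, parsed.t + this.windowSeconds);
    return { ok: true, reason: "verified" };
  }
}
```

The order of checks matters: the header is parsed and the timestamp checked before any HMAC is computed, the comparison is constant-time on fixed-length digests, and the dedup set is keyed on the verified MAC rather than on an id parsed from an unverified body. The in-memory Map is per process; behind Vercel's serverless scaling the same store would have to live in shared storage such as the Redis already used for rate limiting, otherwise two instances can each accept the same delivery once.
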
Where we host things

  • Vercel — application hosting, edge network, DDoS protection.
  • Neon — PostgreSQL database. Encrypted at rest and in transit.
  • Upstash — Redis for rate limiting + admin settings.
  • Resend — outbound transactional email. DKIM + SPF + DMARC configured.
  • Google — OAuth (Sign in with Google) and Tag Manager / Analytics.
  • OpenRouter — routes requests to AI providers (Anthropic, Google, OpenAI, etc.) for the AI Builder and prompt runner.

Full details, including data flows for each vendor, are in our Privacy Policy.

Reporting a vulnerability

Found something? Email support@7busyboss.com with the subject prefix SECURITY: followed by a one-line summary.

In your report, please include:

  • The URL and a clear reproduction (curl, screenshot, or video — whatever is fastest)
  • The impact you believe this has (information disclosure, account takeover, denial of service, etc.)
  • Whether you accessed any data that wasn't your own
  • How we can credit you publicly (or whether you'd prefer to stay anonymous)

Our commitment

  • Acknowledgement within 48 hours.
  • First remediation update within 7 days.
  • A coordinated disclosure window of 90 days from initial report.
  • Public credit in this page's Hall of Fame (below) unless you ask us not to.

Safe-harbour

We won't pursue legal action against good-faith security research that:

  • Tests only your own accounts and data.
  • Avoids degrading service for others (no DoS, no automated scraping of user PII).
  • Reports findings to us before public disclosure.
  • Does not access, modify, or destroy data that isn't yours.

Out of scope

The following don't qualify as vulnerabilities here:

  • Missing security headers without a demonstrable exploit chain.
  • Self-XSS that requires the victim to paste code into their console.
  • Vulnerabilities affecting only out-of-date browsers (we support evergreen + last 2 majors).
  • Reports from automated scanners with no manual validation.
  • Issues in third-party services we use (please report to the vendor directly).
  • SPF / DKIM / DMARC misconfigurations on subdomains that don't send email.

Hall of fame

No reports yet. Yours could be the first.

See also: /.well-known/security.txt · Privacy policy · Terms