Security

Our security flow

We design security as an ongoing flow: prevent abuse, reduce risk, and respond quickly when something goes wrong.

1) Prevention by default

  • Secure transport and browser hardening headers on all responses.
  • Same-origin validation for write API routes to reduce cross-site request abuse.
  • Rate limiting on sensitive endpoints to protect against brute-force and automation spikes.
  • Authenticated data access through Supabase Row Level Security policies.
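As an added example (not the page's own code), the following Node.js snippet shows the first three prevention controls above wired into one request gate: hardening headers attached to every response, a same-origin check applied only to state-changing API routes, and a fixed-window rate limiter on sensitive paths. The request shape, allowed origin, header values, path names and limits are assumptions chosen for illustration.

```javascript
// Added example, not the page's own code. Assumed request shape:
// { method, path, headers, ip }. Origins, paths and limits are illustrative.
const ALLOWED_ORIGINS = new Set(["https://app.example.com"]); // assumed deployment origin
const WRITE_METHODS = new Set(["POST", "PUT", "PATCH", "DELETE"]);

// Browser hardening headers applied to every response (values are assumed).
const SECURITY_HEADERS = {
  "Strict-Transport-Security": "max-age=63072000; includeSubDomains",
  "X-Content-Type-Options": "nosniff",
  "X-Frame-Options": "DENY",
  "Referrer-Policy": "strict-origin-when-cross-origin",
};

// Same-origin validation: only write API calls are gated, and a missing
// Origin header is rejected rather than assumed to be first-party.
function isSameOrigin(req) {
  if (!WRITE_METHODS.has(req.method) || !req.path.startsWith("/api/")) return true;
  const origin = req.headers["origin"];
  return typeof origin === "string" && ALLOWED_ORIGINS.has(origin);
}

// Fixed-window rate limiter keyed by client IP. `now` is injected so the
// decision is deterministic and easy to test.
function createRateLimiter({ limit, windowMs }) {
  const buckets = new Map(); // ip -> { count, windowStart }
  return function allow(ip, now = Date.now()) {
    const b = buckets.get(ip);
    if (!b || now - b.windowStart >= windowMs) {
      buckets.set(ip, { count: 1, windowStart: now });
      return true;
    }
    b.count += 1;
    return b.count <= limit;
  };
}

const SENSITIVE_PATHS = new Set(["/api/login", "/api/reset-password"]); // assumed paths
const loginLimiter = createRateLimiter({ limit: 5, windowMs: 60_000 });

// Evaluate one request and return the gate decision plus response headers.
function gateRequest(req, now = Date.now()) {
  const headers = { ...SECURITY_HEADERS };
  if (!isSameOrigin(req)) {
    return { status: 403, reason: "cross-origin write", headers };
  }
  if (SENSITIVE_PATHS.has(req.path) && !loginLimiter(req.ip, now)) {
    return { status: 429, reason: "rate limited", headers: { ...headers, "Retry-After": "60" } };
  }
  return { status: 200, reason: "ok", headers };
}

// Constructed sample traffic, not captured from any real system.
function demo() {
  const write = { method: "POST", path: "/api/profile", headers: { origin: "https://evil.example" }, ip: "203.0.113.5" };
  return gateRequest(write, 0).status; // 403: cross-origin write
}

module.exports = { isSameOrigin, createRateLimiter, gateRequest, demo };
```

Reads (GET) pass through the origin check untouched because they are not state-changing, while a write with no Origin header at all is refused; the limiter returns 429 with a Retry-After hint once the window's budget is spent and silently resets when the window rolls over.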

2) In-product safety controls

  • Profile and chat safety actions: ask, report, and block.
  • Discover privacy controls including hidden and blocked lists in Settings.
  • Moderation review flows with tagged reports for admin follow-up.

3) Continuous improvement

Before production launch on your new domain, we recommend adding two more layers:

  • Strict Content Security Policy with nonces for inline scripts.
  • Centralized audit logging for security-sensitive actions.