security
Security at Anthracode.
We keep the website minimal, gate private routes server-side, and avoid storing secrets in the browser or repository.
current controls
- HTTPS enforced with HSTS on production.
- Authentication is handled through Supabase magic links and OAuth providers.
- Protected dashboard and profile routes require a verified server-side user.
- Optional analytics load only after cookie consent.
- Security headers are configured to restrict content sniffing, framing, referrers, and permissions, and to set a CSP.
reporting
Please report vulnerabilities privately to security@anthracode.com. Include the affected URL, impact, reproduction steps, and any relevant logs.
Do not access, modify, or delete data that is not yours. Do not run destructive tests against production systems.
