Cloutfind is built and operated with a deliberately small attack surface. This page summarizes how we protect your data and what to do if you find a vulnerability.
Authentication
We use passwordless magic-link sign-in. There are no passwords to store, leak, or brute-force. Session tokens are stored in HttpOnly cookies and signed with HS256. Tokens expire after seven days.
Transport and infrastructure
- All traffic is served over TLS 1.2+ (HSTS preloaded).
- Nginx in front of the app strips headers used in known middleware-bypass attacks and applies a full response-header set: HSTS (1y + includeSubDomains + preload), Content-Security-Policy (self + Stripe iframes, no third-party scripts), X-Frame-Options DENY, X-Content-Type-Options nosniff, Referrer-Policy strict-origin-when-cross-origin, and a Permissions-Policy locking camera, microphone, geolocation, payment scope, and interest-cohort.
- The backend runs on a dedicated VPS isolated from any of our other products. The database is bound to localhost; no Postgres port is open to the public internet.
- Secrets (Stripe, Resend, AI provider) live only in the server's environment file (chmod 600). They never enter git, the frontend bundle, or client logs.
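To make the header policy above checkable rather than just stated, here is an added Python audit (not Cloutfind's code) that takes a response-header map and reports every deviation from that policy: HSTS max-age of at least one year with includeSubDomains and preload, a CSP whose script sources are only 'self' and whose frame sources are only Stripe hosts, X-Frame-Options DENY, nosniff, the stated Referrer-Policy, and a Permissions-Policy that locks the five listed features. The sample header set is constructed; the Stripe frame host in it is an assumption used only to exercise the check.

```python
from typing import Dict, List

# Constructed sample carrying the header set described above.
HARDENED_HEADERS = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload",
    "Content-Security-Policy": "default-src 'self'; script-src 'self'; "
                               "frame-src 'self' https://js.stripe.com; object-src 'none'",
    "X-Frame-Options": "DENY",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Permissions-Policy": "camera=(), microphone=(), geolocation=(), payment=(), interest-cohort=()",
}


def _parse_csp(value: str) -> Dict[str, List[str]]:
    """'default-src a b; script-src c' -> {'default-src': ['a', 'b'], 'script-src': ['c']}"""
    out: Dict[str, List[str]] = {}
    for chunk in value.split(";"):
        parts = chunk.strip().split()
        if parts:
            out[parts[0].lower()] = parts[1:]
    return out


def _parse_kv(value: str, sep: str) -> Dict[str, str]:
    """'max-age=31536000; preload' -> {'max-age': '31536000', 'preload': ''}"""
    out: Dict[str, str] = {}
    for chunk in value.split(sep):
        name, _, val = chunk.strip().partition("=")
        if name:
            out[name.lower()] = val.strip()
    return out


def _host_of(source: str) -> str:
    return source.split("://", 1)[-1].split("/")[0].split(":")[0].lower()


def audit_headers(headers: Dict[str, str]) -> List[str]:
    """Return a list of findings; an empty list means every check passed."""
    h = {k.lower(): v for k, v in headers.items()}
    findings: List[str] = []

    hsts = _parse_kv(h.get("strict-transport-security", ""), ";")
    if not hsts.get("max-age", "").isdigit() or int(hsts["max-age"]) < 31536000:
        findings.append("HSTS max-age missing or below one year")
    for flag in ("includesubdomains", "preload"):
        if flag not in hsts:
            findings.append(f"HSTS missing {flag}")

    csp = _parse_csp(h.get("content-security-policy", ""))
    if not csp:
        findings.append("Content-Security-Policy missing")
    scripts = csp.get("script-src", csp.get("default-src", []))
    if any(src != "'self'" for src in scripts):
        findings.append("CSP allows script sources other than 'self'")
    frames = csp.get("frame-src", csp.get("child-src", csp.get("default-src", [])))
    for src in frames:
        if src == "'self'":
            continue
        host = _host_of(src)
        if not (host == "stripe.com" or host.endswith(".stripe.com")):
            findings.append(f"CSP frame source outside Stripe: {src}")

    if h.get("x-frame-options", "").upper() != "DENY":
        findings.append("X-Frame-Options is not DENY")
    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options is not nosniff")
    if h.get("referrer-policy", "").lower() != "strict-origin-when-cross-origin":
        findings.append("Referrer-Policy is not strict-origin-when-cross-origin")

    permissions = _parse_kv(h.get("permissions-policy", ""), ",")
    for feature in ("camera", "microphone", "geolocation", "payment", "interest-cohort"):
        if permissions.get(feature) != "()":
            findings.append(f"Permissions-Policy does not lock {feature}")
    return findings
```

Running this against the headers of a live response (for example the map returned by an HTTP client) turns the bullet list above into a regression check that fails the moment a proxy or deployment change drops one of the headers.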
AI hardening
- Every AI endpoint is paid-tier-gated and per-org rate-limited. No unauthenticated traffic reaches the AI provider.
- User input is wrapped as untrusted data and the system prompt explicitly instructs the model to ignore role-override attempts.
- Output is sanitized for model-identity leakage before being returned to clients.
Payments
Card data is handled exclusively by Stripe. We never see, store, or proxy card numbers. Stripe webhooks are signature-verified and idempotently processed.
Responsible disclosure
If you find a security issue, please email security@cloutfind.com with reproduction steps. Do not exploit the issue, do not exfiltrate user data, and give us a reasonable window to fix it before public disclosure. We acknowledge reports within 72 hours.