Security Overview
The controls PulseForge uses to protect account data, billing operations, monitoring infrastructure, and API access.
PulseForge applies layered security across identity, traffic, runtime, billing, and dashboard access. We continue hardening the platform as features ship and usage scales.
Data Protection
- Encrypted transport between browser, API, and payment systems.
- Restricted secret handling through environment-based configuration.
- Input validation and controlled request handling across critical routes.
Platform Hardening
- Origin restrictions for production traffic.
- Rate limiting on manual endpoint tests to reduce abuse risk.
- Security headers for framing, sniffing, transport, and browser policy control.
- Monitored worker deployment with production D1-backed billing state.
Identity and Access
- Firebase-backed authentication and token verification.
- Protected dashboard routes and authorization headers on API calls.
- Billing actions gated behind authenticated user context.
- Stored API keys masked in dashboard views.
Operational Practices
- Lint, typecheck, and production build validation before release.
- Secret scanning in CI for pushed changes.
- Dependency review and rollout checks for worker/frontend updates.
Responsible Disclosure Expectations
If you discover a security issue, we ask that you report it privately, avoid public disclosure until remediation is complete, and refrain from accessing data that is not yours or attempting disruptive exploitation.
Reports that include reproduction steps, impact summary, and affected routes or environments help us resolve issues faster.