Security at Project Tracker

• ✓bcrypt hashing (cost 12) — Your password is never stored in plain text. We store a bcrypt hash that is computationally infeasible to reverse.
• ✓Unique salts — Each password has a unique salt, so identical passwords produce different hashes. Rainbow table attacks are ineffective.
• ✓Server-side enforcement — Minimum password requirements are enforced on the server, not just the UI.
• ✓No reversible storage — We never store password hints, plain-text recovery codes, or any reversible representation of your password.

• ✓TOTP via Google Authenticator — Project Tracker supports time-based one-time passwords (RFC 6238) compatible with Google Authenticator, Authy, and any standard TOTP app.
• ✓Per-workspace enforcement — Workspace Admins can make 2FA mandatory for all members before accessing the workspace.
• ✓TOTP secrets encrypted at rest — Your authenticator secret key is stored encrypted in the database.
• ✓Admin 2FA reset — Admins can reset 2FA for any team member (e.g., lost phone). Super-admins can reset 2FA for entire workspaces.

• ✓HTTP-only cookies — Session tokens are stored in HTTP-only cookies, inaccessible to JavaScript and XSS attacks.
• ✓Secure flag — Cookies are only transmitted over HTTPS connections.
• ✓SameSite=Lax — Prevents CSRF by blocking cookies from being sent with cross-origin POST requests.
• ✓7-day expiry — Sessions automatically expire after 7 days of inactivity.

Every API endpoint that retrieves or modifies data includes a mandatory workspace_id filter derived from the authenticated server-side session — never from user-controlled input.

• ✓Session-bound workspace ID — The workspace a user belongs to is stored in their server-side session, not a URL parameter or client-side value that could be tampered with.
• ✓Cross-workspace query prevention — Even if an attacker obtained another workspace’s project ID, they could not use it to retrieve that workspace’s data.
• ✓Role enforcement at API layer — All permission checks happen on the server. The UI reflects permissions but the API enforces them independently.

Project Tracker defines six roles with progressively restricted permissions, all enforced server-side.

• ✓HTTPS/TLS 1.2+ — All traffic is encrypted. Unencrypted HTTP connections are redirected to HTTPS.
• ✓Encryption at rest — Database and file storage are encrypted at rest using AES-256.
• ✓HSTS — Strict-Transport-Security headers instruct browsers to only connect via HTTPS, preventing downgrade attacks.
• ✓Security headers — X-Content-Type-Options, X-Frame-Options, and Referrer-Policy headers are applied to every response.

• ✓Type validation — Uploaded files are validated server-side. Executable files are rejected.
• ✓150 MB size limit — Per-file upload limits prevent denial-of-service attacks.
• ✓Workspace-scoped access — Files are only accessible to members of the workspace that uploaded them.

• ✓Stored encrypted — Your Anthropic API key is stored encrypted within your workspace’s database record.
• ✓Never exposed to clients — The API key is never returned in any API response or visible in the browser.
• ✓Admin-only configuration — Only Workspace Admins and Managers can set or change the AI API key.
• ✓Immediate revocation — Removing the API key from Settings immediately disables all AI features.

• ✓Managed cloud infrastructure — Project Tracker runs on managed cloud infrastructure with automatic failover and DDoS protection.
• ✓Daily automated backups — Database backups are taken daily and retained for 30 days.
• ✓Dependency monitoring — Third-party library vulnerabilities are monitored and patches applied promptly.
• ✓Rate limiting — API endpoints are rate-limited to prevent abuse and brute-force attacks.