Transport & authentication
- All API traffic is forced over HTTPS with TLS 1.2+ (modern ciphers only).
- Authentication uses HttpOnly + Secure session cookies — JavaScript on the page cannot read them, eliminating an entire class of token-theft attacks.
- JWTs are signed with HS256 and decoded with the algorithm pinned (no algorithm-downgrade attack surface).
- Every JWT is bound to a server-side session row; signing out, revoking a session, or being blocked instantly invalidates all tokens for that session — even unexpired ones.
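The two JWT controls above (algorithm pinning and session binding) in one runnable form. This is an added example, not the service's own code: it implements HS256 with the standard library instead of a JWT library, and the secret, the session table and the session-revoked flag are constructed stand-ins for the server-side session rows the page describes. The point it shows is that the header's `alg` value is never used to choose a verifier, and that a correctly signed, unexpired token still fails once its session row is revoked.

```python
import base64
import binascii
import hashlib
import hmac
import json
import time

# Constructed demo values; a real deployment loads the secret from configuration
# and reads sessions from the database.
SECRET = b"demo-secret-do-not-use"
SESSIONS = {
    "sess-1": {"user_id": 42, "revoked": False},
    "sess-2": {"user_id": 42, "revoked": True},   # user signed out of this one
}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def issue_token(user_id: int, session_id: str, ttl: int = 3600, now=None) -> str:
    """Mint an HS256 JWT whose 'sid' claim points at a server-side session row."""
    now = int(time.time()) if now is None else now
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps({"sub": user_id, "sid": session_id, "exp": now + ttl}).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_token(token: str, now=None) -> dict:
    """Return the claims only if signature, expiry AND the bound session are all good."""
    now = int(time.time()) if now is None else now
    try:
        h, p, s = token.split(".")
    except ValueError:
        raise ValueError("malformed token")
    header = json.loads(_b64url_decode(h))
    # Algorithm pinning: anything other than the one algorithm we issue is refused
    # outright, so "alg": "none" or an RS256 header never reaches signature checking.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(SECRET, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(p))
    if claims["exp"] <= now:
        raise ValueError("expired")
    # Session binding: a valid signature is not enough; the row must still be live
    # and belong to the same user the token names.
    session = SESSIONS.get(claims["sid"])
    if session is None or session["revoked"] or session["user_id"] != claims["sub"]:
        raise ValueError("session not live")
    return claims


def is_valid(token: str, now=None) -> bool:
    try:
        verify_token(token, now)
        return True
    except (ValueError, KeyError, binascii.Error):
        return False
```

Revocation therefore costs one session lookup per request, which is the trade the page accepts in exchange for being able to invalidate unexpired tokens immediately.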
Data protection
- Database is hosted in a private network; not directly reachable from the internet.
- All free-text input (notes, tasks, highlight notes) is sanitised server-side before storage to prevent stored-XSS — see our security spec for details.
- Server logs contain only counts and IDs — never the body of your notes, tasks, or highlights.
- Soft-deleted records are purged within 30 days; revoked sessions are cleaned up daily.
Application-level controls
- Every API endpoint filters rows by your user ID derived from the JWT — cross-user lookups return 404 (we never reveal that another user's resource exists).
- Mass-assignment protection on every PATCH endpoint (extra="forbid" + explicit allow-list of editable fields).
- Per-user, per-plan rate limits on write endpoints, backed by Redis with atomic Lua scripts.
- Strict OWASP audit on every new feature before release.
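The three application-level controls above (ownership filtering with a uniform 404, the PATCH allow-list, and the per-user, per-plan write limiter) as one added, self-contained example. None of this is the service's code: the notes table, plan budgets and user IDs are constructed; the ownership check is a plain dictionary lookup standing in for a `WHERE owner_id = ...` clause; the allow-list is enforced by hand rather than by Pydantic's `extra="forbid"`; and Redis is replaced by a small in-process class with the same INCR/EXPIRE semantics so the logic runs offline. The Lua body is included as the script one would load into Redis with EVAL to keep the increment and the expiry atomic.

```python
# Constructed in-memory table; the real service scopes every query to the user ID
# taken from the JWT, which is what get_note's filter stands in for.
NOTES = {
    1: {"id": 1, "owner_id": 42, "title": "mine",   "body": "hello"},
    2: {"id": 2, "owner_id": 7,  "title": "theirs", "body": "private"},
}


class HTTPError(Exception):
    def __init__(self, status: int, detail: str):
        super().__init__(detail)
        self.status, self.detail = status, detail


def handle(call):
    """Tiny router stand-in: run a handler and return (status, body)."""
    try:
        return 200, call()
    except HTTPError as e:
        return e.status, {"detail": e.detail}


def get_note(current_user: int, note_id: int) -> dict:
    """Ownership filter: an id that does not exist and an id owned by someone else
    produce the same 404, so the response never confirms the other row exists."""
    row = NOTES.get(note_id)
    if row is None or row["owner_id"] != current_user:
        raise HTTPError(404, "not found")
    return row


# Explicit allow-list of editable fields. Unknown or protected keys (id, owner_id)
# are rejected with 422 rather than silently dropped; this is the behaviour
# Pydantic's extra="forbid" gives a PATCH model.
EDITABLE_FIELDS = {"title", "body"}


def patch_note(current_user: int, note_id: int, payload: dict) -> dict:
    rejected = sorted(set(payload) - EDITABLE_FIELDS)
    if rejected:
        raise HTTPError(422, f"fields not allowed: {rejected}")
    row = get_note(current_user, note_id)   # 404 check runs before any write
    row.update(payload)
    return row


# Per-user, per-plan fixed-window limiter. RATE_LIMIT_LUA is the script that would
# run inside Redis via EVAL so that INCR and EXPIRE cannot be interleaved with a
# concurrent request; FakeRedis reproduces those semantics in-process.
RATE_LIMIT_LUA = """
local n = redis.call('INCR', KEYS[1])
if n == 1 then redis.call('EXPIRE', KEYS[1], ARGV[1]) end
return n
"""
PLAN_WRITE_LIMITS = {"free": 3, "pro": 100}   # constructed budgets per window


class FakeRedis:
    def __init__(self):
        self.store = {}   # key -> (count, expires_at)

    def incr_with_expire(self, key: str, ttl: int, now: float) -> int:
        count, expires_at = self.store.get(key, (0, None))
        if expires_at is not None and expires_at <= now:
            count, expires_at = 0, None      # window elapsed: Redis would have dropped the key
        count += 1
        if count == 1:
            expires_at = now + ttl           # EXPIRE is set only on the first hit
        self.store[key] = (count, expires_at)
        return count


def allow_write(r: FakeRedis, user_id: int, plan: str, now: float, window: int = 60) -> bool:
    """True while the caller is within its plan's budget for the current window."""
    key = f"ratelimit:write:{plan}:{user_id}"
    return r.incr_with_expire(key, window, now) <= PLAN_WRITE_LIMITS[plan]
```

Ordering matters in `patch_note`: the field check runs first so that an attempt to set `owner_id` on someone else's row is reported as a bad request rather than leaking a 404/422 distinction tied to ownership, and the ownership check still runs before any mutation.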
Browser extension hardening
- Chrome MV3 with a strict Content Security Policy.
- Zero third-party JavaScript dependencies — every line of code in the extension is in-tree, eliminating supply-chain risk.
- Content scripts run in an isolated world from the host page.
- Auto-disabled on a built-in list of sensitive domains (banking, crypto wallets & exchanges, payment gateways, cloud admin consoles, stock-trading platforms) — see Privacy for details.
Account security
- Sign-in via Google OAuth — your Google account's 2FA, recovery, and security alerts apply.
- You can list active sessions and revoke any of them at any time.
- Account block / unblock is reflected immediately across all sessions.
- Self-service account deletion within 7 days — see Privacy > Your controls.
Responsible disclosure
Found a security issue? We appreciate responsible disclosure. Please:
- Email vietanhbkaaa@gmail.com with subject "Security Disclosure".
- Give us a reasonable window (≥7 days) to triage and fix before public disclosure.
- Do not access, modify, or delete data that does not belong to you.
- Avoid automated scans that could degrade the service for other users.
We do not currently run a paid bounty programme, but we publicly credit reporters (with consent) for valid findings.
Contact
vietanhbkaaa@gmail.com