Security at DeepVane is treated like math: the system is verifiable, not trusted. Every control below can be confirmed independently — sniff our HTTP headers, inspect the cookie flags, run our public diagnostics at /diag/engine. Nothing on this page is a marketing claim; everything has either a header, an endpoint, or a behaviour you can observe.
Strict-Transport-Security: max-age=63072000; includeSubDomains; preload — eligible for the Chromium HSTS preload list.
The connect-src allowlist enumerates every external API the browser reaches; frame-ancestors 'none'; object-src 'none'; base-uri 'self'; form-action 'self'.
No third-party site can iframe DeepVane — defends against clickjacking on legacy browsers that do not honour CSP frame-ancestors.
Browsers must trust our Content-Type headers — kills MIME-sniff XSS vectors.
Outbound referrers carry only the origin, never the full URL — GDPR-friendly + cleaner third-party logs.
camera, microphone, geolocation, payment, usb, interest-cohort all disabled — supply-chain XSS cannot reach those APIs even if it breaches CSP.
User accounts, watchlists, alerts, virtual trades are stored in Supabase eu-west — GDPR Article 44 compliant, no third-country transfer.
Every /api/cron/* route requires a Bearer secret matching CRON_SECRET. Mismatched calls return 401 with no body — no enumeration leak.
Admin routes verify the caller has the admin flag in the user_profiles table — middleware short-circuits non-admins to /dashboard.
Auth cookies are HttpOnly + Secure + SameSite=Lax. Script running under an XSS cannot read the cookie (HttpOnly), and SameSite mitigates CSRF.
Supabase service-role, Anthropic, FMP, Finnhub, Brevo, Vercel cron secrets all rotated 2026-04-19 after a routine audit. Rotation cadence formalised.
/.well-known/security.txt published per RFC 9116 — researchers can find the right contact in seconds.
/diag/engine runs 21 mathematical invariants against the Forward-Return Engine on every request. Anyone (including auditors) can verify the math has not regressed.
Token-bucket rate limiter on heavy public endpoints (portfolio optimization 30/min, backtest 30/min, scenarios 3/hour for anonymous callers + 5/day per authenticated user). Above the threshold the endpoint returns HTTP 429 with a Retry-After header.
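The limiter described above, as an added example that is not DeepVane's own code: a per-caller token bucket using the quotas quoted on this page, returning the 429 + Retry-After decision. The endpoint keys, the in-memory Map store and the function names are assumptions.

```javascript
// Added example, not DeepVane's implementation. Endpoint keys, the in-memory
// Map and the function names are assumptions; the quotas are the ones quoted above.
const LIMITS = {
  "portfolio-optimization": { capacity: 30, windowMs: 60 * 1000 },           // 30/min
  "backtest":               { capacity: 30, windowMs: 60 * 1000 },           // 30/min
  "scenarios:anon":         { capacity: 3,  windowMs: 60 * 60 * 1000 },      // 3/hour
  "scenarios:authed":       { capacity: 5,  windowMs: 24 * 60 * 60 * 1000 }, // 5/day
};

// One bucket per (endpoint, caller). A multi-instance deployment would keep
// this in a shared store so every instance sees the same counts.
const buckets = new Map();

// Decide one request. Returns { allowed, status, retryAfterSeconds }.
// Tokens refill continuously at `capacity` per `windowMs`, capped at capacity.
function consume(endpoint, callerKey, now = Date.now()) {
  const limit = LIMITS[endpoint];
  if (!limit) throw new Error(`no rate limit configured for ${endpoint}`);
  const key = `${endpoint}|${callerKey}`;
  const bucket = buckets.get(key) ?? { tokens: limit.capacity, updatedAt: now };
  const elapsed = Math.max(0, now - bucket.updatedAt);
  bucket.tokens = Math.min(limit.capacity, bucket.tokens + (elapsed * limit.capacity) / limit.windowMs);
  bucket.updatedAt = now;
  if (bucket.tokens >= 1) {
    bucket.tokens -= 1;
    buckets.set(key, bucket);
    return { allowed: true, status: 200, retryAfterSeconds: 0 };
  }
  buckets.set(key, bucket);
  // Whole seconds until one full token is back: this becomes the Retry-After value.
  const waitMs = ((1 - bucket.tokens) * limit.windowMs) / limit.capacity;
  return { allowed: false, status: 429, retryAfterSeconds: Math.ceil(waitMs / 1000) };
}

// Translate a decision into the status and headers a route handler would send.
// A throttled response carries Retry-After and no body, so nothing leaks about
// the caller or the endpoint beyond the wait time.
function toResponse(decision) {
  return decision.allowed
    ? { status: 200, headers: {} }
    : { status: 429, headers: { "Retry-After": String(decision.retryAfterSeconds) } };
}
```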
Multi-factor authentication lands in Q3 2026: TOTP first (every account), WebAuthn passkeys second (Pro tier).
Replace the 'unsafe-inline' / 'unsafe-eval' CSP allowance currently required for Next.js streaming. Q3 2026 — unblocks an A+ on observatory.mozilla.org.
SameSite=Lax handles ~99% of cases today; explicit CSRF tokens follow before the public Pro launch.
Compliance readiness work starts Q4 2026: control mapping + evidence collection, not the audit itself yet. Drumbeat to a Type II report in 2027.
Audit log: an append-only Supabase table capturing every admin mutation + every engine recalibration. Q3 2026.
Bounty program launches alongside the Pro tier. Tiered payouts, scoped explicitly to the deepvane.com production surface.
Send findings to security@deepvane.com. Include the URL or endpoint, reproduction steps, and any proof-of-concept payload. We acknowledge within 48 hours, fix high-severity issues within 90 days, and credit reporters who request it. Please do not run automated scanners against production beyond a single confirmation pass — you will hit our rate limits and trigger paging.
The machine-readable contact lives at /.well-known/security.txt per RFC 9116.