// security.txt

SECURITY

This page is maintained by the operator of gpta.dev. It describes controls enabled on the app and is not an independent certification.

[ access control ]

  • shared-passphrase site-gate on every non-public route
  • separate admin passphrase required for admin dashboard
  • encrypted, http-only, same-site session cookies (7-day ttl)
  • timing-safe passphrase comparison (sha-256 digest compare)

[ transport & storage ]

  • tls 1.2+ for all traffic; hsts enforced by host
  • row-level security enabled on every user-data table
  • service-role credentials never shipped to the browser
  • secrets stored in encrypted secret store; never in source

[ hardening ]

  • no third-party analytics or trackers
  • minimal public surface: 4 static pages, 1 login endpoint
  • rate-limited login with server-side delay on failure
  • content-security via same-origin defaults

[ what we don't do ]

GPTA does not claim SOC 2, ISO 27001, HIPAA, PCI DSS, or GDPR certification. It is a personal / small-team tool. Do not use it to process regulated data unless you have your own compliance program.

[ responsible disclosure ]

Found a vulnerability? Please email security@gpta.dev with steps to reproduce. Do not disclose publicly until a fix has shipped. No bounty is offered, but credit is available on request.