Security & Trust

Built to be
hard to break.

PulseAggregator applies defence-in-depth across every layer — from transport security and auth hardening to rate limiting and input sanitisation. Here's exactly what we do and why.

100k+

Hash iterations

TLS 1.3

Transport only

Days

JWT expiry

Capped

Max body size

Security model

⬡Authentication

→JWT tokens with secure signing and limited expiry
→Passwords hashed with strong key-derivation function
→API keys stored as hashes only — raw key shown once at creation
→Brute-force lockout with escalating thresholds per-email and per-IP
→Requires email verification before account activation
→Unverified accounts are automatically purged after a grace period
→2FA (TOTP) setup blocked until email is verified

◈Transport & Headers

→TLS 1.3 enforced on all connections — HTTP redirects to HTTPS
→Strict HSTS with long max-age, includeSubDomains, preload
→X-Frame-Options: DENY — no clickjacking
→X-Content-Type-Options: nosniff
→Referrer-Policy: strict-origin-when-cross-origin
→Content-Security-Policy on every response
→Server and X-Powered-By headers stripped

◎Rate Limiting & Abuse

→Per-IP sliding-window rate limits on every endpoint
→Stricter limits on authentication endpoints
→Request body size capped to prevent abuse
→Path traversal guard on all requests — double-dots and double-slashes blocked
→IP blocklist — persistent offenders banned at middleware level

⬟Data & Infrastructure

→PostgreSQL with parameterised queries — no raw SQL interpolation
→Full-text search via indexed database — no external search engine exposure
→Pro endpoints gated by plan — API key scope validated on every request
→Article deduplication by content hash
→CORS restricted to explicit allow-list — no wildcard origins
→Payments handled entirely by PayPal — no payment card or financial data stored on our servers

Responsible Disclosure

Found a vulnerability? We take security reports seriously. Please disclose responsibly — give us time to fix the issue before publishing details publicly.

Contactsupport@pulseaggregator.com

Response SLAWe aim to acknowledge reports within 48 hours.

Scopeapi.pulseaggregator.com and www.pulseaggregator.com

Out of scopeThird-party services, social engineering, physical attacks.

Report a vulnerability →

Our commitments

We never sell your data
Your email, usage, and article history stay on our servers.
We never store raw passwords
Only strong password hashes are persisted.
We never log API keys
Only hashes are stored — the raw key is shown once.
We never expose internal errors
Stack traces and DB errors are never returned to clients.
We never cache sensitive responses
Auth and user endpoints set Cache-Control: no-store.
We never store payment data
Payments are processed entirely by PayPal — no payment card details or financial information are held on our servers.
We enforce email verification
Accounts are inactive until the email is verified. Unverified accounts are automatically removed after a grace period.

Security & Trust

Built to be
hard to break.

PulseAggregator applies defence-in-depth across every layer — from transport security and auth hardening to rate limiting and input sanitisation. Here's exactly what we do and why.

100k+

Hash iterations

TLS 1.3

Transport only

Days

JWT expiry

Capped

Max body size

Security model

⬡Authentication

→JWT tokens with secure signing and limited expiry
→Passwords hashed with strong key-derivation function
→API keys stored as hashes only — raw key shown once at creation
→Brute-force lockout with escalating thresholds per-email and per-IP
→Requires email verification before account activation
→Unverified accounts are automatically purged after a grace period
→2FA (TOTP) setup blocked until email is verified

◈Transport & Headers

→TLS 1.3 enforced on all connections — HTTP redirects to HTTPS
→Strict HSTS with long max-age, includeSubDomains, preload
→X-Frame-Options: DENY — no clickjacking
→X-Content-Type-Options: nosniff
→Referrer-Policy: strict-origin-when-cross-origin
→Content-Security-Policy on every response
→Server and X-Powered-By headers stripped

◎Rate Limiting & Abuse

→Per-IP sliding-window rate limits on every endpoint
→Stricter limits on authentication endpoints
→Request body size capped to prevent abuse
→Path traversal guard on all requests — double-dots and double-slashes blocked
→IP blocklist — persistent offenders banned at middleware level

⬟Data & Infrastructure

→PostgreSQL with parameterised queries — no raw SQL interpolation
→Full-text search via indexed database — no external search engine exposure
→Pro endpoints gated by plan — API key scope validated on every request
→Article deduplication by content hash
→CORS restricted to explicit allow-list — no wildcard origins
→Payments handled entirely by PayPal — no payment card or financial data stored on our servers

Responsible Disclosure

Found a vulnerability? We take security reports seriously. Please disclose responsibly — give us time to fix the issue before publishing details publicly.

Contactsupport@pulseaggregator.com

Response SLAWe aim to acknowledge reports within 48 hours.

Scopeapi.pulseaggregator.com and www.pulseaggregator.com

Out of scopeThird-party services, social engineering, physical attacks.

Report a vulnerability →

Our commitments

We never sell your data
Your email, usage, and article history stay on our servers.
We never store raw passwords
Only strong password hashes are persisted.
We never log API keys
Only hashes are stored — the raw key is shown once.
We never expose internal errors
Stack traces and DB errors are never returned to clients.
We never cache sensitive responses
Auth and user endpoints set Cache-Control: no-store.
We never store payment data
Payments are processed entirely by PayPal — no payment card details or financial information are held on our servers.
We enforce email verification
Accounts are inactive until the email is verified. Unverified accounts are automatically removed after a grace period.

Built to behard to break.

Built to behard to break.

Built to be
hard to break.

Built to be
hard to break.