Security & Trust

Built to be
hard to break.

PulseAggregator applies defence-in-depth across every layer — from transport security and auth hardening to rate limiting and input sanitisation. Here's exactly what we do and why.

260k

PBKDF2 iterations

TLS 1.3

Transport only

72h

JWT expiry

64KB

Max body size

Security model

⬡Authentication

→JWT tokens — HS256, 72-hour expiry, signed with a 32+ char secret
→Passwords hashed with PBKDF2-SHA256 at 260,000 iterations
→API keys stored as SHA-256 hashes only — raw key shown once at creation
→Brute-force lockout: 15-minute ban after 10 failed login attempts

◈Transport & Headers

→TLS 1.3 enforced on all connections — HTTP redirects to HTTPS
→HSTS with 1-year max-age, includeSubDomains, preload
→X-Frame-Options: DENY — no clickjacking
→X-Content-Type-Options: nosniff
→Referrer-Policy: strict-origin-when-cross-origin
→Content-Security-Policy on every response
→Server and X-Powered-By headers stripped

◎Rate Limiting & Abuse

→Per-IP sliding-window rate limits on every endpoint
→Auth endpoints limited to 10 requests/minute
→Request body capped at 64 KB
→Path traversal guard on all requests — double-dots and double-slashes blocked
→IP blocklist — persistent offenders banned at middleware level

⬟Data & Infrastructure

→PostgreSQL with parameterised queries — no raw SQL interpolation
→Full-text search via tsvector — no external search engine exposure
→Pro-API endpoints gated by plan — API key scope validated on every request
→Article deduplication by SHA-256 content hash
→CORS restricted to explicit allow-list — no wildcard origins
→Crypto payments handled entirely by NOWPayments — no wallet or payment data stored on our servers

Responsible Disclosure

Found a vulnerability? We take security reports seriously. Please disclose responsibly — give us time to fix the issue before publishing details publicly.

Contactsupport@pulseaggregator.com

Response SLAWe aim to acknowledge reports within 48 hours.

Scopeapi.pulseaggregator.com and www.pulseaggregator.com

Out of scopeThird-party services, social engineering, physical attacks.

Report a vulnerability →

Our commitments

✓We never sell your data
Your email, usage, and article history stay on our servers.
✓We never store raw passwords
Only PBKDF2-SHA256 hashes are persisted.
✓We never log API keys
Only SHA-256 hashes are stored — the raw key is shown once.
✓We never expose internal errors
Stack traces and DB errors are never returned to clients.
✓We never cache sensitive responses
Auth and user endpoints set Cache-Control: no-store.
✓We never store payment data
Crypto payments are processed entirely by NOWPayments — no wallet addresses or transaction details are held on our servers.

Security & Trust

Built to be
hard to break.

PulseAggregator applies defence-in-depth across every layer — from transport security and auth hardening to rate limiting and input sanitisation. Here's exactly what we do and why.

260k

PBKDF2 iterations

TLS 1.3

Transport only

72h

JWT expiry

64KB

Max body size

Security model

⬡Authentication

→JWT tokens — HS256, 72-hour expiry, signed with a 32+ char secret
→Passwords hashed with PBKDF2-SHA256 at 260,000 iterations
→API keys stored as SHA-256 hashes only — raw key shown once at creation
→Brute-force lockout: 15-minute ban after 10 failed login attempts

◈Transport & Headers

→TLS 1.3 enforced on all connections — HTTP redirects to HTTPS
→HSTS with 1-year max-age, includeSubDomains, preload
→X-Frame-Options: DENY — no clickjacking
→X-Content-Type-Options: nosniff
→Referrer-Policy: strict-origin-when-cross-origin
→Content-Security-Policy on every response
→Server and X-Powered-By headers stripped

◎Rate Limiting & Abuse

→Per-IP sliding-window rate limits on every endpoint
→Auth endpoints limited to 10 requests/minute
→Request body capped at 64 KB
→Path traversal guard on all requests — double-dots and double-slashes blocked
→IP blocklist — persistent offenders banned at middleware level

⬟Data & Infrastructure

→PostgreSQL with parameterised queries — no raw SQL interpolation
→Full-text search via tsvector — no external search engine exposure
→Pro-API endpoints gated by plan — API key scope validated on every request
→Article deduplication by SHA-256 content hash
→CORS restricted to explicit allow-list — no wildcard origins
→Crypto payments handled entirely by NOWPayments — no wallet or payment data stored on our servers

Responsible Disclosure

Found a vulnerability? We take security reports seriously. Please disclose responsibly — give us time to fix the issue before publishing details publicly.

Contactsupport@pulseaggregator.com

Response SLAWe aim to acknowledge reports within 48 hours.

Scopeapi.pulseaggregator.com and www.pulseaggregator.com

Out of scopeThird-party services, social engineering, physical attacks.

Report a vulnerability →

Our commitments

✓We never sell your data
Your email, usage, and article history stay on our servers.
✓We never store raw passwords
Only PBKDF2-SHA256 hashes are persisted.
✓We never log API keys
Only SHA-256 hashes are stored — the raw key is shown once.
✓We never expose internal errors
Stack traces and DB errors are never returned to clients.
✓We never cache sensitive responses
Auth and user endpoints set Cache-Control: no-store.
✓We never store payment data
Crypto payments are processed entirely by NOWPayments — no wallet addresses or transaction details are held on our servers.

Built to behard to break.

Built to behard to break.

Built to be
hard to break.

Built to be
hard to break.