Strict-Transport-Security: max-age=63072000; includeSubDomains; preload - eligible for the Chromium HSTS preload list.
connect-src allowlist enumerates every external API the browser reaches, so injected script cannot exfiltrate to an unlisted host; frame-ancestors 'none'; object-src 'none'; base-uri 'self'; form-action 'self'.
X-Frame-Options: no third-party site can iframe Framler - the pre-CSP clickjacking defence, kept for legacy browsers that do not honour CSP frame-ancestors (browsers that support both ignore X-Frame-Options when frame-ancestors is present).
X-Content-Type-Options: nosniff - browsers must honour our Content-Type headers instead of sniffing the body, which kills MIME-sniffing XSS vectors (a response served as text/plain can no longer be reinterpreted as HTML or script).
Referrer-Policy: outbound referrers carry only the origin, never the full URL, so paths and query strings stay out of third-party logs - GDPR-friendly and cleaner for everyone downstream.
Permissions-Policy: camera, microphone, geolocation, payment, usb and interest-cohort are all disabled - script injected through a compromised dependency (supply-chain XSS) cannot reach those APIs even if it gets past CSP.
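The header policy above is easy to regress silently (a framework upgrade drops a directive, a CDN rewrites a header). As an added example, not Framler's own code, here is a small auditor that checks a set of response headers against exactly the properties listed: HSTS preload eligibility, the four CSP directives, an explicit connect-src, the legacy X-Frame-Options fallback, nosniff, an origin-only referrer policy and the six disabled Permissions-Policy features. The header sets at the bottom are constructed samples, not captured from framler.com, and the hostname in connect-src is a placeholder.

```javascript
// Added example (not Framler's own code): audit response headers against the
// policy described on this page. Input: a plain object of header name -> value
// (any case). Output: a list of findings; an empty list means the set passes.

function parseCsp(value) {
  // "frame-ancestors 'none'; base-uri 'self'" -> { "frame-ancestors": ["'none'"], ... }
  const directives = {};
  for (const part of value.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    directives[name.toLowerCase()] = sources;
  }
  return directives;
}

function parseHsts(value) {
  const hsts = { maxAge: 0, includeSubDomains: false, preload: false };
  for (const d of value.split(";").map((s) => s.trim().toLowerCase())) {
    if (d.startsWith("max-age=")) hsts.maxAge = parseInt(d.slice(8), 10) || 0;
    else if (d === "includesubdomains") hsts.includeSubDomains = true;
    else if (d === "preload") hsts.preload = true;
  }
  return hsts;
}

// Referrer policies that never send the full URL to a cross-origin host.
const ORIGIN_ONLY_REFERRER = new Set([
  "no-referrer", "same-origin", "origin", "strict-origin",
  "origin-when-cross-origin", "strict-origin-when-cross-origin",
]);

function auditSecurityHeaders(headers) {
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = v;
  const findings = [];

  // Chromium preload list: max-age >= 1 year, includeSubDomains and preload all required.
  const hsts = parseHsts(h["strict-transport-security"] || "");
  if (hsts.maxAge < 31536000 || !hsts.includeSubDomains || !hsts.preload) {
    findings.push("hsts: not preload-eligible");
  }

  const csp = parseCsp(h["content-security-policy"] || "");
  const expected = {
    "frame-ancestors": "'none'",
    "object-src": "'none'",
    "base-uri": "'self'",
    "form-action": "'self'",
  };
  for (const [name, want] of Object.entries(expected)) {
    if ((csp[name] || []).join(" ") !== want) findings.push(`csp: ${name} should be ${want}`);
  }
  // connect-src must be an explicit allowlist: no wildcard, no silent fallback to default-src.
  if (!csp["connect-src"] || csp["connect-src"].includes("*")) {
    findings.push("csp: connect-src missing or wildcard");
  }
  // 'unsafe-inline' / 'unsafe-eval' in script-src is the gap the roadmap on this page calls out.
  const scriptSrc = csp["script-src"] || csp["default-src"] || [];
  for (const bad of ["'unsafe-inline'", "'unsafe-eval'"]) {
    if (scriptSrc.includes(bad)) findings.push(`csp: script-src allows ${bad}`);
  }

  // Legacy clickjacking defence; either value stops third-party framing.
  const xfo = (h["x-frame-options"] || "").toUpperCase();
  if (xfo !== "DENY" && xfo !== "SAMEORIGIN") findings.push("x-frame-options: missing");

  if ((h["x-content-type-options"] || "").toLowerCase() !== "nosniff") {
    findings.push("x-content-type-options: expected nosniff");
  }

  if (!ORIGIN_ONLY_REFERRER.has((h["referrer-policy"] || "").toLowerCase())) {
    findings.push("referrer-policy: full URL may leak cross-origin");
  }

  // Each feature must appear with an empty allowlist, e.g. camera=().
  const pp = h["permissions-policy"] || "";
  for (const feature of ["camera", "microphone", "geolocation", "payment", "usb", "interest-cohort"]) {
    if (!new RegExp(`(^|,)\\s*${feature}=\\(\\)`).test(pp)) {
      findings.push(`permissions-policy: ${feature} not disabled`);
    }
  }
  return findings;
}

// Constructed sample header sets (not captured from framler.com).
const SAMPLE_HARDENED = {
  "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
  "Content-Security-Policy":
    "default-src 'self'; script-src 'self'; connect-src 'self' https://api.example.com; " +
    "frame-ancestors 'none'; object-src 'none'; base-uri 'self'; form-action 'self'",
  "X-Frame-Options": "DENY",
  "X-Content-Type-Options": "nosniff",
  "Referrer-Policy": "strict-origin-when-cross-origin",
  "Permissions-Policy": "camera=(), microphone=(), geolocation=(), payment=(), usb=(), interest-cohort=()",
};
const SAMPLE_WEAK = {
  "Strict-Transport-Security": "max-age=300",
  "Content-Security-Policy": "default-src 'self'; script-src 'self' 'unsafe-inline'; connect-src *",
  "Referrer-Policy": "unsafe-url",
};
```

Run it against a real response by feeding in the headers from a fetch() of the page; wiring it into CI as a post-deploy smoke test turns a silently dropped header into a failed build. The auditor deliberately flags connect-src falling back to default-src, because a fallback is not the enumerated allowlist the policy promises.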
Primary user data — accounts, watchlists, alerts, virtual trades — is stored in Supabase eu-west (Frankfurt). Compute via Vercel and on-demand AI explanations via Anthropic may transit US subprocessors under Standard Contractual Clauses (SCCs) — see /privacy for the full subprocessor list and GDPR posture.
Every /api/cron/* route requires an Authorization: Bearer secret matching CRON_SECRET. Missing, malformed and wrong credentials all return 401 with an empty body, so a probe learns nothing about which routes exist or why the check failed.
Admin routes verify that the caller's row in the user_profiles table carries the admin flag; middleware short-circuits non-admins to /dashboard.
Auth cookies are HttpOnly + Secure + SameSite=Lax. Script injected by an XSS cannot read them (HttpOnly), and SameSite=Lax keeps them off cross-site POSTs, which mitigates CSRF. Caveat: Lax still attaches the cookie to top-level cross-site GET navigations, so state changes must never be reachable via GET.
Supabase service-role key, Anthropic, FMP, Finnhub, Brevo and Vercel cron secrets were all rotated on 2026-04-19 after a routine audit. A fixed rotation cadence has since been formalised.
/.well-known/security.txt published per RFC 9116 - researchers can find the right contact in seconds.
/coherence publishes structural invariants of the engine - BOCPD posterior summing to one, factor correlations bounded, weight constraints, breadth diagnostics - verifiable on every request. Behavioural invariants of the Forward-Return Engine run in admin-only diagnostics; summary results are surfaced on /coherence and /backtest.
Token-bucket rate limiter on heavy public endpoints: portfolio optimisation 30/min, backtest 30/min, scenarios 3/hour for anonymous callers and 5/day per authenticated user. Requests over the limit get HTTP 429 with a Retry-After header.
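What a token bucket actually promises is a burst of up to the capacity followed by a steady refill, and the Retry-After value falls straight out of the refill rate. As an added example, not Framler's own code, here is a limiter with the capacities quoted above. The clock is passed in (seconds) so the behaviour is deterministic; route names and client keys are assumptions. The buckets live in process memory, so on a serverless platform each instance would keep its own counts and production would need a shared store.

```javascript
// Added example (not Framler's own code): token-bucket limiter with the
// page's capacities, returning 429 plus Retry-After once a bucket is empty.

class TokenBucket {
  constructor(capacity, windowSeconds, now) {
    this.capacity = capacity;
    this.windowSeconds = windowSeconds;
    this.tokens = capacity; // a fresh client may burst up to the full capacity
    this.last = now;
  }
  take(now) {
    // Refill continuously at capacity/window tokens per second, capped at capacity.
    const elapsed = Math.max(0, now - this.last);
    this.tokens = Math.min(this.capacity, this.tokens + (elapsed * this.capacity) / this.windowSeconds);
    this.last = now;
    if (this.tokens >= 1) {
      this.tokens -= 1;
      return { allowed: true, retryAfter: 0 };
    }
    // Seconds until one whole token is back, rounded up for the header.
    const retryAfter = Math.ceil(((1 - this.tokens) * this.windowSeconds) / this.capacity);
    return { allowed: false, retryAfter };
  }
}

// Capacities from this page; route keys are assumed names.
const LIMITS = {
  "portfolio-optimise": { capacity: 30, windowSeconds: 60 },
  backtest: { capacity: 30, windowSeconds: 60 },
  "scenarios:anon": { capacity: 3, windowSeconds: 3600 },
  "scenarios:user": { capacity: 5, windowSeconds: 86400 },
};

class RateLimiter {
  constructor(limits = LIMITS) {
    this.limits = limits;
    this.buckets = new Map();
  }
  // clientKey: client IP for anonymous callers, user id for authenticated ones.
  check(route, clientKey, now) {
    const limit = this.limits[route];
    if (!limit) return { status: 200, headers: {} }; // route not rate limited
    const key = `${route}|${clientKey}`;
    let bucket = this.buckets.get(key);
    if (!bucket) {
      bucket = new TokenBucket(limit.capacity, limit.windowSeconds, now);
      this.buckets.set(key, bucket);
    }
    const result = bucket.take(now);
    return result.allowed
      ? { status: 200, headers: {} }
      : { status: 429, headers: { "Retry-After": String(result.retryAfter) } };
  }
}
```

Note what "5/day" means under this shape: five requests can land in the first second and the sixth has to wait 4.8 hours for a single token. If the intent is "no more than five in any rolling day", a sliding-window log is the better primitive; the bucket is the right choice when short bursts are acceptable and the goal is bounding sustained load.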
Every admin route call writes a row to apex_audit_log: actor (id + email), action name, target, IP, user-agent, sanitised payload and response status. The table is append-only and written via the service role; app users have no access to it. Indexed by ts, actor and action for forensic queries.
Double-submit cookie pattern (dv-csrf cookie + X-CSRF-Token header), wired on watchlist, alerts and virtual-trades - all major user-mutation endpoints. The frontend goes through a dvFetch() helper that attaches the header automatically. This is layered on top of the SameSite=Lax auth cookie rather than replacing it.
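Both the cron Bearer check above and this double-submit check come down to the same two rules: compare secrets in constant time, and make the failure response indistinguishable across causes. As an added example, not Framler's own code, here are both guards written as plain functions over a minimal request shape so they run without a framework. Assumed: the route handler returns these objects as the HTTP response, tokens are at least 32 characters, and the sample secret and token values are constructed. Node's crypto.timingSafeEqual would be the production choice for the comparison; the loop here just makes the constant-time property visible.

```javascript
// Added example (not Framler's own code): the /api/cron/* Bearer guard and the
// dv-csrf double-submit guard, sharing one constant-time comparison.

function constantTimeEqual(a, b) {
  // No early exit: walk the longer of the two strings and fold every
  // difference (including the length) into one accumulator.
  let diff = a.length ^ b.length;
  const n = Math.max(a.length, b.length);
  for (let i = 0; i < n; i++) {
    const ca = i < a.length ? a.charCodeAt(i) : 0;
    const cb = i < b.length ? b.charCodeAt(i) : 0;
    diff |= ca ^ cb;
  }
  return diff === 0;
}

function makeRequest(headers) {
  // Minimal stand-in for a Fetch Request: case-insensitive header lookup.
  const lower = {};
  for (const [k, v] of Object.entries(headers)) lower[k.toLowerCase()] = v;
  return { headers: { get: (name) => lower[name.toLowerCase()] ?? null } };
}

function parseCookies(header) {
  const out = {};
  for (const pair of header.split(";")) {
    const idx = pair.indexOf("=");
    if (idx < 0) continue;
    out[pair.slice(0, idx).trim()] = pair.slice(idx + 1).trim();
  }
  return out;
}

// /api/cron/*: the caller must present "Authorization: Bearer <CRON_SECRET>".
// Missing header, wrong scheme and wrong secret all get the same 401 with no
// body, so a probe cannot tell which case it hit.
function requireCronSecret(req, cronSecret) {
  const auth = req.headers.get("authorization") ?? "";
  const [scheme, token = ""] = auth.split(" ");
  const ok = scheme === "Bearer" && constantTimeEqual(token, cronSecret);
  return ok ? null : { status: 401, body: null };
}

// Double-submit CSRF: the dv-csrf cookie must be present and equal the
// X-CSRF-Token header. The presence check matters: without it, a request
// carrying neither (empty == empty) would pass.
const CSRF_TOKEN_MIN_LENGTH = 32; // assumption: tokens are at least 32 chars

function requireCsrfToken(req) {
  const cookies = parseCookies(req.headers.get("cookie") ?? "");
  const cookieToken = cookies["dv-csrf"] ?? "";
  const headerToken = req.headers.get("x-csrf-token") ?? "";
  if (cookieToken.length < CSRF_TOKEN_MIN_LENGTH) return { status: 403, body: null };
  if (!constantTimeEqual(cookieToken, headerToken)) return { status: 403, body: null };
  return null;
}
```

Two things the code makes concrete. First, the double-submit cookie cannot itself be HttpOnly, because the client helper has to read it to copy it into the header; that is fine as long as the auth cookie stays HttpOnly, since the CSRF token on its own grants nothing. Second, an attacker who can set cookies for the site (a subdomain takeover, for instance) can forge a matching pair, which is why the pattern is layered with SameSite rather than relied on alone.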
TOTP via Supabase MFA (RFC 6238). Enrol on /settings: scan the QR code with Google Authenticator, Authy or 1Password, verify a 6-digit code, done. After the password step the login flow checks whether the session has reached AAL2 and routes to /auth/mfa-verify when 2FA is enabled. The TOTP secret never leaves Supabase storage.
WebAuthn second factor (Touch ID, Windows Hello, hardware security keys). Phishing-resistant and stronger than TOTP because the credential is bound to the origin, so a look-alike domain cannot replay it. Launches with the Pro tier.
Remove the 'unsafe-inline' / 'unsafe-eval' allowance in script-src that Next.js streaming currently requires; while it is in place, CSP cannot block an injected inline script. Q3 2026 - unblocks A+ on observatory.mozilla.org.
Q4 2026 - control mapping and evidence collection, not the audit itself yet. Working toward a Type II report in 2027.
Extend apex_audit_log to capture every engine recalibration (weight rebalance, conformal calibration, walk-forward run). Q3 2026.
Bug bounty: launches alongside the Pro tier, with tiered payouts and a scope limited explicitly to the framler.com production surface.
Send findings to security@framler.com. Include the URL or endpoint, reproduction steps and any proof-of-concept payload. We acknowledge within 48 hours, fix high-severity issues within 90 days, and credit reporters who request it. Please do not run automated scanners against production beyond a single confirmation pass - you will hit the rate limits and trigger on-call paging.
The machine-readable contact lives at /.well-known/security.txt per RFC 9116.