Security

Last updated: 1 May 2026.

Authentication

Sign-in is handled by Firebase Authentication. We support email + password and Google SSO. Passwords must be at least 8 characters and must not appear in known public breaches; we check this against the Have I Been Pwned Pwned Passwords API using its k-anonymity range endpoint, so only the first five characters of the password's SHA-1 hash ever leave our servers. Server sessions are HttpOnly, Secure, SameSite=Lax cookies.

Transport and storage

All traffic is HTTPS with HSTS. Documents are stored in Firebase Cloud Storage; structured data lives in Firestore. Access is scoped to the signed-in user's organization at the data layer and at the API layer.

Headers and browser hardening

Production responses set a strict Content-Security-Policy, X-Frame-Options: DENY, X-Content-Type-Options: nosniff, Referrer-Policy: strict-origin-when-cross-origin, and a Permissions-Policy that disables camera, microphone, geolocation, and FLoC (interest-cohort). As a CSRF defence in addition to SameSite=Lax, API requests authenticated by the session cookie must also carry an X-Requested-With header, which a cross-site HTML form cannot add and which browsers will not send cross-origin without a CORS preflight.

Payments

We do not store card numbers. Buyer payments are processed by Razorpay; we keep only the order/payment IDs and status returned by their webhook. Each webhook is verified before it is processed: we recompute the HMAC-SHA256 of the raw request body with our webhook secret and compare it to the X-Razorpay-Signature header, and reject anything that does not match.

Reporting a vulnerability

Please email security@rfppro.in with steps to reproduce. We will acknowledge your report within 72 hours.