Security

How we protect your data and your users.

Architecture Overview

EthericLink is built with a separated frontend/backend architecture. The frontend (Next.js) handles UI only. All business logic, authentication, and data access run on an Express.js backend that is never exposed to the browser.

Authentication

OAuth Only

We use GitHub and Google OAuth. No passwords are ever stored or transmitted through our system.

Secure Sessions

HTTP-only, secure cookies with SameSite policy. Sessions expire after 7 days of inactivity.

Data Protection

Encryption in Transit

All connections use TLS/HTTPS. No data is transmitted in plaintext.

IP Hashing

Visitor IPs are hashed with SHA-256 before storage. We cannot reverse them to identify individuals.

Row-Level Security

Supabase RLS policies ensure users can only access their own data. The service role key is backend-only.

Auto-Cleanup

Guest links and all associated analytics are automatically purged after expiration.

Rate Limiting & Abuse Prevention

Protection               | Limit          | Scope
Guest link creation      | 10 per hour    | Per IP
Redirect requests        | 100 per minute | Per IP
Sliding window algorithm | Redis-backed   | Distributed
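
The sliding-window limits in the table, sketched as an added example (this is not EthericLink's code). The class and rule names are hypothetical, and an in-memory Map stands in for the Redis-backed store so the block runs offline.

```javascript
// Added example, not EthericLink's code. Limits are taken from the table above;
// the in-memory Map is a stand-in for the Redis-backed store (assumption).
const LIMITS = {
  guestLinkCreate: { max: 10, windowMs: 60 * 60 * 1000 }, // 10 per hour, per IP
  redirect: { max: 100, windowMs: 60 * 1000 },            // 100 per minute, per IP
};

class SlidingWindowLimiter {
  // `now` is injectable so the window can be exercised without real waiting.
  constructor(limits, now = () => Date.now()) {
    this.limits = limits;
    this.now = now;
    this.hits = new Map(); // "rule:ip" -> ascending timestamps of accepted hits
  }

  check(rule, ip) {
    const limit = this.limits[rule];
    if (!limit) throw new Error(`unknown rule: ${rule}`);
    const key = `${rule}:${ip}`;
    const t = this.now();
    // Keep only hits inside the trailing window (t - windowMs, t].
    const log = (this.hits.get(key) || []).filter((ts) => ts > t - limit.windowMs);
    const allowed = log.length < limit.max;
    if (allowed) log.push(t); // rejected requests are not counted
    if (log.length > 0) this.hits.set(key, log);
    else this.hits.delete(key);
    return {
      allowed,
      remaining: limit.max - log.length,
      // Time until the oldest hit leaves the window and frees a slot.
      retryAfterMs: allowed ? 0 : log[0] + limit.windowMs - t,
    };
  }
}

// Constructed run: 101 redirect requests from one documentation-range IP in one second.
function demo() {
  let clock = 0;
  const limiter = new SlidingWindowLimiter(LIMITS, () => clock);
  const results = [];
  for (let i = 0; i < 101; i++) {
    clock = i * 10;
    results.push(limiter.check('redirect', '203.0.113.7'));
  }
  return results[100]; // the 101st request
}
console.log(demo());
```

Because the window trails each request instead of resetting on a fixed boundary, a client cannot double its allowance by bursting on either side of a reset. For the limit to hold across several backend instances, the per-key log has to live in the shared store, not in process memory.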

Infrastructure

  • Database: Supabase (PostgreSQL) with encrypted storage at rest
  • Cache: Upstash Redis (TLS-encrypted, HTTP-based)
  • Backend: Express.js with Helmet security headers, CORS whitelisting, and trust proxy configuration
  • Frontend: Next.js on Vercel with automatic HTTPS and edge CDN

Security Headers

Our backend uses helmet to set the following security headers on every response:

  • X-Content-Type-Options: nosniff
  • X-Frame-Options: DENY
  • X-XSS-Protection: 0 (modern CSP preferred)
  • Strict-Transport-Security (HSTS in production)
  • Content-Security-Policy defaults

Responsible Disclosure

If you discover a security vulnerability, please report it responsibly to security@ethericlink.io. We will acknowledge your report within 48 hours and work with you to understand and address the issue.

Please do not publicly disclose the vulnerability until we have had a chance to address it.