
Security

CARBN.ZONE takes your data security seriously. Our infrastructure is regularly tested against industry-standard security benchmarks.

A+ SSL/TLS Grade (Qualys SSL Labs): full HTTPS encryption with modern TLS 1.3 configuration
A+ Security Headers (Snyk, securityheaders.com): CSP, HSTS, X-Frame-Options, and all recommended headers enforced

WHAT WE PROTECT

Strava OAuth 2.0: Secure token-based authentication
Encrypted at rest: All data encrypted in Supabase PostgreSQL
HTTPS only: TLS 1.3 encryption for all connections
No tracking: No third-party analytics or ad trackers
Token auto-refresh: Strava tokens refreshed automatically
Row-level security: Database policies isolate user data
Rate limited API: All API endpoints protected against abuse (2–30 req/min)
Nonce-based CSP: Per-request nonce — inline scripts blocked at browser level
CSRF protection: Origin header verified on all state-changing requests
XSS-safe rendering: No dangerouslySetInnerHTML — user data never injected raw

API SECURITY

Authentication
Every API route validates a NextAuth session before executing. No session → 401.
Rate Limiting
Token-bucket limiter on all endpoints (2–30 req/min per IP). Responses include Retry-After and X-RateLimit-* headers per RFC 6585.
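As an added example (not CARBN.ZONE's own code), here is a per-client token-bucket limiter that returns the decision together with the response headers described above: a 429 with Retry-After (RFC 6585) when the bucket is empty, and the de facto X-RateLimit-* headers on every response. The 2 req/min figure is the lower bound the page states; the in-memory Map store, the fixed timestamp and the sample IP are constructed for illustration (a multi-region Edge deployment would share bucket state through an external store).

```javascript
// Added example, not CARBN.ZONE's code. Token bucket: each key (a client IP)
// owns a bucket holding at most `capacity` tokens, refilled continuously at
// `capacity` tokens per `windowMs`. One request consumes one token.
function createTokenBucketLimiter({ capacity, windowMs, store = new Map() }) {
  const refillPerMs = capacity / windowMs;

  // `now` is injectable so the limiter can be exercised deterministically.
  return function consume(key, now = Date.now()) {
    let bucket = store.get(key);
    if (!bucket) {
      bucket = { tokens: capacity, updatedAt: now };
      store.set(key, bucket);
    }

    // Credit the tokens earned since the last visit, never above capacity.
    const elapsed = Math.max(0, now - bucket.updatedAt);
    bucket.tokens = Math.min(capacity, bucket.tokens + elapsed * refillPerMs);
    bucket.updatedAt = now;

    const common = { 'X-RateLimit-Limit': String(capacity) };

    if (bucket.tokens >= 1) {
      bucket.tokens -= 1;
      // Epoch seconds at which the bucket would be full again.
      const fullAgainMs = now + (capacity - bucket.tokens) / refillPerMs;
      return {
        allowed: true,
        status: 200,
        headers: {
          ...common,
          'X-RateLimit-Remaining': String(Math.floor(bucket.tokens)),
          'X-RateLimit-Reset': String(Math.ceil(fullAgainMs / 1000)),
        },
      };
    }

    // Whole seconds until one full token is available. RFC 6585 pairs the
    // 429 status with Retry-After so well-behaved clients back off.
    const retryAfterSec = Math.ceil((1 - bucket.tokens) / refillPerMs / 1000);
    return {
      allowed: false,
      status: 429,
      headers: {
        ...common,
        'Retry-After': String(retryAfterSec),
        'X-RateLimit-Remaining': '0',
        'X-RateLimit-Reset': String(Math.ceil(now / 1000) + retryAfterSec),
      },
    };
  };
}

// Demo: a 2 req/min endpoint, one constructed client IP (TEST-NET-3), three
// requests one second apart. The third is rejected and told when to retry.
function demo() {
  const limit = createTokenBucketLimiter({ capacity: 2, windowMs: 60_000 });
  const t0 = 1_700_000_000_000; // constructed fixed timestamp (ms)
  const ip = '203.0.113.7';
  return [0, 1000, 2000].map((dt) => limit(ip, t0 + dt));
}
```

The limiter is keyed per IP as the page describes; because tokens refill continuously rather than resetting on a fixed window boundary, a client that is rejected is told a Retry-After that actually corresponds to when its next request will succeed.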
CSRF Protection
Origin header verified against the allowed origins list on every POST, PATCH, PUT, and DELETE request. Cross-origin requests receive 403.
Content Security Policy
Nonce-based CSP generated per request in Edge middleware. Eliminates unsafe-inline and unsafe-eval from script-src.
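The CSRF Origin check and the per-request nonce CSP described in the two entries above, as an added example that is not CARBN.ZONE's code. It is written as plain functions so it runs outside Next.js; the real Edge middleware would wrap these around NextRequest/NextResponse. The allowed-origin list, the CSP directives other than the nonce'd script-src, the `x-nonce` forwarding header and the sample requests are assumptions constructed for illustration.

```javascript
// Added example, not CARBN.ZONE's code.
const ALLOWED_ORIGINS = new Set(['https://carbn.zone']); // assumed allow-list
const STATE_CHANGING = new Set(['POST', 'PATCH', 'PUT', 'DELETE']);

// CSRF check: browsers attach Origin to cross-site state-changing requests
// and page script cannot forge it, so any value not on the allow-list is
// refused with 403. A missing Origin on such a request is treated as a
// mismatch rather than trusted. Safe methods are not checked.
function checkOrigin(req, allowed = ALLOWED_ORIGINS) {
  if (!STATE_CHANGING.has(req.method.toUpperCase())) return { ok: true };
  const origin = req.headers.origin;
  if (!origin) return { ok: false, status: 403, reason: 'missing Origin' };
  if (!allowed.has(origin)) return { ok: false, status: 403, reason: 'origin not allowed' };
  return { ok: true };
}

// Per-request nonce: 128 random bits, base64 as the CSP grammar requires.
function generateNonce() {
  const bytes = new Uint8Array(16);
  globalThis.crypto.getRandomValues(bytes);
  return Buffer.from(bytes).toString('base64');
}

// script-src trusts only same-origin scripts plus inline scripts carrying
// this request's nonce; there is no 'unsafe-inline' or 'unsafe-eval'. An
// injected <script> that lacks the nonce is blocked by the browser.
// Directives other than script-src are an assumed baseline.
function buildCsp(nonce) {
  return [
    "default-src 'self'",
    `script-src 'self' 'nonce-${nonce}'`,
    "object-src 'none'",
    "base-uri 'self'",
    "frame-ancestors 'none'",
  ].join('; ');
}

// Middleware-style entry point: reject CSRF first, otherwise attach the CSP
// and forward the nonce (header name assumed) so the renderer can stamp it
// on the <script> tags it emits for this response.
function handle(req, nonce = generateNonce()) {
  const csrf = checkOrigin(req);
  if (!csrf.ok) return { status: 403, headers: {}, body: csrf.reason };
  return {
    status: 200,
    headers: { 'Content-Security-Policy': buildCsp(nonce), 'x-nonce': nonce },
  };
}

// Three constructed requests: a cross-site POST, a same-site POST, a GET.
function demo() {
  const reqs = [
    { method: 'POST', headers: { origin: 'https://other.example' } },
    { method: 'POST', headers: { origin: 'https://carbn.zone' } },
    { method: 'GET', headers: {} },
  ];
  return reqs.map((r) => handle(r, 'FIXEDNONCE').status);
}
```

Because the nonce is minted per request and never reused, a policy captured from one response is useless against the next; the check that matters operationally is that every server-rendered inline script carries the same nonce the header announces, which is why the value is forwarded downstream.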
XSS Audit
Full codebase search for dangerouslySetInnerHTML, __html, and innerHTML — none found. User-supplied content is never injected as raw HTML.
Row-Level Security
Supabase RLS policies enforce data isolation at the database level — independent of application-layer auth.
LAST AUDITED: April 2026