Security
Proprelay handles property ownership, transfers, billing, and integration credentials. We treat security as an ongoing program, not a one-time launch task.
Responsible disclosure
If you believe you have found a security vulnerability, please report it privately. Include steps to reproduce, affected URLs or APIs, and your assessment of impact.
Contact: security@proprelay.app
Machine-readable policy: /.well-known/security.txt
What we protect
- Authentication and session handling via Supabase with edge session refresh.
- Row-level security on property data; integration secrets in a dedicated table.
- Stripe webhook signature verification, idempotency, and amount checks.
- CSRF origin checks on mutating API routes; SSRF guards on user-supplied URLs.
- Rate limiting on auth surfaces and APIs (per-instance by default, shared across instances when Redis is configured).
Program
Dependency audits, lint, and secret scanning run on every pull request. Security headers use a strict Content Security Policy with Subresource Integrity in production. See SECURITY.md in the repository for the full checklist and launch runbook.
