Security
Last updated: June 25, 2026
01 Encryption in transit
All traffic between your device, the app, and our servers is encrypted with HTTPS (TLS). We also send a Strict-Transport-Security (HSTS) header, so once a browser has seen it, that browser refuses to connect to us over plain HTTP and treats certificate errors as fatal instead of offering a click-through.
02 Encryption at rest
The most sensitive content, private chat messages (and their attachments), check-in answers (which can contain health information), and the AI summaries of both, is encrypted in the database with AES-256-GCM. Each value uses a fresh random IV and carries its own authentication tag, so identical inputs encrypt differently and any tampering with a stored value is detected at decryption time rather than silently producing garbage. This keeps that data unreadable to anyone who obtains raw database access (a dump, a backup, or a leaked connection string) without also obtaining the encryption key.
03 Passwords
Passwords are never stored in plain text. They are hashed with bcrypt, a deliberately slow, per-password-salted algorithm built for this purpose, so even we cannot read them, and a leaked database yields only hashes that are expensive to brute-force.
04 Access control: your data stays yours
Every request is authenticated with a short-lived JSON Web Token and then authorized on the server: the token says who you are, and the server checks whether that identity owns the record being requested. A coach can only ever reach their own clients; a client can only ever reach their own data. Because these ownership checks run on the server for each request, they can't be bypassed from a modified app or a crafted API call.
05 Defense against abuse
- Rate limiting: login, sign-up, and password endpoints are throttled per IP to slow brute-force and credential-stuffing attacks; a looser limit on every other route protects against scraping and denial-of-service.
- Hardened HTTP headers: a strict Content-Security-Policy, X-Frame-Options: DENY (no clickjacking), X-Content-Type-Options: nosniff, and a locked-down Permissions-Policy.
- Origin allowlist (CORS): only our own apps may call the API from a browser.
- Capped queries: list endpoints cap how many rows one request can ask for, so a single call can't pull a whole table or overload the database.
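As an added example, not CoachFlow's code, here is a per-IP sliding-window limiter with a tighter bucket for authentication routes and a looser one for everything else, together with the page-size clamp the last bullet describes. It is written for Node.js (an assumed stack); the route pattern, limits and window sizes are illustrative, and the limiter is process-local, so a deployment with several API instances would back it with a shared store.

```javascript
// Added example (not CoachFlow's code): per-IP rate limiting and a capped
// page size. Limits, window lengths and the /auth/ route prefix are
// assumptions; the clock is injected so the behaviour is testable.

class SlidingWindowLimiter {
  constructor(maxRequests, windowMs) {
    this.max = maxRequests;
    this.windowMs = windowMs;
    this.hits = new Map(); // key -> timestamps (ms) inside the current window
  }

  // True if the request may proceed, false if the caller should answer 429.
  // A rejected request is not recorded, so being blocked does not extend the block.
  allow(key, nowMs = Date.now()) {
    const cutoff = nowMs - this.windowMs;
    const recent = (this.hits.get(key) || []).filter((t) => t > cutoff);
    if (recent.length >= this.max) {
      this.hits.set(key, recent);
      return false;
    }
    recent.push(nowMs);
    this.hits.set(key, recent);
    return true;
  }

  // Drop keys with no hits in the window so a scan from many IPs cannot
  // grow the map without bound. Call periodically.
  sweep(nowMs = Date.now()) {
    const cutoff = nowMs - this.windowMs;
    for (const [key, stamps] of this.hits) {
      if (!stamps.some((t) => t > cutoff)) this.hits.delete(key);
    }
    return this.hits.size;
  }
}

// Tight bucket for credential endpoints, loose bucket for the rest (assumed values).
const authLimiter = new SlidingWindowLimiter(10, 15 * 60 * 1000);
const globalLimiter = new SlidingWindowLimiter(300, 60 * 1000);

// Returns null when the request may proceed, or 429 when it should be refused.
// The IP passed in must already be the real client address (only trust
// X-Forwarded-For when it was set by your own proxy).
function checkRateLimit(path, ip, nowMs = Date.now()) {
  const limiter = /^\/auth\/(login|signup|password)/.test(path) ? authLimiter : globalLimiter;
  return limiter.allow(ip, nowMs) ? null : 429;
}

// Clamp a "?limit=" query value to [1, MAX_PAGE_SIZE], falling back to the
// default for anything missing, non-numeric, zero or negative.
const MAX_PAGE_SIZE = 100;
function clampPageSize(raw, defaultSize = 25) {
  const n = Number.parseInt(raw, 10);
  if (!Number.isFinite(n) || n < 1) return defaultSize;
  return Math.min(n, MAX_PAGE_SIZE);
}

module.exports = { SlidingWindowLimiter, checkRateLimit, clampPageSize, MAX_PAGE_SIZE };
```

Per-IP limits slow single-source brute force; distributed credential stuffing spreads across many addresses, which is why the per-account lockout and slow password hashing from the sections above matter as well.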
06 Secure configuration
The server refuses to start in production if the token signing secret is missing, weak, or a known default, so a misconfiguration can't silently put the platform at risk. Access and refresh tokens are signed with separate secrets, so a token of one kind can never be accepted as the other.
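An added example, not CoachFlow's code, of the kind of startup check just described, for Node.js (an assumed stack). The environment variable names, the minimum length, the entropy threshold and the list of rejected defaults are all illustrative assumptions; the point is that the check runs before the server binds a port and throws in production rather than logging a warning.

```javascript
// Added example (not CoachFlow's code): refuse to boot with a missing, weak,
// default, or shared JWT secret. Variable names, thresholds and the default
// list are assumptions for the demo.
const MIN_SECRET_BYTES = 32;
const KNOWN_DEFAULTS = new Set([
  'secret', 'changeme', 'password', 'jwt-secret', 'your-secret-key', 'dev', 'test', 'supersecret',
]);

// Shannon entropy in bits per character. A random 32+ byte hex or base64
// secret scores close to 4 or higher; a repeated character or a short word
// scores far lower.
function bitsPerChar(s) {
  const counts = new Map();
  for (const ch of s) counts.set(ch, (counts.get(ch) || 0) + 1);
  let h = 0;
  for (const c of counts.values()) {
    const p = c / s.length;
    h -= p * Math.log2(p);
  }
  return h;
}

function secretProblems(name, value) {
  const problems = [];
  if (!value) {
    problems.push(`${name} is not set`);
    return problems;
  }
  if (KNOWN_DEFAULTS.has(value.trim().toLowerCase())) problems.push(`${name} is a well-known default`);
  if (Buffer.byteLength(value, 'utf8') < MIN_SECRET_BYTES) problems.push(`${name} is shorter than ${MIN_SECRET_BYTES} bytes`);
  if (bitsPerChar(value) < 3.0) problems.push(`${name} has too little entropy`);
  return problems;
}

// Returns the list of problems. In production a non-empty list is fatal;
// elsewhere the caller can log it and continue.
function validateTokenSecrets(env) {
  const access = env.ACCESS_TOKEN_SECRET;
  const refresh = env.REFRESH_TOKEN_SECRET;
  const problems = [
    ...secretProblems('ACCESS_TOKEN_SECRET', access),
    ...secretProblems('REFRESH_TOKEN_SECRET', refresh),
  ];
  if (access && access === refresh) problems.push('access and refresh secrets must differ');
  if (problems.length > 0 && env.NODE_ENV === 'production') {
    throw new Error(`refusing to start: ${problems.join('; ')}`);
  }
  return problems;
}

module.exports = { bitsPerChar, secretProblems, validateTokenSecrets };
```

Run this at the very top of the server's entry point, before any route or database client is created, so a bad deployment fails loudly in the first second rather than serving tokens anyone could forge.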
07 Responsible disclosure
Found a vulnerability? Please report it privately to official.kareem.ahmed@gmail.com before disclosing it publicly. We'll acknowledge your report and work with you on a fix. We're grateful to researchers who help keep coaches and athletes safe.
See also our Privacy Policy and Licenses & attributions.
© 2026 CoachFlow · Elite Athletics. All rights reserved.
