Security

How we protect your data, your clients' data, and your business.

Authentication

Every API request is authenticated with a JSON Web Token (JWT) issued by Supabase Auth. The token is validated server-side on every call: its signature and expiry are verified, not merely decoded and trusted.

Row-level security

Your data is isolated at the database level. PostgreSQL row-level security (RLS) policies are enforced by the database itself, so each team can only read or modify its own records, whichever query path reaches the database.

Payment security

Payments are processed entirely through Stripe. Card details go straight to Stripe; they never pass through or are stored on our servers. Every Stripe webhook event is accepted only after its signature has been cryptographically verified against our endpoint secret.

Transport encryption

All traffic is encrypted with TLS. We enforce HSTS with a two-year max-age, including subdomains, and the domain is registered on the HSTS preload list (Strict-Transport-Security: max-age=63072000; includeSubDomains; preload).

Rate limiting

Public-facing endpoints are rate-limited with sliding-window counters, which avoid the burst a fixed window permits at its boundary. Booking widgets, contact forms, and token endpoints all have per-IP and per-session limits.
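
How a sliding-window counter makes its decision, as an added example that is not Current's code: the previous fixed window's count is weighted by how much of it still overlaps the trailing window and added to the current count, so a client cannot spend a full quota at the end of one window and again at the start of the next. The limits, keys, addresses and clock below are constructed; the in-memory Map stands in for whatever shared store the real service uses.

```javascript
// Added example, not Current's code: a sliding-window counter limiter keyed
// by client IP and by session, with an injectable clock so the window
// arithmetic can be exercised deterministically. Limits and keys are constructed.
class SlidingWindowLimiter {
  constructor({ limit, windowMs }, clock = () => Date.now()) {
    this.limit = limit;
    this.windowMs = windowMs;
    this.clock = clock;
    this.buckets = new Map(); // key -> { start, current, previous }
  }

  // Weighted estimate of requests in the trailing window: the previous fixed
  // window's count, scaled by how much of it still overlaps the sliding
  // window, plus everything counted so far in the current fixed window.
  estimate(key, now) {
    const start = Math.floor(now / this.windowMs) * this.windowMs;
    let b = this.buckets.get(key);
    if (!b || b.start !== start) {
      // Roll forward. Keep the previous count only if that window is the one
      // immediately before this one; anything older has fully slid out.
      const previous = b && b.start === start - this.windowMs ? b.current : 0;
      b = { start, current: 0, previous };
      this.buckets.set(key, b);
    }
    const overlap = (this.windowMs - (now - start)) / this.windowMs;
    return { bucket: b, value: b.previous * overlap + b.current };
  }

  allow(key) {
    const now = this.clock();
    const { bucket, value } = this.estimate(key, now);
    if (value >= this.limit) return false;
    bucket.current += 1;
    return true;
  }
}

// A request passes only if both the client IP and the session are under their
// limits. The IP check runs first so a blocked IP does not burn session budget.
function makeRequestGate(clock) {
  const perIp = new SlidingWindowLimiter({ limit: 5, windowMs: 10_000 }, clock);
  const perSession = new SlidingWindowLimiter({ limit: 3, windowMs: 10_000 }, clock);
  return (ip, sessionId) => perIp.allow(`ip:${ip}`) && perSession.allow(`session:${sessionId}`);
}

// Constructed demo with a fake clock. Returns the decision at each step.
function demo() {
  let t = 0;
  const gate = makeRequestGate(() => t);
  const out = [];
  for (let i = 0; i < 4; i++) { out.push(gate("198.51.100.7", `s${i}`)); t += 1000; } // 4 ok, distinct sessions
  out.push(gate("198.51.100.7", "s9")); // 5th from the same IP within 10 s: ok
  out.push(gate("198.51.100.7", "s9")); // 6th: IP limit reached -> false
  t = 10_000; out.push(gate("198.51.100.7", "s9")); // new fixed window, but the previous 5 still count fully -> false
  t = 16_000; out.push(gate("198.51.100.7", "s9")); // 5 * 0.4 = 2 still counted -> allowed
  return out;
}

console.log(demo());
```

The step at t = 10 s is the one a fixed-window counter gets wrong: it would reset to zero and let five more requests through immediately. Here the previous window's count only fades out as time passes.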

Content security policy

Strict Content-Security-Policy headers restrict which scripts, styles, and network connections the browser may load for our pages, limiting what an injected script could do if a cross-site scripting bug slipped through.

OAuth protection

All third-party connections (Dropbox, Google Calendar, Stripe, Slack) use cryptographically random OAuth state tokens that expire after 10 minutes and can be redeemed only once, so an attacker cannot forge or replay an authorization callback (the cross-site request forgery the state parameter exists to prevent).

Your photographs

Current never stores your photos. Images stay in your Dropbox; we fetch them through short-lived temporary links only to generate thumbnails. We do not train AI models on your images or share them with third parties.

Additional measures

  • All database queries use parameterized statements. No raw SQL from user input.
  • Soft-delete architecture: records are flagged as deleted rather than destroyed, so data is never permanently lost by accident.
  • API keys are SHA-256 hashed before storage; only the hash is kept, so a leaked database does not expose the keys themselves.
  • Security headers include X-Frame-Options, X-Content-Type-Options, Referrer-Policy, and Permissions-Policy.
  • Essential cookies only. No advertising trackers.

Found a vulnerability? Please report it to security@bookwithcurrent.com. We take every report seriously.