Security Policy

How we protect your account and memories

Authentication

  • Passwords hashed with bcrypt (cost factor 12)
  • JWT session tokens with configurable secret
  • Google Sign-In with verified ID tokens (when configured)

Media protection

Uploads are not publicly listable. Media requires authentication token, share token, or drop token to access.

Transport

HTTPS required in production. HSTS and security headers enabled.

Rate limiting

API, auth, upload, and reel generation endpoints are rate-limited to prevent abuse.

Account lockout

After 5 failed login attempts within 15 minutes, the account is temporarily locked. Successful login clears the counter.

Audit logging

Security events (login success/failure, lockouts) are logged server-side. The platform owner can review the security dashboard at /api/security/dashboard.

Production headers

HSTS, Content-Security-Policy, X-Frame-Options, nosniff, Referrer-Policy, and Cross-Origin policies are enabled in production.

Reporting vulnerabilities

Responsible disclosure: support@reelym.com. We aim to respond within 72 hours.

Your responsibilities

Use a strong unique password. Do not share your login token. Review family and share link permissions regularly.