Security Policy
Authentication
- Passwords hashed with bcrypt (cost factor 12)
- JWT session tokens with configurable secret
- Google Sign-In with verified ID tokens (when configured)
Media protection
Uploads are not publicly listable. Media requires authentication token, share token, or drop token to access.
Transport
HTTPS required in production. HSTS and security headers enabled.
Rate limiting
API, auth, upload, and reel generation endpoints are rate-limited to prevent abuse.
Account lockout
After 5 failed login attempts within 15 minutes, the account is temporarily locked. Successful login clears the counter.
Audit logging
Security events (login success/failure, lockouts) are logged server-side. The platform owner can review the security dashboard at /api/security/dashboard.
Production headers
HSTS, Content-Security-Policy, X-Frame-Options, nosniff, Referrer-Policy, and Cross-Origin policies are enabled in production.
Reporting vulnerabilities
Responsible disclosure: support@reelym.com. We aim to respond within 72 hours.
Your responsibilities
Use a strong unique password. Do not share your login token. Review family and share link permissions regularly.