Security

• In transit: All connections use TLS 1.2/1.3 encryption. No unencrypted HTTP traffic is accepted.
• At rest: Database storage is encrypted via AES-256 through our database provider (Neon PostgreSQL).
• Passwords: Hashed using bcrypt with a cost factor of 12. We never store plaintext passwords.
• MFA secrets: Authenticator secrets are encrypted at rest using AES-256-GCM with authenticated encryption. Recovery codes are individually hashed with bcrypt.

• Password requirements: Minimum 12 characters with a blocklist of 55+ commonly breached passwords and pattern detection for repeating/sequential characters.
• Multi-factor authentication (MFA): Industry-standard TOTP (RFC 6238) compatible with Google Authenticator, Microsoft Authenticator, Authy, 1Password, and iPhone Passwords. 10 single-use recovery codes are provided as a backup.
• Passkeys (WebAuthn): Phishing-resistant, hardware-backed authentication for the strongest account protection.
• Account lockout: Automatic lockout after repeated failed login attempts to prevent brute-force attacks.

• Secure cookies: Session cookies use HttpOnly, Secure, and SameSite flags with the __Secure- prefix in production.
• Session management: You can view, manage, and revoke sessions from your account settings. New device logins trigger email alerts.
• OAuth app access: You can see which applications have access to your account and revoke access at any time.

• Content Security Policy: Nonce-based CSP with strict-dynamic prevents cross-site scripting (XSS) attacks. No unsafe-inline or unsafe-eval for scripts.
• CSRF protection: Origin validation on all state-changing requests prevents cross-site request forgery.
• Rate limiting: Automated rate limiting protects login, MFA verification, MFA setup, and MFA disable endpoints against brute-force attacks and credential stuffing.
• Security headers: HSTS, X-Frame-Options, Permissions-Policy, and other headers are enforced on every response.

• PII scrubbing: Personal information is automatically stripped from error reports and monitoring data.
• Minimal data exposure: All database queries use explicit column selection to prevent accidental data leaks.
• Account data export: You can export your personal data at any time from your account settings.
• Input sanitization: All user-submitted content is sanitized to prevent injection attacks.

EconChangers serves as the central identity provider for all EconChangers LLC properties. When you sign in to FlockTank, FlockWorker, or FlockList, your credentials stay with EconChangers — child applications never see your password. All properties operate under the econchangers.com domain, ensuring seamless sign-on without cross-site cookie issues.

• Single Sign-On: Sign in once to EconChangers and you are automatically signed in to FlockTank, FlockWorker, and FlockList — no repeated logins needed.
• Single Sign-Out: Signing out of any property signs you out of all EconChangers services simultaneously, with back-channel notifications ensuring immediate session termination.
• PKCE required: All OAuth flows use Proof Key for Code Exchange to prevent authorization code interception.
• Token rotation: Refresh tokens are automatically rotated on each use. Reuse of a revoked token invalidates the entire token family.
• Short-lived tokens: Access tokens expire after 1 hour. ID tokens expire after 1 hour. Refresh tokens expire after 30 days.
• Exact-match redirect URIs: No wildcard redirects are permitted, preventing open redirect attacks.