Security
Last Updated: May 13, 2026
Our Security Approach
We take the security of SpeakOX and the privacy of our users seriously. This page describes the technical and organizational measures we have in place, and how to responsibly report a vulnerability you discover.
Infrastructure Security
Encryption in Transit
All traffic is encrypted using TLS 1.2 or higher. HTTP requests are automatically redirected to HTTPS. HTTP Strict Transport Security (HSTS) is enforced with a one-year max-age and preload eligibility.
Data at Rest
The PostgreSQL database storing user accounts and content is hosted on an encrypted volume. Passwords are hashed using bcrypt with a work factor that meets current NIST recommendations. We never store passwords in plain text.
Content Security Policy
A strict Content Security Policy (CSP) is applied on every response, limiting which scripts, styles, and frames can load. This mitigates cross-site scripting (XSS) and other content injection attacks by blocking sources the policy does not allow.
Rate Limiting
API and form submission endpoints are rate-limited per IP address to prevent brute-force attacks, credential stuffing, and denial-of-service attempts. Repeated violations trigger temporary blocks.
Input Sanitization
All user-supplied input is sanitized on the server side using established libraries (Bleach). HTML content from editors is parsed and cleaned to an allowlist of safe tags before storage and rendering.
CSRF Protection
All state-changing form submissions are protected with CSRF tokens (Flask-WTF). This prevents cross-site request forgery attacks.
Security Headers
Every HTTP response from SpeakOX includes the following security headers:
| Header | Value Summary |
|---|---|
| Strict-Transport-Security | max-age=31536000; includeSubDomains; preload |
| X-Content-Type-Options | nosniff |
| X-Frame-Options | SAMEORIGIN |
| Referrer-Policy | strict-origin-when-cross-origin |
| Permissions-Policy | geolocation=(), microphone=(), camera=() |
| Content-Security-Policy | default-src 'self'; script-src 'self' [trusted CDNs]; object-src 'none'; … |
Account Security
- Passwords are hashed with bcrypt — they are never stored or transmitted in plain text.
- Login sessions use secure, HTTP-only cookies with SameSite protection.
- Session activity is monitored and suspicious sessions can be revoked by admins.
- Failed login attempts are rate-limited to slow credential stuffing attacks.
- Users may post anonymously — account creation is optional for most content.
File Upload Security
- Uploaded files are validated by extension, MIME type, and magic bytes — not just the filename.
- Files that fail MIME validation are rejected before being stored.
- Uploaded media is stored and served with restricted Content-Type headers to prevent execution.
- Maximum file size limits are enforced per category (images 10 MB, documents 20 MB, audio 50 MB, video 100 MB).
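As an added illustration of the layered upload checks listed above (not SpeakOX's own code), the function below accepts a file only when its extension, the client-declared MIME type, the leading magic bytes, and the per-category size cap all agree. The allowlist of types is an assumption for the example; the size limits are the ones stated on this page.

```python
import os

# Per-category size caps in bytes, as stated on the page.
MAX_SIZE = {
    "image": 10 * 1024 * 1024,
    "document": 20 * 1024 * 1024,
    "audio": 50 * 1024 * 1024,
    "video": 100 * 1024 * 1024,
}

# Assumed allowlist for this example: extension -> (category, canonical MIME,
# accepted magic-byte prefixes). A real deployment would tune this list.
ALLOWED = {
    ".png":  ("image", "image/png", [b"\x89PNG\r\n\x1a\n"]),
    ".jpg":  ("image", "image/jpeg", [b"\xff\xd8\xff"]),
    ".jpeg": ("image", "image/jpeg", [b"\xff\xd8\xff"]),
    ".gif":  ("image", "image/gif", [b"GIF87a", b"GIF89a"]),
    ".pdf":  ("document", "application/pdf", [b"%PDF-"]),
    ".webm": ("video", "video/webm", [b"\x1a\x45\xdf\xa3"]),
}


def validate_upload(filename, declared_mime, data):
    """Return (ok, detail).

    On success detail is the canonical MIME type the server should use when
    storing and serving the file, ignoring whatever the client declared.
    On failure detail names the layer that rejected the file.
    """
    ext = os.path.splitext(filename)[1].lower()  # "x.png.html" -> ".html"
    if ext not in ALLOWED:
        return False, "extension not allowed"
    category, canonical_mime, magics = ALLOWED[ext]

    # The declared Content-Type is attacker-controlled; it must match the
    # extension, but it is never trusted on its own.
    declared = (declared_mime or "").split(";")[0].strip().lower()
    if declared != canonical_mime:
        return False, "declared MIME type does not match extension"

    # Magic bytes catch renamed files (e.g. HTML or script saved as .png).
    if not any(data.startswith(m) for m in magics):
        return False, "magic bytes do not match extension"

    if len(data) > MAX_SIZE[category]:
        return False, f"file exceeds {category} size limit"
    return True, canonical_mime
```

In a Flask handler the arguments map to `file.filename`, `file.mimetype`, and `file.read()`, and the returned canonical MIME type is what should be written to the stored object's Content-Type.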
Responsible Disclosure
We welcome security researchers who discover vulnerabilities and report them responsibly. If you believe you have found a security issue in SpeakOX, please:
- Do not exploit the vulnerability or access user data beyond what is necessary to demonstrate it.
- Email your findings to security@speakox.com with a clear description, steps to reproduce, and the potential impact.
- Allow us a reasonable amount of time to investigate and remediate before public disclosure.
We will acknowledge receipt of your report within 2 business days and aim to remediate critical issues within 30 days. We do not currently offer a paid bug bounty, but we will publicly credit researchers who report valid, impactful vulnerabilities (if they consent).
Our machine-readable security contact is also available at /.well-known/security.txt.