© 2026 38Hub. Built with ♥ in Newcastle, NSW.
Trust & Security

Security Built In, Not Bolted On

Every 38Hub account is protected by a multi-layered security engine — a Web Application Firewall, brute-force lockout, two-factor authentication, audit logging, and strict data isolation. Here is exactly how it works.


Authentication & Access

Multiple lines of defense between an attacker and your account.

Google OAuth + Email/Password

Sign in with Google or email. New accounts go through an admin approval gate before they can access the app — bots and drive-by signups are filtered out.

Two-Factor Authentication (TOTP)

Enroll any authenticator app — Google Authenticator, Authy, 1Password — and 38Hub will require a 6-digit code at every login. Managed by Supabase's native MFA.

Account Lockout

After a configurable number of failed login attempts in a short window, the account is temporarily locked. Stops password spraying and credential-stuffing cold.

Active Session Management

See every device currently signed in to your account from Settings → Security. Sign out all other sessions with one click. Your current session is always marked.

Rate Limiting

Authentication and AI endpoints are rate-limited per user and per IP via Upstash Redis. Brute force and scraping attacks hit a wall before they can do damage.
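The lockout and rate-limiting behaviour described in the two sections above, as an added example that is not 38Hub's own code. It backs both checks with one in-memory fixed-window counter that mirrors the INCR + EXPIRE pattern normally used in Redis; every threshold, window size and lock duration is an assumed value, not 38Hub's configuration, and `checkPassword` is a stand-in for a real credential check.

```javascript
// Added example, not 38Hub's own code: the account-lockout and per-user /
// per-IP rate-limiting behaviour described above, backed by an in-memory
// fixed-window counter that mirrors the Redis INCR + EXPIRE pattern.
// All thresholds and window sizes are assumed values, not 38Hub's settings.

// Fixed-window counter keyed by any string (account id, client IP, ...).
class WindowCounter {
  constructor() { this.buckets = new Map(); }

  // Increment `key` and return the new count; an expired bucket is
  // replaced by a fresh window that starts at `now` (milliseconds).
  hit(key, windowMs, now) {
    const bucket = this.buckets.get(key);
    if (!bucket || now >= bucket.expiresAt) {
      this.buckets.set(key, { count: 1, expiresAt: now + windowMs });
      return 1;
    }
    bucket.count += 1;
    return bucket.count;
  }

  reset(key) { this.buckets.delete(key); }
}

// Lock an account for `lockMs` once `maxFailures` failed logins land
// inside `windowMs`; a successful login clears both the counter and the lock.
class LockoutPolicy {
  constructor({ maxFailures = 5, windowMs = 10 * 60_000, lockMs = 15 * 60_000 } = {}) {
    Object.assign(this, { maxFailures, windowMs, lockMs });
    this.failures = new WindowCounter();
    this.lockedUntil = new Map();
  }

  isLocked(account, now) {
    const until = this.lockedUntil.get(account);
    if (until === undefined) return false;
    if (now < until) return true;
    this.lockedUntil.delete(account); // lock has expired
    return false;
  }

  // Returns true when this failure is the one that triggers the lock.
  recordFailure(account, now) {
    if (this.failures.hit(account, this.windowMs, now) < this.maxFailures) return false;
    this.lockedUntil.set(account, now + this.lockMs);
    this.failures.reset(account);
    return true;
  }

  recordSuccess(account) {
    this.failures.reset(account);
    this.lockedUntil.delete(account);
  }
}

// Fixed-window limiter: at most `limit` hits per `windowMs` for each key.
class RateLimiter {
  constructor({ limit, windowMs }) {
    Object.assign(this, { limit, windowMs, counter: new WindowCounter() });
  }

  allow(key, now) { return this.counter.hit(key, this.windowMs, now) <= this.limit; }
}

// Gate a login attempt: rate limits and the lockout are checked before the
// password is ever verified. `checkPassword` is a stand-in for the real check.
function handleLogin({ account, ip, password, now }, deps) {
  const { lockout, ipLimiter, userLimiter, checkPassword } = deps;
  if (!ipLimiter.allow(`ip:${ip}`, now)) return 'rate_limited_ip';
  if (!userLimiter.allow(`user:${account}`, now)) return 'rate_limited_user';
  if (lockout.isLocked(account, now)) return 'locked';
  if (checkPassword(account, password)) {
    lockout.recordSuccess(account);
    return 'ok';
  }
  return lockout.recordFailure(account, now) ? 'locked' : 'invalid_credentials';
}

// Constructed scenario: five wrong passwords one second apart lock the
// account, the correct password is refused while the lock holds, and it is
// accepted again once the lock has expired.
function demo() {
  const deps = {
    lockout: new LockoutPolicy({ maxFailures: 5 }),
    ipLimiter: new RateLimiter({ limit: 20, windowMs: 60_000 }),
    userLimiter: new RateLimiter({ limit: 10, windowMs: 60_000 }),
    checkPassword: (_account, pw) => pw === 'correct horse battery staple', // stand-in
  };
  const attempt = (password, now) =>
    handleLogin({ account: 'alice', ip: '203.0.113.7', password, now }, deps);
  const results = [];
  for (let i = 1; i <= 5; i++) results.push(attempt('wrong', i * 1000));
  results.push(attempt('correct horse battery staple', 6000));
  results.push(attempt('correct horse battery staple', 6000 + 16 * 60_000));
  return results;
}
```

`demo()` returns four `invalid_credentials` results, then `locked` twice (the fifth failure and the correct password while the lock holds), then `ok` after the lock expires. The per-IP limit sits in front of the per-user limit so that a spray across many accounts from one address is stopped before any per-account counter moves; in production the counter lives in Redis so that every edge instance sees the same state.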

Single-Device Mode (Optional)

For users who want it, we can enforce one active device per account. Signing in somewhere new automatically logs out the previous device.

Data Protection

Your content, your API keys, and your account data — all isolated and encrypted.

Encrypted in Transit

TLS 1.3 on every request, with HTTP Strict Transport Security (HSTS) set to two years and submitted for preloading in browsers.

Encrypted at Rest

PostgreSQL storage is encrypted at rest via Supabase. Ideas, drafts, cooked content, and metadata all sit behind provider-managed encryption.

BYOK Keys AES-256 Encrypted

If you bring your own AI provider keys, we encrypt them with AES-256 before writing to the database. We never return raw keys to the browser — only masked previews.

Row-Level Security on Every Table

PostgreSQL RLS policies force every read and write to be scoped by user_id. Even if a query tried to reach across users, the database would refuse it.

Web Application Firewall

An edge-layer WAF inspects every request before it touches the application. It runs at the edge, so bad traffic never reaches the app, and blocks requests matching any of these patterns:

  • Path traversal (../, %2e%2e)
  • SQL injection probes (UNION SELECT, OR 1=1, DROP)
  • Scanner user-agents (sqlmap, nikto, nmap, nuclei)
  • Suspicious file requests (.php, .asp, .env, .git)
  • Null byte attacks
  • Double-encoded payloads
  • Custom admin-defined blocklist

The WAF is configurable from the admin console: platform operators can toggle it, add custom blocked user-agents, and tune rules without a deploy.
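A request inspector implementing the block patterns listed above, added here as an example rather than taken from 38Hub's WAF. It is shaped like an edge-middleware check: the rule names, the `config` object (an enable toggle plus the admin-defined user-agent blocklist) and every sample request are constructed for this example.

```javascript
// Added example, not 38Hub's WAF: a request inspector that implements the
// block patterns listed above, shaped like an edge-middleware check. Rule
// names, the `config` shape and all sample requests are constructed here.

const SCANNER_UA = ['sqlmap', 'nikto', 'nmap', 'nuclei'];
const BLOCKED_EXT = ['.php', '.asp', '.env', '.git'];
const SQLI_PROBES = [/union\s+select/i, /\bor\s+1\s*=\s*1\b/i, /\bdrop\s+(table|database)\b/i];

// Percent-decode repeatedly (bounded) and report how many layers were
// needed, so %252e%252e is judged by its final form and flagged as
// double-encoded. Malformed encodings stop decoding rather than throw.
function fullyDecode(s) {
  let value = s;
  for (let layers = 0; layers < 3; layers++) {
    let next;
    try { next = decodeURIComponent(value); } catch { return { value, layers }; }
    if (next === value) return { value, layers };
    value = next;
  }
  return { value, layers: 3 };
}

function block(rule) { return { blocked: true, rule }; }

// `req` is { path, query, headers }; returns { blocked, rule }.
function inspect(req, config = { enabled: true, customBlockedUa: [] }) {
  if (!config.enabled) return { blocked: false, rule: null };
  const ua = (req.headers['user-agent'] || '').toLowerCase();
  const target = fullyDecode(req.path + (req.query ? `?${req.query}` : ''));
  const path = fullyDecode(req.path).value.toLowerCase();

  if (target.value.includes('\0')) return block('null_byte');
  if (target.layers > 1) return block('double_encoded');
  if (target.value.includes('../') || target.value.includes('..\\')) return block('path_traversal');
  if (BLOCKED_EXT.some(ext => path.endsWith(ext) || path.includes(`${ext}/`))) return block('suspicious_file');
  if (SQLI_PROBES.some(re => re.test(target.value))) return block('sqli_probe');
  if (SCANNER_UA.some(name => ua.includes(name))) return block('scanner_ua');
  if (config.customBlockedUa.some(name => name && ua.includes(name.toLowerCase()))) return block('custom_blocklist');
  return { blocked: false, rule: null };
}

// Constructed sample traffic: one ordinary request and one per rule.
const SAMPLES = [
  { path: '/api/ideas', query: 'page=2', headers: { 'user-agent': 'Mozilla/5.0' } },
  { path: '/assets/%2e%2e/%2e%2e/config.yml', query: '', headers: { 'user-agent': 'Mozilla/5.0' } },
  { path: '/search', query: 'q=1%20UNION%20SELECT%202', headers: { 'user-agent': 'Mozilla/5.0' } },
  { path: '/', query: '', headers: { 'user-agent': 'sqlmap/1.7' } },
  { path: '/.env', query: '', headers: { 'user-agent': 'Mozilla/5.0' } },
  { path: '/download', query: 'file=report.pdf%00', headers: { 'user-agent': 'Mozilla/5.0' } },
  { path: '/files/%252e%252e/', query: '', headers: { 'user-agent': 'Mozilla/5.0' } },
  { path: '/', query: '', headers: { 'user-agent': 'ExampleBot/2.0' } },
];

// Run every sample through the inspector with one admin-defined UA block.
function classifySamples() {
  const config = { enabled: true, customBlockedUa: ['examplebot'] };
  return SAMPLES.map(req => inspect(req, config).rule);
}
```

Two design points matter more than the pattern list. First, every check runs on the fully decoded request, so `%2e%2e` and `%252e%252e` are caught by the same traversal logic instead of needing one pattern per encoding. Second, the double-encoding rule is a blunt instrument: a legitimate query value that happens to contain a literal `%25` will also need two decode passes, so a real deployment should log that rule's hits and review them before trusting it in blocking mode.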

Monitoring & Alerting

Every sensitive event is logged. Nothing happens in the dark.

Full Audit Log

Login success and failure, OAuth sign-ins, account lockouts, password reset requests, MFA enrollment and challenges, and sign-out-all events are all recorded with user, IP, and timestamp.

Admin Actions Tracked

Pricing changes, feature flag flips, user impersonation sessions, and lockout unlocks are all written to the audit log. Every admin action is reviewable.

Security Dashboard

The admin Security dashboard shows failed logins in the last 24 hours, active lockouts, 2FA adoption rate, and a filterable timeline of every authentication event.

Platform Security

HTTP security headers on every response — defense in depth against XSS, clickjacking, and content-type attacks.

Content-Security-Policy

Restrictive policy — only Stripe, Google OAuth, Supabase, approved AI providers (Anthropic, OpenAI, Google, OpenRouter), and YouTube CDNs can be contacted. Inline script injection is blocked.

Strict-Transport-Security

max-age=63072000 with includeSubDomains and preload. Browsers refuse to connect over plain HTTP for two years — HSTS preload-ready.

X-Frame-Options: DENY

38Hub cannot be embedded in an iframe on any other domain. Blocks clickjacking attacks outright.

Permissions-Policy

camera=(), geolocation=(), payment=() are fully disabled. microphone=(self) is allowed only for voice-note capture.

Referrer-Policy

strict-origin-when-cross-origin — cross-origin navigation sends only the origin, never the full URL, and nothing at all when the destination downgrades to plain HTTP.

X-Content-Type-Options: nosniff

Browsers honor the Content-Type we send instead of guessing. Blocks MIME-confusion attacks.
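An auditor that checks a set of response headers against the policy described in this section, added here as an example and not 38Hub's own code. It parses the HSTS, CSP and Permissions-Policy values rather than string-matching them, so it catches a weakened directive and not just a missing header. The two header sets at the bottom are constructed: the "good" CSP allowlist is illustrative and is not 38Hub's actual policy.

```javascript
// Added example, not 38Hub's code: audit response headers against the
// policy described above. The sample header sets are constructed; the
// CSP allowlist in GOOD_HEADERS is illustrative, not 38Hub's real policy.

const TWO_YEARS = 63072000;

function parseHsts(value) {
  const directives = value.split(';').map(d => d.trim().toLowerCase()).filter(Boolean);
  const maxAge = directives.find(d => d.startsWith('max-age='));
  return {
    maxAge: maxAge ? Number(maxAge.slice('max-age='.length)) : null,
    includeSubDomains: directives.includes('includesubdomains'),
    preload: directives.includes('preload'),
  };
}

// CSP -> { 'script-src': ["'self'", ...], ... }
function parseCsp(value) {
  const out = {};
  for (const part of value.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length) out[tokens[0].toLowerCase()] = tokens.slice(1);
  }
  return out;
}

// Permissions-Policy -> { camera: [], microphone: ['self'], ... }
function parsePermissionsPolicy(value) {
  const out = {};
  for (const part of value.split(',')) {
    const m = part.trim().match(/^([a-z-]+)=\((.*)\)$/i);
    if (m) out[m[1].toLowerCase()] = m[2].trim() === '' ? [] : m[2].trim().split(/\s+/);
  }
  return out;
}

// Returns a list of findings; an empty list means the headers match policy.
function auditHeaders(headers) {
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = v;
  const findings = [];

  const hsts = h['strict-transport-security'];
  if (!hsts) findings.push('HSTS missing');
  else {
    const p = parseHsts(hsts);
    if (p.maxAge === null || p.maxAge < TWO_YEARS) findings.push('HSTS max-age below two years');
    if (!p.includeSubDomains) findings.push('HSTS lacks includeSubDomains');
    if (!p.preload) findings.push('HSTS lacks preload');
  }

  const csp = h['content-security-policy'];
  if (!csp) findings.push('CSP missing');
  else {
    const d = parseCsp(csp);
    const script = d['script-src'] || d['default-src'] || [];
    if (script.includes("'unsafe-inline'")) findings.push("CSP allows 'unsafe-inline' scripts");
    if (script.includes('*')) findings.push('CSP script-src allows any origin');
    if (!d['default-src']) findings.push('CSP lacks default-src fallback');
  }

  if ((h['x-frame-options'] || '').toUpperCase() !== 'DENY') findings.push('X-Frame-Options is not DENY');
  if ((h['x-content-type-options'] || '').toLowerCase() !== 'nosniff') findings.push('X-Content-Type-Options is not nosniff');
  if (h['referrer-policy'] !== 'strict-origin-when-cross-origin') findings.push('Referrer-Policy is not strict-origin-when-cross-origin');

  const pp = h['permissions-policy'];
  if (!pp) findings.push('Permissions-Policy missing');
  else {
    const p = parsePermissionsPolicy(pp);
    for (const feature of ['camera', 'geolocation', 'payment']) {
      if (!p[feature] || p[feature].length !== 0) findings.push(`Permissions-Policy does not disable ${feature}`);
    }
  }
  return findings;
}

// Constructed header sets: one matching the policy, one with weak settings.
const GOOD_HEADERS = {
  'Content-Security-Policy': "default-src 'self'; script-src 'self' https://js.stripe.com; connect-src 'self' https://api.openai.com; frame-ancestors 'none'",
  'Strict-Transport-Security': 'max-age=63072000; includeSubDomains; preload',
  'X-Frame-Options': 'DENY',
  'Permissions-Policy': 'camera=(), geolocation=(), payment=(), microphone=(self)',
  'Referrer-Policy': 'strict-origin-when-cross-origin',
  'X-Content-Type-Options': 'nosniff',
};
const WEAK_HEADERS = {
  'Content-Security-Policy': "default-src 'self'; script-src 'self' 'unsafe-inline'",
  'Strict-Transport-Security': 'max-age=300',
  'X-Frame-Options': 'SAMEORIGIN',
  'Permissions-Policy': 'camera=(self), geolocation=(), payment=()',
  'Referrer-Policy': 'no-referrer-when-downgrade',
};
```

`auditHeaders(GOOD_HEADERS)` returns no findings; `auditHeaders(WEAK_HEADERS)` returns eight, one per weakened or missing control. Running this against the live origin after every deploy turns the header list on this page into a regression test: a redeploy that drops `preload` or reintroduces `'unsafe-inline'` fails the check before a browser ever sees it.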

Infrastructure

Enterprise-grade building blocks, never rolled ourselves.

Supabase PostgreSQL

Managed PostgreSQL with point-in-time recovery, encrypted storage, and Row-Level Security enforced at the database layer — not the app layer.

Edge-First Routing

Requests hit an edge proxy that runs the WAF, injects security headers, and enforces device limits before the app code runs.

Service Keys Stay Server-Side

The Supabase service role key, Stripe secret, and AI provider keys never reach the browser. All privileged operations happen server-side behind authentication.

Compliance Readiness

We are a small, fast-moving team. Here is where we stand and where we are heading.

GDPR-Ready

Export your data any time. Delete your account and we delete your rows. Data Processing Agreements available on request.

Privacy by Design

We collect the minimum data needed to run the product, default to the most private settings, and never sell or share your content with third parties.

Transparent Sub-processors

Every third-party service that touches your data is listed on our public sub-processors page. Changes are published before they take effect.

Working Toward SOC 2

We are aligning our controls and evidence collection with SOC 2 Type II. We will publish the audit report here when it is complete.

Common Security Questions

No. We route AI requests to Anthropic, OpenAI, Google, and OpenRouter through their zero-retention / no-training endpoints where offered, and we do not log prompt or completion content on our side beyond your active session.

Account lockout will stop credential-stuffing attempts after a few failed logins. If you have 2FA enabled, the attacker cannot get in even with the correct password — that is why we strongly recommend enabling 2FA from Settings → Security.

Yes. If you choose to bring your own Anthropic, OpenAI, Google, or OpenRouter key, it is AES-256 encrypted at rest using a key that is never committed to the codebase. The raw key is never returned to the browser — only a masked preview.

No. Row-Level Security enforces user isolation at the database level. Admin impersonation is a separate, audited flow that requires explicit user consent and is logged to the audit trail — so you can see if it ever happens on your account.

Send a report to our contact form. We take all security reports seriously, acknowledge within 48 hours, and do not threaten or pursue researchers who follow responsible disclosure.

Found a Vulnerability?

We appreciate responsible disclosure and respond to every report. Send us the details and we will get back to you within 48 hours.

Report a Vulnerability

All reports are triaged within 48 hours.

Create with Confidence

Serious security baked into every layer — so you can focus on making great content.
