ForumRank security
Access is scoped. Changes are reviewable.
ForumRank is designed to keep customer workspaces isolated, provider credentials protected, and website changes under explicit human control.
Account and workspace isolation
Authentication is handled through Supabase Auth. Database tables use row-level security, and server-side repository methods bind reads and writes to the authenticated user and project. Paid state is written by trusted server paths and Stripe webhooks, not by browser clients.
- State-changing browser requests require same-origin checks and rate limits.
- Reports and exports are ownership-checked before data is returned.
- Public reports use unguessable share tokens rather than public project identifiers.
Provider and website safety
Provider secrets stay server-side. Search Console and HubSpot refresh tokens are encrypted before storage. Website fetches and external URLs pass SSRF and protocol checks. ForumRank creates reviewable draft pull requests, but does not merge or deploy them.
- Only the read-only Search Console scope is requested for measurement.
- HubSpot access is limited to contacts read/write and deals read for evidence, lead notes, and outcome measurement.
- GitHub installations are repository-scoped; buyer tools require Contents and Pull requests write access but never request workflow access.
- Webhook signatures, queue signatures, origin checks, and plan and quota checks are enforced at trust boundaries.
- Snapshots use bounded excerpts and retention metadata instead of retaining raw page content indefinitely.
Data lifecycle and subprocessors
The legal page describes the categories of data processed and current infrastructure providers. Account export and deletion paths are available from settings. Customer-identifiable outcome records are kept separate from any future aggregate benchmark.
- Supabase provides the database and authentication layer.
- Stripe provides payment processing and billing portal services.
- Vercel, OpenAI, Resend, and Sentry may process data required for hosting, scan generation, email, and reliability monitoring.
Disclosure
Report suspected security issues privately to the support email listed on the legal page. Include the affected route, reproduction steps, impact, and a safe contact address. Do not access another customer's data or publish a proof of concept before ForumRank has had a reasonable opportunity to investigate.