The controls in place
Encryption in transit
All traffic to RankForge is served over HTTPS/TLS. The app runs behind a reverse proxy with TLS terminated at the edge, so pages, API calls, and report downloads travel encrypted.
Passwords are hashed, never stored
Account passwords are stored only as a strong cryptographic hash — we never keep the plaintext. Password complexity (length plus character-class rules) is enforced at signup.
Signed session tokens
Authentication uses signed JWTs with a configurable expiry, delivered in an HTTP-only cookie so browser scripts can't read them. The signing secret is validated to be long enough for HMAC-SHA256 before the app will even start.
Access is scoped per account
Every database query is scoped to the owning account, so one user can never read another's audits. Admin actions require an elevated role and are recorded to an audit log; suspended accounts are rejected before any handler runs.
Safe crawling
The crawler refuses to fetch localhost, private, and reserved IP ranges, so it can't be pointed at internal infrastructure. Report and file downloads are path-traversal protected. See the crawler policy for the full behaviour.
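One way to implement the private-range refusal described above, as an added example in Python (not RankForge's own crawler code): the host is resolved, the fetch is refused if any resolved address is loopback, private, link-local, multicast, reserved or otherwise non-global (IPv4-mapped IPv6 forms are unwrapped first), and the vetted addresses are returned so the fetcher connects to exactly those instead of resolving the name again. The `resolver` callable is a hypothetical injection point (in production, a wrapper over `socket.getaddrinfo` that returns every A and AAAA record), and the fake DNS table and its addresses are constructed for the demonstration.

```python
import ipaddress
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}

class CrawlBlocked(ValueError):
    """Raised when the crawler must not fetch a URL."""

def is_public_address(ip):
    """True only for addresses routable on the public Internet."""
    addr = ipaddress.ip_address(ip)
    # Unwrap ::ffff:a.b.c.d so IPv4 range checks cannot be bypassed via IPv6 syntax.
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return addr.is_global and not (
        addr.is_loopback or addr.is_private or addr.is_link_local
        or addr.is_multicast or addr.is_reserved or addr.is_unspecified)

def vet_crawl_target(url, resolver):
    """Return the vetted IP list for url, or raise CrawlBlocked. Every resolved
    address must be public, and the fetcher should connect to the returned
    addresses rather than resolve again, so a later DNS change cannot redirect it."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        raise CrawlBlocked(f"scheme not allowed: {parts.scheme!r}")
    host = parts.hostname
    if not host:
        raise CrawlBlocked("URL has no host")
    try:
        addrs = [str(ipaddress.ip_address(host))]  # literal IP: nothing to resolve
    except ValueError:
        # Names (even odd spellings such as decimal IPs) are judged after resolution.
        addrs = resolver(host)  # hypothetical injection point: every A/AAAA record
    if not addrs:
        raise CrawlBlocked(f"could not resolve {host!r}")
    rejected = [a for a in addrs if not is_public_address(a)]
    if rejected:
        raise CrawlBlocked(f"{host!r} resolves to non-public address(es): {rejected}")
    return addrs

# Constructed fake DNS table so the example runs offline (not real records).
FAKE_DNS = {
    "public.example": ["93.184.216.34"],
    "localhost": ["127.0.0.1", "::1"],
    "split.example": ["93.184.216.34", "10.0.0.5"],  # one public, one private record
}

def is_blocked(url, resolver=lambda host: FAKE_DNS.get(host, [])):
    try:
        vet_crawl_target(url, resolver)
    except CrawlBlocked:
        return True
    return False
```

A name with one public and one private record is refused outright rather than partially allowed, since the fetcher cannot control which record a later lookup would use.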
Abuse protection
A cross-origin (CSRF) guard rejects state-changing requests from foreign origins, and atomic rate limits — per IP, per user, and per domain — throttle brute-force and audit-abuse attempts.
No third-party tracking
We use only essential cookies for authentication and session state. No advertising pixels, no behavioural-analytics trackers, and we don't sell or trade your data.
Data minimisation & retention
Anonymous audits are deleted automatically after 24 hours. Registered audits stay until you delete them, and server logs are kept for at most 90 days.
Crawling other people's sites, responsibly
Because RankForge crawls websites, being a well-behaved bot is part of our security posture. Our crawler identifies itself, respects robots.txt, rate-limits itself, reads only public pages, and never logs in or submits forms. The full policy — including how a site owner can opt out — is documented separately.
Reporting a vulnerability
If you believe you've found a security vulnerability in RankForge, we want to hear about it before anyone else does. We welcome good-faith security research.
- Email us privately. Send details to [email protected]. Include steps to reproduce and, if you can, a proof of concept. A machine-readable copy of this lives at /.well-known/security.txt.
- Give us time to fix it. Please don't publicly disclose the issue until we've had a reasonable chance to investigate and ship a fix. We'll acknowledge your report and keep you updated.
- Stay in scope. Test only against your own account and your own sites. Don't access other users' data, degrade the service for others, or run automated scans that amount to a denial-of-service attempt.
- Good-faith safe harbour. We won't pursue action against researchers who follow these guidelines and act in good faith.
No system is perfectly secure, and we won't pretend otherwise. We apply the controls above and keep improving them, but no method of transmission or storage is 100% secure. If security requirements go beyond what's described here, reach out and we'll talk specifics.