Security & Trust

How we protect your account and your data

RankForge handles two sensitive things: your account, and the crawl data from the sites you audit. This page describes the controls actually in place today — no vague badges, no claims we can't back — and how to report a security issue if you find one.

The controls in place

Encryption in transit

All traffic to RankForge is served over HTTPS/TLS. The app runs behind a reverse proxy with TLS terminated at the edge, so pages, API calls, and report downloads travel encrypted.

Passwords are hashed, never stored

Account passwords are stored only as a strong cryptographic hash — we never keep the plaintext. Password complexity (length plus character-class rules) is enforced at signup.

Signed session tokens

Authentication uses signed JWTs with a configurable expiry, delivered in an HTTP-only cookie so browser scripts can't read them. The signing secret is validated to be long enough for HMAC-SHA256 before the app will even start.

Access is scoped per account

Every database query is scoped to the owning account, so one user can never read another's audits. Admin actions require an elevated role and are recorded to an audit log; suspended accounts are rejected before any handler runs.

Safe crawling

The crawler refuses to fetch localhost, private, and reserved IP ranges, so it can't be pointed at internal infrastructure. Report and file downloads are protected against path traversal. See the crawler policy for the full behaviour.
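As an added illustration (example code, not RankForge's own implementation), here is a destination check of the kind the paragraph describes: it resolves every address a URL's host maps to and refuses loopback, private, link-local, reserved and other non-global ranges for both IPv4 and IPv6, including IPv4-mapped IPv6 literals. The `resolver` hook and the hostnames in the demo are constructed for this example so it runs offline.

```python
import ipaddress
import socket
from typing import Callable, Iterable
from urllib.parse import urlsplit

Resolver = Callable[[str], Iterable[str]]


def is_disallowed_address(ip_text: str) -> bool:
    """True for loopback, private, link-local, reserved, multicast,
    unspecified or otherwise non-global addresses (IPv4 and IPv6)."""
    ip = ipaddress.ip_address(ip_text)
    # Unwrap IPv4-mapped IPv6 (::ffff:a.b.c.d) so it is judged as the v4 address.
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return (ip.is_loopback or ip.is_private or ip.is_link_local
            or ip.is_reserved or ip.is_multicast or ip.is_unspecified
            or not ip.is_global)


def system_resolver(host: str) -> set[str]:
    """Every A/AAAA answer for the name, not just the first one."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}


def check_crawl_target(url: str, resolver: Resolver = system_resolver) -> tuple[bool, str]:
    """Decide whether the crawler may fetch `url`. Returns (allowed, reason)."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False, f"scheme not allowed: {parts.scheme!r}"
    host = parts.hostname  # lower-cased; brackets stripped from IPv6 literals
    if not host:
        return False, "missing host"
    if host == "localhost" or host.endswith(".localhost"):
        return False, "localhost name"
    try:  # literal IP in the URL: judge it directly, no DNS involved
        addresses = {str(ipaddress.ip_address(host))}
    except ValueError:
        try:
            addresses = set(resolver(host))
        except (socket.gaierror, KeyError):
            return False, "unresolvable host"
    for addr in sorted(addresses):
        if is_disallowed_address(addr):
            return False, f"blocked address {addr}"
    # The fetch should connect to exactly these vetted addresses and re-run
    # this check on every redirect, so a later DNS answer can't swap in a blocked one.
    return True, "ok"


if __name__ == "__main__":
    fake_dns = {"public.example": ["93.184.216.34"], "intranet.example": ["10.0.0.5"]}  # constructed
    for u in ("https://public.example/", "https://intranet.example/", "http://[::1]/"):
        print(u, check_crawl_target(u, fake_dns.__getitem__))
```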

Abuse protection

A cross-origin (CSRF) guard rejects state-changing requests from foreign origins, and atomic rate limits — per IP, per user, and per domain — throttle brute-force and audit-abuse attempts.

No third-party tracking

We use only essential cookies for authentication and session state. No advertising pixels, no behavioural-analytics trackers, and we don't sell or trade your data.

Data minimisation & retention

Anonymous audits are deleted automatically after 24 hours. Registered audits stay until you delete them, and server logs are kept for at most 90 days.

Crawling other people's sites, responsibly

Because RankForge crawls websites, being a well-behaved bot is part of our security posture. Our crawler identifies itself, respects robots.txt, rate-limits itself, reads only public pages, and never logs in or submits forms. The full policy — including how a site owner can opt out — is documented separately.

Read the RankForgeBot crawler policy

Reporting a vulnerability

If you believe you've found a security vulnerability in RankForge, we want to hear about it before anyone else does. We welcome good-faith security research.

  • Email us privately. Send details to [email protected]. Include steps to reproduce and, if you can, a proof of concept. A machine-readable copy of this lives at /.well-known/security.txt.
  • Give us time to fix it. Please don't publicly disclose the issue until we've had a reasonable chance to investigate and ship a fix. We'll acknowledge your report and keep you updated.
  • Stay in scope. Test only against your own account and your own sites. Don't access other users' data, degrade the service for others, or run automated scans that amount to a denial-of-service attempt.
  • Good-faith safe harbour. We won't pursue action against researchers who follow these guidelines and act in good faith.

No system is perfectly secure, and we won't pretend otherwise. We apply the controls above and keep improving them, but no method of transmission or storage is 100% secure. If security requirements go beyond what's described here, reach out and we'll talk specifics.