Are you sure?

This action cannot be undone.

Security Policy

Last updated: April 11, 2026

Overview

This document outlines the information security practices for this self-hosted instance of the Zubayr's Finance personal finance application. The security of financial data is a top priority.

Infrastructure Security

  • Application hosted on Railway with isolated container-based deployments
  • Network traffic proxied through Cloudflare with DDoS protection and WAF
  • All external connections encrypted with TLS 1.2 or higher
  • SSL certificates managed and auto-renewed via Let's Encrypt
  • Database and Redis instances are private and not publicly accessible

Data Encryption

  • In transit: All data transmitted over HTTPS using TLS 1.2+
  • At rest: Sensitive credentials (Plaid access tokens, API keys) are encrypted using Rails ActiveRecord Encryption with deterministic encryption for secure querying
  • Database: PostgreSQL instance uses encrypted storage volumes

Access Control

  • Session-based authentication with secure, HTTP-only cookies
  • Family-scoped data access ensures users can only access their own financial data
  • Administrative access to infrastructure requires multi-factor authentication
  • Secrets and credentials stored as environment variables, never in source code

Third-Party Integrations

  • Plaid: Bank credentials are never stored locally. Authentication is handled through Plaid's secure Link flow with tokenized access
  • Webhooks: Plaid webhook payloads are verified using JWT signature validation before processing
  • API keys and access tokens are rotatable and can be revoked at any time

Application Security

  • CSRF protection enabled on all form submissions
  • Strong parameter filtering on all controller inputs
  • Security headers enforced (X-Frame-Options, X-Content-Type-Options, Referrer-Policy)
  • Static security analysis performed using Brakeman
  • Dependencies monitored for known vulnerabilities

Incident Response

In the event of a suspected security breach:

  • All Plaid access tokens will be immediately revoked
  • Affected sessions will be invalidated
  • API keys will be rotated
  • A full review of access logs will be conducted

Data Retention & Disposal

Financial data is retained only as long as the associated account connection is active. Upon disconnection or account deletion, all associated data is permanently removed from the database. Plaid access tokens are revoked upon disconnection.

Contact

For security concerns or to report a vulnerability, contact the application administrator.