Security Policy
Last updated: May 2026 · XRPLAnalytics by StackStats Apps LLC
1. Infrastructure
XRPLAnalytics is built on a security-first infrastructure stack:
- Hosted on Cloudflare Pages and Workers — globally distributed, zero-trust edge computing.
- Cloudflare Web Application Firewall (WAF) — blocks known attack patterns, SQL injection, XSS, and malicious bots.
- DDoS protection — Cloudflare's network-layer and application-layer DDoS mitigation is always active.
- Global CDN edge network — content served from the nearest edge node; no origin servers directly exposed to the public internet.
2. Data Encryption
- HTTPS/TLS 1.3 is enforced on all endpoints. Plain HTTP connections are automatically redirected.
- Passwords are hashed using PBKDF2 with SHA-256 and 100,000 iterations before storage. Plaintext passwords are never written to disk or logs.
- Session tokens are JWT (HMAC-SHA256) with a 30-day expiry. Tokens are invalidated on logout and password change.
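The password-storage scheme described above (PBKDF2-HMAC-SHA256, 100,000 iterations, no plaintext at rest) can be implemented with the Python standard library alone. The following is an added illustration, not XRPLAnalytics' own code; the record format `pbkdf2_sha256$iterations$salt$hash`, the 16-byte salt, the 32-byte derived key and the `needs_rehash` upgrade check are assumptions of this example, since the policy states only the algorithm and iteration count.

```python
import hashlib
import hmac
import os
from typing import Optional

# Parameters stated in the policy: PBKDF2 with SHA-256 and 100,000 iterations.
PBKDF2_HASH = "sha256"
PBKDF2_ITERATIONS = 100_000
# Assumed by this example (not stated in the policy): per-user salt and output sizes.
SALT_BYTES = 16
DERIVED_KEY_BYTES = 32


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Derive a storable record of the form pbkdf2_sha256$iterations$salt_hex$hash_hex.

    A fresh random salt is drawn per password, so two users with the same
    password get different records and precomputed tables are useless.
    Only this record is written to the database; the plaintext is discarded.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    dk = hashlib.pbkdf2_hmac(
        PBKDF2_HASH, password.encode("utf-8"), salt, PBKDF2_ITERATIONS, dklen=DERIVED_KEY_BYTES
    )
    return f"pbkdf2_{PBKDF2_HASH}${PBKDF2_ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the derivation with the parameters stored in the record and
    compare in constant time. Malformed records simply fail verification."""
    try:
        algo, iterations_str, salt_hex, hash_hex = record.split("$")
        if not algo.startswith("pbkdf2_"):
            return False
        hash_name = algo[len("pbkdf2_"):]
        iterations = int(iterations_str)
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(hash_hex)
        candidate = hashlib.pbkdf2_hmac(
            hash_name, password.encode("utf-8"), salt, iterations, dklen=len(expected)
        )
    except ValueError:
        # Wrong field count, bad hex, non-integer or non-positive iteration
        # count, or an unknown hash name all land here.
        return False
    # hmac.compare_digest avoids leaking how many leading bytes matched.
    return hmac.compare_digest(candidate, expected)


def needs_rehash(record: str) -> bool:
    """True when a stored record is weaker than the current policy (older hash,
    fewer iterations or a shorter salt). A caller can re-hash transparently on
    the next successful login, which is how an iteration-count increase is
    rolled out without forcing password resets."""
    try:
        algo, iterations_str, salt_hex, _ = record.split("$")
        iterations = int(iterations_str)
        salt_len = len(bytes.fromhex(salt_hex))
    except ValueError:
        return True
    return (
        algo != f"pbkdf2_{PBKDF2_HASH}"
        or iterations < PBKDF2_ITERATIONS
        or salt_len < SALT_BYTES
    )


if __name__ == "__main__":
    # Constructed sample: register, then verify a correct and a wrong guess.
    stored = hash_password("correct horse battery staple")
    print(stored)
    print("login ok:", verify_password("correct horse battery staple", stored))
    print("wrong pw:", verify_password("Tr0ub4dor&3", stored))
    print("needs rehash:", needs_rehash(stored))
```

In practice the record would be the only password-related value persisted, and the login handler would call `verify_password` first and `needs_rehash` second, re-saving the record when the policy parameters have since been raised.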
3. API Security
- Per-user rate limiting is enforced at the edge to prevent abuse and ensure fair access.
- All authenticated API requests require a Bearer token in the Authorization header.
- No credentials, API keys, or secrets are ever stored in plaintext. All secrets are stored encrypted at rest in environment variables, not in source code.
4. No Sensitive Storage
The platform is designed from the ground up to hold no sensitive financial data:
- We never store private keys, seed phrases, mnemonic phrases, or wallet credentials of any kind.
- All on-chain data we display is sourced from the public XRP Ledger — it is inherently public information.
- Account data is strictly limited to your email address and a hashed (never plaintext) password.
5. Responsible Disclosure
We take security vulnerabilities seriously and appreciate responsible disclosure from the community.
Found a vulnerability? Please email [email protected] with a detailed description, steps to reproduce, and potential impact. We respond to all security reports within 48 hours and aim to remediate critical issues within 7 days.
Please do not publicly disclose vulnerabilities before we have had a chance to address them. We do not currently offer a bug bounty program, but we will acknowledge responsible reporters in our changelog.
6. Incident Response
In the event of a security breach that affects user data, we commit to:
- Notifying all affected users via email within 72 hours of confirmed breach discovery.
- Publishing a transparent incident report describing what happened, what data was affected, and what steps were taken.
- Cooperating with applicable regulatory authorities as required by law.
7. Contact
Security issues: [email protected]
General support: [email protected]