Security
1. HTTPS everywhere
Every request to frontiervisionsmarketing.com is served over HTTPS. HSTS is enabled with a 2-year max-age, so browsers refuse to connect over plain HTTP after the first visit. Certificates are managed automatically by Fly.io.
2. Payments are handled by Stripe
We never see your card number. All payment data is collected by Stripe's hosted checkout, which is PCI DSS Level 1 certified. The only thing we receive from Stripe is a confirmation that the payment succeeded and a customer ID we can use to issue refunds.
3. Hosting and isolation
The app runs on Fly.io in isolated VMs (Fly Machines). Each request is processed in a hardened Linux container; there is no shared filesystem with other tenants. Secrets (API keys, database credentials) are injected as encrypted environment variables, never committed to source control.
4. Backups
The SQLite database is backed up weekly to encrypted off-site storage. Backups are encrypted at rest with AES-256. Retention is 90 days.
5. Rate limiting
All public API endpoints are rate-limited by IP address. Excess requests get a 429 response with a Retry-After header. The limits are calibrated to allow normal human use and block automated scraping.
6. Anti-spam protections
Forms (subscribe, demo request, onboarding) include hidden honeypot fields and timing checks. Bot submissions are dropped silently. Magic-link emails for SaaS login expire after 15 minutes and can only be used once.
7. No third-party tracking
We don't load Google Analytics, Facebook Pixel, Hotjar, or any other third-party tracker. The only analytics is a first-party pageview counter we built ourselves — see the Privacy Policy for details on what's collected.
8. Browser security headers
Every response includes:
- Strict-Transport-Security — forces HTTPS for 2 years.
- X-Content-Type-Options: nosniff — prevents MIME-sniffing attacks.
- X-Frame-Options: SAMEORIGIN — blocks clickjacking via iframes from other sites.
- Referrer-Policy: strict-origin-when-cross-origin — limits referrer leakage on outbound clicks.
- Permissions-Policy — disables camera, microphone, and geolocation access by default.
- Content-Security-Policy — restricts script and style sources to a small allowlist.
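To make the list above checkable, here is an added example (not the site's own code) that audits one response's headers against section 8 and returns every deviation it finds. The concrete values it expects are assumptions: a `max-age` of at least 63072000 seconds for the 2-year HSTS promise, the `camera=()` form for disabled Permissions-Policy features, and a CSP that spells out `script-src` and `style-src` without wildcards or inline sources; the sample headers are constructed, not captured from the real site.

```python
import re

TWO_YEARS = 2 * 365 * 24 * 60 * 60  # 63072000 s, the HSTS max-age the policy promises
# Headers section 8 lists with a fixed value (compared case-insensitively).
EXPECTED_EXACT = {"x-content-type-options": "nosniff", "x-frame-options": "sameorigin",
                  "referrer-policy": "strict-origin-when-cross-origin"}
DISABLED_FEATURES = ("camera", "microphone", "geolocation")  # "camera=()" denies every origin

def _csp_sources(csp, directive):
    """Source list of one CSP directive, or None when the directive is absent."""
    for part in csp.split(";"):
        tokens = part.split()
        if tokens and tokens[0].lower() == directive:
            return [t.lower() for t in tokens[1:]]
    return None

def audit_headers(headers):
    """Return findings for one response's headers; an empty list means it matches section 8."""
    h = {k.lower(): v.strip() for k, v in headers.items()}  # header names are case-insensitive
    findings = []
    m = re.search(r"max-age=(\d+)", h.get("strict-transport-security", ""), re.I)
    if not m:
        findings.append("HSTS missing or has no max-age")
    elif int(m.group(1)) < TWO_YEARS:
        findings.append(f"HSTS max-age {m.group(1)} is shorter than 2 years")
    for name, want in EXPECTED_EXACT.items():
        got = h.get(name, "")
        if got.lower() != want:
            findings.append(f"{name}: expected '{want}', got '{got or '<missing>'}'")
    pp = h.get("permissions-policy", "")
    for feature in DISABLED_FEATURES:
        if not re.search(rf"\b{feature}=\(\)", pp):
            findings.append(f"permissions-policy does not disable {feature}")
    csp = h.get("content-security-policy", "")
    for directive in ("script-src", "style-src"):
        sources = _csp_sources(csp, directive)
        if sources is None:
            findings.append(f"CSP has no {directive} directive")
        elif "*" in sources or "'unsafe-inline'" in sources:
            findings.append(f"CSP {directive} allows wildcard or inline sources")
    return findings

# Constructed sample response headers (assumed values, not captured from the real site).
SAMPLE = {
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "SAMEORIGIN",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Permissions-Policy": "camera=(), microphone=(), geolocation=()",
    "Content-Security-Policy": "default-src 'self'; script-src 'self'; style-src 'self'",
}
```

Running `audit_headers(SAMPLE)` returns an empty list; feeding it the headers of a real response (for example from `requests.get(url).headers`) lists every header that drifts from the policy.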
9. Reporting a vulnerability
If you find a security issue, please email security@frontiervisionsmarketing.com with the details. We respond within 24 hours, acknowledge confirmed issues within 72 hours, and credit reporters in the changelog with permission.
Please don't publicly disclose unpatched issues — give us a reasonable window (typically 30 days) to ship a fix.