Security at GreenMetric
Protecting your data is fundamental to everything we build. Here is how we keep your information safe.
Security Practices
We follow industry-standard practices across every layer of the platform.
Encryption in Transit
All data is encrypted using TLS 1.2+ (HTTPS). We enforce HSTS with preload to ensure browsers always connect securely.
Secure Authentication
Passwords are hashed with bcrypt. Auth tokens are stored in HttpOnly cookies, inaccessible to JavaScript. API keys are SHA-256 hashed and never stored in plaintext.
CSRF & XSS Protection
Every state-changing request is protected by CSRF tokens. A strict Content Security Policy, X-Frame-Options, and X-Content-Type-Options headers defend against cross-site attacks.
Privacy by Design
We only use essential cookies required for authentication. No tracking cookies, no ad pixels, no third-party analytics cookies. Session replays are disabled.
Infrastructure Security
Our API includes SSRF protection that validates URLs against private IP ranges and cloud metadata endpoints. Rate limiting prevents brute-force and abuse.
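As an added example (not GreenMetric's code), the following Python validator shows what "validating URLs against private IP ranges and cloud metadata endpoints" looks like in practice. It rejects non-HTTP schemes, metadata-service hostnames, IP literals in private, loopback, link-local or reserved ranges (including IPv4-mapped IPv6 forms), and names that resolve to such addresses. The resolver is injected so the check runs offline here; `demo_resolver`, its host table and the `METADATA_HOSTNAMES` list are constructed for this example.

```python
import ipaddress
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}
# Hostnames used by cloud instance-metadata services. Constructed list for this
# example; extend it for the providers the platform actually runs on.
METADATA_HOSTNAMES = {"metadata.google.internal", "metadata", "instance-data"}


def _as_ip(text):
    """Return an ip_address object for an IP literal, or None if `text` is a name."""
    try:
        return ipaddress.ip_address(text)
    except ValueError:
        return None


def is_disallowed_ip(ip):
    """True when an address must never be fetched on a user's behalf: private
    ranges, loopback, link-local (which covers 169.254.169.254), multicast,
    reserved and unspecified addresses."""
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped  # ::ffff:10.0.0.1 must be judged as 10.0.0.1
    return (not ip.is_global) or ip.is_multicast or ip.is_reserved


def validate_outbound_url(url, resolve):
    """Return (ok, reason) for a user-supplied URL.

    `resolve(host)` returns the list of IP strings a name maps to and raises
    OSError on failure. It is injected so the check runs offline in tests and
    so the caller can connect to exactly the addresses that were checked,
    rather than performing a second lookup that could answer differently."""
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        return False, "scheme not allowed"
    host = parts.hostname  # lower-cased, brackets stripped from IPv6 literals
    if not host:
        return False, "missing host"
    host = host.rstrip(".")
    if host in METADATA_HOSTNAMES:
        return False, "metadata service hostname"
    literal = _as_ip(host)
    if literal is not None:
        addrs = [literal]
    else:
        try:
            addrs = [ipaddress.ip_address(a) for a in resolve(host)]
        except (OSError, ValueError):
            return False, "unresolvable host"
        if not addrs:
            return False, "unresolvable host"
    for addr in addrs:
        if is_disallowed_ip(addr):
            return False, f"{host} resolves to disallowed address {addr}"
    return True, "ok"


def demo_resolver(host):
    """Constructed stand-in for DNS so the example runs offline."""
    table = {"partner.example": ["93.184.216.34"], "intranet.corp": ["10.0.0.5"]}
    if host not in table:
        raise OSError("NXDOMAIN")
    return table[host]


if __name__ == "__main__":
    for url in ["https://partner.example/hook", "http://169.254.169.254/",
                "http://[::ffff:10.0.0.1]/", "http://intranet.corp/", "ftp://partner.example/"]:
        print(url, validate_outbound_url(url, demo_resolver))
```

The important design point is that the addresses returned by `resolve` are the ones the HTTP client should actually connect to; re-resolving at connection time would reopen the gap this check closes.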
Token Lifecycle
Access tokens expire in 15 minutes. Refresh tokens are rotated on every use and revoked on logout or password reset. Verification tokens are single-use with short TTLs.
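The lifecycle described above, as an added Python model that is not GreenMetric's implementation: a short-lived access token, a refresh token that is valid for exactly one rotation, and session revocation on logout or password reset. The 15-minute access lifetime comes from the page; `REFRESH_TTL`, the in-memory store layout, and the rule that presenting an already-rotated refresh token revokes the whole session are assumptions for this example.

```python
import hashlib
import secrets
import time

ACCESS_TTL = 15 * 60              # 15 minutes, the lifetime stated above
REFRESH_TTL = 30 * 24 * 60 * 60   # assumed; the page does not state the refresh-token lifetime


def _digest(token):
    """Refresh tokens are stored hashed, so a copy of the table yields no usable token."""
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


class SessionStore:
    """In-memory model of the token lifecycle (assumed structure). A session is
    created at login; each refresh token belongs to one session and is good
    for exactly one rotation."""

    def __init__(self, now=time.time):
        self._now = now          # injectable clock so expiry can be tested
        self._sessions = {}      # session id -> {"user": ..., "revoked": bool}
        self._refresh = {}       # sha256(refresh token) -> {"session", "exp", "used"}

    def login(self, user):
        sid = secrets.token_hex(8)
        self._sessions[sid] = {"user": user, "revoked": False}
        return self._issue(sid)

    def _issue(self, sid):
        """Mint a short-lived access token and a fresh refresh token for `sid`."""
        refresh = secrets.token_urlsafe(32)
        self._refresh[_digest(refresh)] = {
            "session": sid, "exp": self._now() + REFRESH_TTL, "used": False}
        access = {"sub": self._sessions[sid]["user"], "sid": sid,
                  "exp": self._now() + ACCESS_TTL}
        return access, refresh

    def rotate(self, refresh):
        """Exchange a refresh token for a new pair; None means the client must log in again."""
        rec = self._refresh.get(_digest(refresh))
        if rec is None:
            return None
        session = self._sessions[rec["session"]]
        if session["revoked"] or rec["exp"] <= self._now():
            return None
        if rec["used"]:
            # An already-rotated token is being presented again, so either the
            # client or someone else holds a stale copy. Revoking the whole
            # session is the usual reuse-detection response (assumed here).
            session["revoked"] = True
            return None
        rec["used"] = True
        return self._issue(rec["session"])

    def logout(self, sid):
        self._sessions[sid]["revoked"] = True

    def password_reset(self, user):
        """Revoke every session of the user, invalidating all their refresh tokens."""
        for session in self._sessions.values():
            if session["user"] == user:
                session["revoked"] = True

    def access_token_valid(self, access):
        """Access tokens are checked by expiry only; a stateless token lives out
        its 15 minutes, which is why that window is kept short."""
        return access["exp"] > self._now()


if __name__ == "__main__":
    store = SessionStore()
    access, refresh = store.login("alice")
    print("rotated:", store.rotate(refresh) is not None)
    print("replay of old token accepted:", store.rotate(refresh) is not None)
```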
HTTP Security Headers
Every response from GreenMetric includes these security headers to protect against common web vulnerabilities.
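As an added example, not GreenMetric's code, here is a framework-independent Python WSGI middleware that adds the headers listed in this section to every response, together with an audit function that flags a response whose headers fall short of the stated policy (missing headers, an HSTS max-age under one year, no preload). The CSP value is an assumed starting policy; the real one depends on which origins a deployment loads from.

```python
ONE_YEAR = 31_536_000  # seconds; the 1-year HSTS max-age stated above

# Header set matching this section. The CSP is an assumed restrictive policy.
SECURITY_HEADERS = {
    "Content-Security-Policy": ("default-src 'self'; script-src 'self'; object-src 'none'; "
                                "base-uri 'self'; frame-ancestors 'none'"),
    "Strict-Transport-Security": f"max-age={ONE_YEAR}; includeSubDomains; preload",
    "X-Frame-Options": "DENY",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Permissions-Policy": "camera=(), microphone=(), geolocation=()",
}


def security_headers_middleware(app):
    """WSGI wrapper that adds any security header the application did not set itself."""
    def wrapped(environ, start_response):
        def start(status, headers, exc_info=None):
            present = {name.lower() for name, _ in headers}
            for name, value in SECURITY_HEADERS.items():
                if name.lower() not in present:
                    headers.append((name, value))
            return start_response(status, headers, exc_info)
        return app(environ, start)
    return wrapped


def _hsts_directives(value):
    """Parse 'max-age=N; includeSubDomains; preload' into a lower-cased dict."""
    out = {}
    for part in value.split(";"):
        name, _, arg = part.strip().partition("=")
        if name:
            out[name.lower()] = arg.strip()
    return out


def audit_headers(headers):
    """Return a list of findings for a response's header mapping; [] means it
    satisfies the policy in this section."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []
    for name in SECURITY_HEADERS:
        if name.lower() not in h:
            findings.append(f"missing {name}")
    if "strict-transport-security" in h:
        d = _hsts_directives(h["strict-transport-security"])
        try:
            max_age = int(d.get("max-age", "0"))
        except ValueError:
            max_age = 0
        if max_age < ONE_YEAR:
            findings.append("HSTS max-age shorter than one year")
        if "preload" not in d:
            findings.append("HSTS missing preload")
    if h.get("x-frame-options", "DENY").upper() not in ("DENY", "SAMEORIGIN"):
        findings.append("X-Frame-Options must be DENY or SAMEORIGIN")
    if h.get("x-content-type-options", "nosniff").lower() != "nosniff":
        findings.append("X-Content-Type-Options must be nosniff")
    return findings


def demo_response_headers():
    """Run a constructed toy WSGI app through the middleware and return its headers."""
    def app(environ, start_response):
        start_response("200 OK", [("Content-Type", "text/plain")])
        return [b"ok"]

    captured = {}

    def start_response(status, headers, exc_info=None):
        captured.update(headers)

    b"".join(security_headers_middleware(app)({}, start_response))
    return captured


if __name__ == "__main__":
    emitted = demo_response_headers()
    for name, value in emitted.items():
        print(f"{name}: {value}")
    print("findings:", audit_headers(emitted))
```

Note that `frame-ancestors 'none'` in the CSP and `X-Frame-Options: DENY` express the same clickjacking defence; sending both keeps older browsers that ignore `frame-ancestors` covered.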
| Header | Purpose |
|---|---|
| Content-Security-Policy | Restricts script and resource loading to trusted origins |
| Strict-Transport-Security | Forces HTTPS with 1-year max-age and preload |
| X-Frame-Options: DENY | Prevents clickjacking by blocking all iframes |
| X-Content-Type-Options: nosniff | Prevents MIME-type sniffing attacks |
| Referrer-Policy | Controls referrer header to prevent information leakage |
| Permissions-Policy | Blocks access to camera, microphone, and geolocation |
API Key Security
API keys provide secure, scoped access to the GreenMetric API for your integrations.
- Keys are SHA-256 hashed before storage — we never store your raw key
- Keys are shown once at creation and cannot be retrieved again
- Restrict keys by IP address, origin, and specific endpoints
- Revoke keys instantly from the dashboard
- Separate live and test key prefixes (gm_live_ / gm_test_)
- Per-organization rate limits and monthly quotas enforced automatically
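The key-handling rules in this list, as an added Python example that is not GreenMetric's implementation: keys carry the `gm_live_` / `gm_test_` prefix, only the SHA-256 digest is stored, the raw key is returned exactly once, and authentication enforces the IP-range and endpoint restrictions and instant revocation. The `ApiKeyStore` layout and its record fields are assumptions; rate limits and quotas are not modelled.

```python
import hashlib
import ipaddress
import secrets

PREFIXES = {"live": "gm_live_", "test": "gm_test_"}  # prefixes named on the page


def hash_api_key(raw_key):
    """Keys are stored as SHA-256 digests. Unlike passwords, API keys are long
    random strings, so a fast hash is appropriate: there is nothing to guess."""
    return hashlib.sha256(raw_key.encode("utf-8")).hexdigest()


class ApiKeyStore:
    """In-memory stand-in for the key table (assumed layout)."""

    def __init__(self):
        # Records are indexed by the key's digest; the raw key is never kept.
        # The digest of a 256-bit random secret is safe to use as a dict key:
        # a lookup-timing side channel reveals nothing about a key not in the table.
        self._records = {}

    def create(self, mode, org, allowed_ips=None, allowed_endpoints=None):
        """Return the raw key; this is the only time it is available."""
        raw = PREFIXES[mode] + secrets.token_urlsafe(32)
        self._records[hash_api_key(raw)] = {
            "org": org,
            "mode": mode,
            "revoked": False,
            "allowed_ips": [ipaddress.ip_network(n) for n in (allowed_ips or [])],
            "allowed_endpoints": list(allowed_endpoints or []),
        }
        return raw

    def revoke(self, key_hash):
        """Instant revocation: the next request with this key is refused."""
        rec = self._records.get(key_hash)
        if rec is None:
            return False
        rec["revoked"] = True
        return True

    def authenticate(self, presented, client_ip, endpoint):
        """Return (record, "ok") or (None, reason)."""
        if not presented.startswith(tuple(PREFIXES.values())):
            return None, "malformed key"
        rec = self._records.get(hash_api_key(presented))
        if rec is None:
            return None, "unknown key"
        if rec["revoked"]:
            return None, "revoked key"
        if rec["allowed_ips"]:
            ip = ipaddress.ip_address(client_ip)
            if not any(ip in net for net in rec["allowed_ips"]):
                return None, "ip not allowed"
        if rec["allowed_endpoints"] and not any(
                endpoint.startswith(prefix) for prefix in rec["allowed_endpoints"]):
            return None, "endpoint not allowed"
        return rec, "ok"


if __name__ == "__main__":
    store = ApiKeyStore()
    key = store.create("live", "org-demo", allowed_ips=["203.0.113.0/24"],
                       allowed_endpoints=["/v1/metrics"])
    print("show once:", key)
    print(store.authenticate(key, "203.0.113.7", "/v1/metrics/daily"))
    print(store.authenticate(key, "198.51.100.9", "/v1/metrics/daily"))
```

Restrictions are evaluated after the key is found, so the same `unknown key` answer is returned whether a key never existed or was presented from the wrong place; only a valid key learns which restriction it tripped.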
Data Handling
We apply the principle of least exposure to all sensitive data.
| Data | Protection |
|---|---|
| Passwords | bcrypt hashed with 12 rounds; never logged or exposed in API responses |
| Auth tokens | Stored in HttpOnly, Secure, SameSite cookies; SHA-256 hashed in database |
| API keys | SHA-256 hashed before storage; raw key shown only once at creation |
| Verification tokens | SHA-256 hashed in database; time-limited (1 hour for password reset, 24 hours for email verification) |
| Error responses | Generic messages in production; no stack traces, internal paths, or implementation details exposed |
Have a Security Concern?
If you discover a vulnerability or have questions about our security practices, please reach out to us.