Security Architecture

Built secure. Not bolted on after.

Every security measure is in place before your first API call. You inherit enterprise-grade protection without writing security code.

bcrypt · 12 rounds
Rate limiting · 3 layers
HMAC signing

Security Layers

Defense in depth. Multiple overlapping protections ensure that if one layer fails, others remain intact.

bcrypt Hashing

Never store secrets in plaintext

  • Passwords hashed with bcrypt at cost factor 12 (2^12 iterations, the common industry baseline)
  • Verification codes hashed with bcrypt at cost factor 10 (lower cost is acceptable because codes are short-lived and attempt-limited)
  • TOTP secrets encrypted at rest with AES-256
  • Every hash carries its own unique salt (generated automatically by bcrypt)
  • Rainbow tables and other precomputed attacks are ineffective because no two hashes share a salt

Rate Limiting

Distributed protection across all layers

  • Per-email: 3 reset requests per hour
  • Per-IP: 10 reset requests per hour
  • Per-connection: 100 requests per hour
  • Sliding window algorithm (no double-quota burst at fixed-window boundaries)
  • Backed by Upstash Redis (sub-millisecond latency)
  • Shared state, so limits hold across serverless instances globally
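The three limits above, implemented as a sliding window, as an added example (this is not ResetKit's own code). An in-memory dict stands in for the Upstash Redis store the page describes; with Redis the same logic maps onto one sorted set per key (ZREMRANGEBYSCORE to prune, ZCARD to count, ZADD to record). The limits are the ones listed on the page; the key names and the check_reset_request() signature are assumptions for illustration. The FixedWindowLimiter at the end exists only to show the boundary burst that the sliding window avoids.

```python
"""Sliding-window rate limiting on three keys (per email, per IP, per connection).

Added example; not ResetKit's own code. An in-memory dict stands in for Redis.
"""
from bisect import bisect_right, insort
from collections import defaultdict

WINDOW_SECONDS = 3600
LIMITS = {"email": 3, "ip": 10, "connection": 100}  # requests per hour, from the page


class SlidingWindowLimiter:
    """Counts every hit in the trailing `window` seconds, so a burst cannot
    straddle a boundary the way it can with fixed calendar-hour buckets."""

    def __init__(self, window=WINDOW_SECONDS):
        self.window = window
        self._hits = defaultdict(list)  # key -> sorted list of hit timestamps

    def count(self, key, now):
        """Drop hits older than the window and return how many remain."""
        hits = self._hits[key]
        del hits[: bisect_right(hits, now - self.window)]
        return len(hits)

    def allow(self, key, limit, now):
        """Single-layer check: consume one slot under `key` if under `limit`."""
        if self.count(key, now) >= limit:
            return False
        insort(self._hits[key], now)
        return True

    def check_reset_request(self, now, email, ip, connection_id):
        """Apply all three layers together: the request is recorded on every
        layer only if every layer allows it. Returns (allowed, denied_layers)."""
        layers = [
            ("email", "email:" + email.strip().lower(), LIMITS["email"]),
            ("ip", "ip:" + ip, LIMITS["ip"]),
            ("connection", "conn:" + connection_id, LIMITS["connection"]),
        ]
        denied = [name for name, key, limit in layers if self.count(key, now) >= limit]
        if denied:
            return False, denied
        for _, key, _ in layers:
            insort(self._hits[key], now)
        return True, []


class FixedWindowLimiter:
    """Calendar-bucket counter, shown only to illustrate the boundary burst
    that the sliding window above avoids."""

    def __init__(self, window=WINDOW_SECONDS):
        self.window = window
        self._counts = defaultdict(int)

    def allow(self, key, limit, now):
        bucket = (key, now // self.window)
        if self._counts[bucket] >= limit:
            return False
        self._counts[bucket] += 1
        return True


def boundary_burst(limiter_cls, limit=3, window=WINDOW_SECONDS):
    """How many requests get through when a caller fires `limit` requests one
    second before an hour boundary and `limit` more right after it."""
    limiter = limiter_cls(window)
    passed = 0
    for t in (window - 1, window):
        for _ in range(limit):
            passed += limiter.allow("email:victim@example.com", limit, t)
    return passed


if __name__ == "__main__":
    print("fixed window lets through:", boundary_burst(FixedWindowLimiter))
    print("sliding window lets through:", boundary_burst(SlidingWindowLimiter))
```

With a 3-per-hour email limit, the fixed-window counter admits six requests in two seconds across the boundary; the sliding window admits three. In production the prune-count-record sequence for each key should run inside a single Redis transaction or Lua script so concurrent requests cannot both see "2 of 3" and both get through.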

Enumeration Protection

Prevent user database probing

  • Identical responses for existing/non-existing emails
  • Timing-safe comparisons (constant-time execution)
  • A dummy bcrypt operation is performed when the email is not registered, so both paths do the same work
  • Response times identical within 5ms variance
  • Attackers can't determine if email is registered

Brute Force Protection

Account lockout prevents guessing attacks

  • 5 failed verification attempts = permanent session lock
  • 6-digit codes = 1,000,000 combinations
  • 5 attempts = 5 in 1,000,000 (0.0005%) chance of guessing correctly
  • Locked sessions cannot be reused (one-time tokens)
  • Lockout triggers long before any meaningful fraction of the code space can be searched
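The three properties described above (salted slow hashing of codes, identical work whether or not the session exists, and a permanent lock after five failures) in one verification routine, as an added example that is not ResetKit's own code. Python's standard library has no bcrypt, so hashlib.scrypt stands in for the bcrypt-at-cost-10 the page uses for codes; the behaviour otherwise follows the page (6-digit codes, 15-minute sessions, 64-hex-character session ids, one-time use, dummy hash when the session is unknown, constant-time compare). The in-memory store, the method names and the injectable clock are assumptions for illustration. The same pattern applies to the 2FA codes and magic links described later on the page, with their own expiry values.

```python
"""Verification-code check hardened against user enumeration and brute force.

Added example; not ResetKit's own code. hashlib.scrypt stands in for bcrypt.
"""
import hashlib
import hmac
import secrets
import time

MAX_ATTEMPTS = 5
SESSION_TTL_SECONDS = 15 * 60
SCRYPT_PARAMS = {"n": 2 ** 13, "r": 8, "p": 1}  # stand-in cost; the page uses bcrypt cost 10


def hash_code(code, salt):
    """Salted, deliberately slow hash of a verification code."""
    return hashlib.scrypt(code.encode(), salt=salt, **SCRYPT_PARAMS)


# Fixed dummy hash so the "no such session" path costs the same as a real check.
_DUMMY_SALT = secrets.token_bytes(16)
_DUMMY_HASH = hash_code("000000", _DUMMY_SALT)


class ResetSessions:
    def __init__(self, clock=time.time):
        self.clock = clock  # injectable so expiry can be tested deterministically
        self._sessions = {}

    def create(self, email):
        """Start a reset session. The plaintext code is returned only so it can
        be emailed; only its salted hash is stored."""
        session_id = secrets.token_hex(32)           # 64 hex chars = 256 bits
        code = f"{secrets.randbelow(10 ** 6):06d}"    # 6 digits, 1,000,000 values
        salt = secrets.token_bytes(16)
        self._sessions[session_id] = {
            "email": email,
            "salt": salt,
            "code_hash": hash_code(code, salt),
            "created": self.clock(),
            "attempts": 0,
            "locked": False,
            "consumed": False,
        }
        return session_id, code

    def verify(self, session_id, code):
        """True only for a live, unlocked, unconsumed session and the right code.
        Every call performs exactly one hash and one constant-time compare,
        whether or not the session exists, so timing does not leak that fact."""
        sess = self._sessions.get(session_id)
        live = (
            sess is not None
            and not sess["locked"]
            and not sess["consumed"]
            and self.clock() - sess["created"] <= SESSION_TTL_SECONDS
        )
        salt, expected = (sess["salt"], sess["code_hash"]) if live else (_DUMMY_SALT, _DUMMY_HASH)
        match = hmac.compare_digest(hash_code(code, salt), expected)
        if not live:
            return False  # same answer and same cost as a wrong code
        if match:
            sess["consumed"] = True  # one-time use
            return True
        sess["attempts"] += 1
        if sess["attempts"] >= MAX_ATTEMPTS:
            sess["locked"] = True  # permanent: the user must request a new session
        return False

    def state(self, session_id):
        """(attempts, locked, consumed) for audit logging and tests; None if unknown."""
        sess = self._sessions.get(session_id)
        return None if sess is None else (sess["attempts"], sess["locked"], sess["consumed"])
```

Note that the lock is applied to the session, not the account: an attacker who exhausts five guesses gains nothing beyond forcing a fresh code, and the per-email rate limit caps how often that can happen.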

CSRF Protection

Prevent cross-site request forgery

  • CSRF tokens required on all mutations
  • Tokens rotate on every request
  • SameSite=None; Secure cookies (required for cross-domain use; since such cookies are sent on cross-site requests, the CSRF token and Origin checks carry the defense)
  • Origin header validation
  • Double-submit cookie pattern
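The Origin check and double-submit comparison from the list above in one request filter, as an added example (not ResetKit's own code). The request is modelled as plain values (method, a dict of lowercase header names, a dict of cookies, an optional token from the body); the allowed-origin set, cookie name and header name are assumptions. It shows why the page's SameSite=None; Secure setting is paired with a token: the cookie arrives on cross-site requests too, so only a trusted Origin plus a byte-for-byte match between the cookie and the token echoed by same-origin script gets a mutation through.

```python
"""CSRF check: Origin validation plus the double-submit cookie pattern.

Added example; not ResetKit's own code. Origins and names below are assumed.
"""
import hmac
import secrets
from urllib.parse import urlsplit

ALLOWED_ORIGINS = {"https://app.example.com"}  # assumed deployment origins
MUTATING_METHODS = {"POST", "PUT", "PATCH", "DELETE"}
COOKIE_NAME = "csrf_token"
HEADER_NAME = "x-csrf-token"


def issue_csrf_token():
    """Fresh unguessable token; the page rotates it on every request."""
    return secrets.token_urlsafe(32)


def csrf_cookie(token):
    """Set-Cookie value. SameSite=None is only accepted by browsers with Secure.
    The cookie is left readable by same-origin script so the client can echo
    it in the header; cross-origin script cannot read it."""
    return f"{COOKIE_NAME}={token}; Path=/; Secure; SameSite=None"


def origin_allowed(headers):
    """Origin (or Referer as a fallback) must resolve to a trusted origin.
    Browsers send Origin on cross-site POSTs, so absence is treated as hostile."""
    raw = headers.get("origin") or headers.get("referer")
    if not raw:
        return False
    parts = urlsplit(raw)
    return f"{parts.scheme}://{parts.netloc}" in ALLOWED_ORIGINS


def csrf_check(method, headers, cookies, body_token=None):
    """Return (ok, reason, next_token). next_token is the rotated token to set
    on the response when the request is accepted; it is None on rejection."""
    if method.upper() not in MUTATING_METHODS:
        return True, "safe method", cookies.get(COOKIE_NAME)
    if not origin_allowed(headers):
        return False, "origin not allowed", None
    cookie_token = cookies.get(COOKIE_NAME)
    submitted = headers.get(HEADER_NAME) or body_token
    if not cookie_token or not submitted:
        return False, "missing token", None
    if not hmac.compare_digest(cookie_token.encode(), submitted.encode()):
        return False, "token mismatch", None
    return True, "ok", issue_csrf_token()
```

One caveat a practitioner should keep in mind: the plain double-submit pattern assumes an attacker cannot set cookies for your domain. If untrusted content can run on a sibling subdomain, bind the token to the user's session (for example by signing the session id into it) rather than relying on the cookie value alone.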

Webhook Signing

Verify requests are genuinely from ResetKit

  • HMAC-SHA256 signatures on all webhook requests
  • Signature delivered in the X-ResetKit-Signature header
  • Signed timestamp included so receivers can reject stale deliveries (replay protection)
  • Signing secret unique per connection
  • Verify the signature and timestamp before processing a webhook, and compute the signature over the raw request body
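A receiver-side check for the scheme described above, as an added example that is not ResetKit's own code. The page states only that the signature is HMAC-SHA256, travels in X-ResetKit-Signature and includes a timestamp; the exact header layout ("t=<unix seconds>,v1=<hex hmac>"), the signed message ("<timestamp>.<raw body>"), the five-minute tolerance and the sample payload and secret are assumptions constructed for this example. The replay cache at the end goes one step beyond the page: a correctly signed delivery is honoured once, even inside the freshness window.

```python
"""Verifying a signed webhook: HMAC-SHA256 over timestamp and raw body,
constant-time compare, freshness window, replay cache.

Added example; not ResetKit's own code. Header layout and tolerance are assumed.
"""
import hashlib
import hmac
import time

DEFAULT_TOLERANCE_SECONDS = 300  # assumed freshness window


def sign(secret, timestamp, body):
    """Hex HMAC-SHA256 over "<timestamp>.<raw body bytes>" (assumed layout)."""
    msg = f"{timestamp}.".encode() + body
    return hmac.new(secret.encode(), msg, hashlib.sha256).hexdigest()


def make_signature_header(secret, timestamp, body):
    """What a sender would place in X-ResetKit-Signature under the assumed layout."""
    return f"t={timestamp},v1={sign(secret, timestamp, body)}"


def parse_signature_header(header):
    """Return (timestamp, signature) or None if the header is malformed."""
    try:
        fields = dict(part.strip().split("=", 1) for part in header.split(","))
        return int(fields["t"]), fields["v1"]
    except (AttributeError, ValueError, KeyError):
        return None


class WebhookVerifier:
    def __init__(self, secret, tolerance=DEFAULT_TOLERANCE_SECONDS):
        self.secret = secret      # the per-connection signing secret
        self.tolerance = tolerance
        self._seen = {}           # signature -> timestamp, for replay detection

    def verify(self, header, body, now=None):
        """Accept only a well-formed, fresh, correctly signed, never-before-seen
        delivery. `body` must be the raw request bytes, not re-serialised JSON:
        any whitespace or key-order change would invalidate the HMAC."""
        now = time.time() if now is None else now
        parsed = parse_signature_header(header)
        if parsed is None:
            return False
        ts, sig = parsed
        if abs(now - ts) > self.tolerance:
            return False  # stale (or badly clock-skewed) delivery
        if not hmac.compare_digest(sign(self.secret, ts, body).encode(), sig.encode()):
            return False  # wrong secret or tampered body
        # Replay defence: forget signatures that have aged out, refuse repeats.
        self._seen = {s: t for s, t in self._seen.items() if now - t <= self.tolerance}
        if sig in self._seen:
            return False
        self._seen[sig] = ts
        return True


if __name__ == "__main__":
    secret = "whsec_example"  # constructed
    body = b'{"event":"password.reset.completed","email":"alice@example.com"}'
    header = make_signature_header(secret, int(time.time()), body)
    print("valid delivery:", WebhookVerifier(secret).verify(header, body))
```

Check the timestamp before the HMAC only as an optimisation; the security property comes from the HMAC covering the timestamp, so an attacker cannot refresh an old delivery by editing t.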

Infrastructure Security

We use battle-tested infrastructure providers with SOC 2 compliance and proven security records.

Component · Technology · Security measures

Database · MongoDB Atlas · Encrypted at rest (AES-256), encrypted in transit (TLS 1.2+), VPC peering, IP whitelisting
Cache & rate limiting · Upstash Redis · TLS encryption, authentication required, ephemeral data (TTL auto-cleanup)
Email delivery · Resend · DKIM signing, SPF records, dedicated IPs, bounce handling
API hosting · Vercel Edge Functions · DDoS protection, rate limiting, geographic distribution, automatic HTTPS
Monitoring · Custom logging · Audit trails for all auth events, PII scrubbing, 90-day retention

Token & Session Management

Short-lived tokens and one-time use patterns minimize attack windows.

Password Reset Sessions

  • 15-minute expiration from session creation
  • Locked permanently after 5 failed verification attempts
  • One-time use (cannot be reused after successful reset)
  • Session ID is 64-character hex (256 bits of entropy)

2FA Codes

  • 5-minute expiration (shorter window than reset)
  • 6 digits = 1,000,000 combinations
  • Locked after 5 failed attempts = 0.0005% success rate
  • Codes bcrypt-hashed (cost factor 10) before storage

Magic Links

  • 30-minute expiration for email verification
  • 32-character hex tokens (128 bits of entropy)
  • One-time use with consumption tracking
  • MongoDB TTL index auto-deletes expired tokens

Compliance & Standards

We adhere to industry standards and actively pursue certifications.

GDPR

Compliant

Right to access, rectification, erasure, portability. Data processing agreements available.

CCPA

Compliant

California consumer privacy rights supported. Do-not-sell honored.

SOC 2 Type II

In progress

Currently undergoing audit. Expected completion Q2 2026.

OWASP Top 10

Addressed

Each OWASP Top 10 category is addressed in design and implementation.

Responsible Disclosure

We take security seriously. If you discover a vulnerability, please report it responsibly:

  • Email security@resetkit.dev with details of the vulnerability
  • Allow us 90 days to investigate and patch before public disclosure
  • Do not exploit the vulnerability beyond proof-of-concept testing
  • We'll acknowledge your report within 48 hours and provide updates

Last security audit: January 2026 · Next scheduled: Q2 2026