
Security

Intotes implements multiple layers of security to protect user data and funds.

Authentication

JWT Tokens

  • Access tokens: short-lived (20 minutes), used for API authentication
  • Refresh tokens: longer-lived (72 hours), used to obtain new access tokens
  • Both tokens are set as HTTP-only cookies, so page scripts cannot read them and an XSS bug cannot exfiltrate the token
  • Tokens are signed with a server-side secret key

OAuth 2.0

Supported providers: Google, GitHub, VK, Yandex, Telegram. The OAuth flow uses the standard authorization code grant, with the state parameter providing CSRF protection.

Request Security

CORS (Cross-Origin Resource Sharing)

  • Allowed origins configured per environment
  • Credentials (cookies) are included in cross-origin requests
  • Preflight requests handled automatically

Request Limits

  • Maximum request body size: 1 MB
  • Content-Type validation enforced on POST/PUT/PATCH requests
  • Rate limiting per IP + endpoint (see Rate Limiting)

Security Headers

All responses include standard security headers:

Header | Value | Purpose
X-Content-Type-Options | nosniff | Prevent MIME type sniffing
X-Frame-Options | DENY | Prevent clickjacking
X-XSS-Protection | 1; mode=block | Enable XSS filter
Referrer-Policy | strict-origin-when-cross-origin | Control referrer information

Data Security

Passwords

  • Passwords are hashed using bcrypt before storage
  • Minimum password length enforced at registration
  • Password reset requires email verification

Sensitive Data

  • Private keys for crypto wallets are encrypted at rest
  • OAuth tokens are not stored after exchange
  • User email is partially masked in referral displays

Network Security

HTTPS

All API communication must use HTTPS in production. HTTP requests are redirected to HTTPS.

Cloudflare

The platform uses Cloudflare for:

  • DDoS protection
  • SSL/TLS termination
  • CDN for static assets (images in R2)
  • IP geolocation

Best Practices for API Consumers

  1. Always use HTTPS: never send credentials over HTTP
  2. Store tokens securely: rely on HTTP-only cookies rather than localStorage
  3. Implement token refresh: handle 401 responses by refreshing the access token
  4. Validate responses: check HTTP status codes and error codes
  5. Use rate limit headers: respect X-RateLimit-Remaining and Retry-After
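As an added example (not Intotes' own client code): a browser-side fetch wrapper that applies items 2, 3 and 5 above, sending the HTTP-only cookies with `credentials: "include"`, refreshing once on a 401 and waiting out a 429 via Retry-After. The `/api/auth/refresh` path, the `/api/me` and `/api/pay` routes and the fake server are assumptions constructed for the demo.

```javascript
const REFRESH_PATH = "/api/auth/refresh"; // assumed endpoint name, not from the docs
// deps.fetch: the fetch implementation (window.fetch in a browser, a fake in tests).
// deps.sleep: optional, lets a test skip the real wait.
async function apiFetch(url, options, deps) {
  const sleep = deps.sleep || ((ms) => new Promise((r) => setTimeout(r, ms)));
  // credentials: "include" makes the browser attach the HTTP-only cookies on a
  // cross-origin request; the JWT itself is never readable from JavaScript.
  const opts = { ...options, credentials: "include" };
  const result = { status: 0, body: null, refreshed: false, waitedMs: 0 };
  let res = await deps.fetch(url, opts);
  if (res.status === 401) {
    // Access token (20 min) expired: get a new one with the 72-hour refresh
    // cookie, then retry exactly once so a dead refresh token cannot loop.
    const refresh = await deps.fetch(REFRESH_PATH, { method: "POST", credentials: "include" });
    if (refresh.status !== 200) return { ...result, status: 401 }; // caller must re-login
    result.refreshed = true;
    res = await deps.fetch(url, opts);
  }
  if (res.status === 429) {
    // Rate limited: wait the Retry-After seconds instead of hammering the endpoint.
    const seconds = Number(res.headers.get("Retry-After")) || 1;
    result.waitedMs = seconds * 1000;
    await sleep(result.waitedMs);
    res = await deps.fetch(url, opts);
  }
  result.status = res.status;
  result.body = res.status === 200 ? await res.json() : null;
  return result;
}
// Constructed fake server standing in for the real API: /api/me answers 401 until a
// refresh has happened; /api/pay answers 429 with Retry-After: 2 once, then 200.
function makeFakeServer() {
  let accessValid = false, payCalls = 0;
  const reply = (status, body, headers = {}) => ({
    status, json: async () => body,
    headers: { get: (name) => (name in headers ? headers[name] : null) },
  });
  return async (url, opts) => {
    if (!opts || opts.credentials !== "include") return reply(401, null); // no cookies sent
    if (url === REFRESH_PATH) { accessValid = true; return reply(200, { ok: true }); }
    if (!accessValid) return reply(401, null);
    if (url === "/api/me") return reply(200, { id: 42 });
    if (url === "/api/pay") {
      payCalls += 1;
      return payCalls === 1 ? reply(429, null, { "Retry-After": "2" }) : reply(200, { paid: true });
    }
    return reply(404, null);
  };
}
```

In a real page, call `apiFetch("/api/me", {}, { fetch: window.fetch.bind(window) })`; the returned `refreshed` and `waitedMs` fields show which recovery path ran.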