Security
Authentication
- Secure sign-in via Apple, Google or email/password.
- Passwords are managed by Firebase Authentication and are never stored in plain text.
- Apple and Google sign-in use standard OAuth 2.0 protocols.
Data in transit
All communications between the app, the web dashboard and the servers are encrypted with HTTPS/TLS. No data is transmitted in the clear.
Data at rest
Your cloud data is stored on Google Cloud (Firebase) infrastructure, hosted in the European Union. Google Cloud applies encryption at rest for all stored data.
Shared reports
- Shared reports are protected by a password you set.
- Passwords are verified server-side (SHA-256 hash comparison). The plain-text password is never stored.
- Viewing links use signed HMAC tokens with a limited validity period (1 hour).
- Brute-force protection blocks access after 5 incorrect attempts for 15 minutes.
Security headers
The web dashboard and report viewer apply HTTP security headers:
- X-Frame-Options: DENY — Prevents the pages from being embedded in any iframe (clickjacking protection).
- X-Content-Type-Options: nosniff — Prevents browsers from MIME-sniffing a response away from its declared Content-Type.
- Referrer-Policy: strict-origin-when-cross-origin — Limits the referrer information sent on cross-origin navigations to the origin only.
Report a security issue
If you discover a security vulnerability, contact us at contact@photoreport.app. We will treat your report as a priority.