Transport
All client traffic is HTTPS (Let's Encrypt, HTTP/2, HSTS). OAuth flows use signed JWT state nonces and verify the user identity on callback to prevent CSRF.
At rest
- Passwords: bcrypt cost 12.
- OAuth refresh tokens (YouTube, Twitch, Kick, Restream, Slack, Zoom): AES-256-GCM with a 32-byte master key.
- Webhook signing secrets: AES-256-GCM, shown to the operator once.
- Database storage encrypted by HeliosDB.
Auth surface
- JWT (HS256) sessions in HttpOnly Secure SameSite=Lax cookies, 7-day expiry.
- Email verification required before login.
- Password reset uses bcrypt-hashed single-use 1-hour tokens.
Audit + traceability
Significant actions write to an append-only audit log (bv_audit_events) including actor, target, and timestamp. Available to the account owner via /account.
Webhook deliveries
Outbound webhooks include an HMAC-SHA256 signature in X-BigVoice-Signature over ${ts}.${body}. The timestamp is enforced ±5 min to prevent replay; clients should verify both.
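A receiver-side check for the scheme above, as an added example (not BigVoice's own code). Assumptions not stated on this page: the signature is hex-encoded, the timestamp is Unix seconds and reaches the receiver alongside the signature, and the secret, event name and payload below are constructed sample values.

```python
import hashlib
import hmac
import time

TOLERANCE_SECONDS = 5 * 60  # the ±5 min replay window described above


def sign(secret: bytes, ts: int, body: bytes) -> str:
    """HMAC-SHA256 over "<ts>.<body>". Hex output is an assumption."""
    msg = str(ts).encode() + b"." + body
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def verify_webhook(secret, ts_value, signature, raw_body, now=None):
    """Return (ok, reason). Checks both the timestamp window and the MAC.

    raw_body must be the exact bytes received, before any JSON parsing,
    because re-serialising the payload changes the bytes that were signed.
    """
    now = time.time() if now is None else now
    try:
        ts = int(ts_value)
    except (TypeError, ValueError):
        return False, "bad timestamp"
    if abs(now - ts) > TOLERANCE_SECONDS:
        return False, "timestamp outside window"
    # The MAC covers the same ts that was just range-checked, so a captured
    # delivery cannot be replayed later under a fresh timestamp.
    expected = sign(secret, ts, raw_body)
    # Constant-time comparison; bytes avoid errors on non-ASCII input.
    if not hmac.compare_digest(expected.encode(), str(signature).encode()):
        return False, "signature mismatch"
    return True, "ok"


# Constructed sample delivery (not real BigVoice data).
SECRET = b"constructed-demo-secret"
BODY = b'{"event":"stream.started","id":"evt_demo"}'
TS = 1_700_000_000
SIG = sign(SECRET, TS, BODY)

if __name__ == "__main__":
    print(verify_webhook(SECRET, str(TS), SIG, BODY, now=TS + 10))
    print(verify_webhook(SECRET, str(TS), SIG, BODY, now=TS + 3600))
    print(verify_webhook(SECRET, str(TS + 3600), SIG, BODY, now=TS + 3600))
```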
Reporting issues
Email security@foor.email (or contact@foor.email while the dedicated mailbox is being set up). PGP key on request. We aim to acknowledge within 24h.
Last updated · 2026-04-17