Major Security Upgrades Across the Platform
Security isn't a feature — it's a foundation. Today we're rolling out significant authentication hardening and launching a dedicated Security Practices page so you can see exactly how we protect your data.
What's New
- Password Reset Flow: Secure email-based password reset with time-limited tokens and rate limiting. Tokens expire after 1 hour and are single-use.
- Login Rate Limiting: 10 attempts per IP address and 5 attempts per email address within any 15-minute window. Brute-force attacks are automatically blocked.
- CSRF Protection: All login and registration forms now include CSRF tokens, preventing cross-site request forgery attacks.
- Session Timeouts: 24-hour absolute session timeout plus 2-hour idle timeout. Sessions are automatically invalidated to prevent unauthorized access.
- Input Validation: Centralized input validator sanitizes and validates all user input across every API endpoint.
- Error Handling: Production-grade error handler that logs details for debugging while showing safe messages to users — no stack traces leaked.
- CORS Headers: Properly configured Cross-Origin Resource Sharing for secure API access from authorized domains only.
- API Health Check: New /api/health.php endpoint for monitoring platform status and uptime.
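To make the login rate limits and session timeouts above concrete, here is an added example (not Alfred AI's own code) of a sliding-window limiter enforcing 10 failed attempts per IP and 5 per email within any 15-minute window, plus a session check with the 24-hour absolute and 2-hour idle limits. The in-memory deques stand in for the alfred_login_attempts table; all function and field names are assumptions, and times are epoch seconds.

```python
"""Added example (not Alfred AI's own code): sliding-window login rate
limiter and session-timeout check with the limits stated in the announcement.
The in-memory structures stand in for the alfred_login_attempts table; all
function and field names are assumptions. Times are epoch seconds."""
from collections import defaultdict, deque

WINDOW_SECONDS = 15 * 60
IP_LIMIT = 10
EMAIL_LIMIT = 5
SESSION_ABSOLUTE_SECONDS = 24 * 60 * 60
SESSION_IDLE_SECONDS = 2 * 60 * 60


class LoginRateLimiter:
    """Counts failed logins per IP and per email over a trailing window."""

    def __init__(self):
        # key -> deque of epoch seconds of failed attempts (oldest first)
        self._by_ip = defaultdict(deque)
        self._by_email = defaultdict(deque)

    @staticmethod
    def _prune(attempts, now):
        # drop attempts that have aged out so the deque holds only live ones
        while attempts and now - attempts[0] >= WINDOW_SECONDS:
            attempts.popleft()

    def is_blocked(self, ip, email, now):
        """True when either the per-IP or the per-email limit is reached."""
        ip_hits = self._by_ip[ip]
        email_hits = self._by_email[email.lower()]
        self._prune(ip_hits, now)
        self._prune(email_hits, now)
        return len(ip_hits) >= IP_LIMIT or len(email_hits) >= EMAIL_LIMIT

    def attempt(self, ip, email, password_ok, now):
        """Return 'blocked', 'failed' or 'ok'; only failures count toward limits.

        The block check runs before the password check, so a blocked
        IP/email pair is refused even with the correct password."""
        if self.is_blocked(ip, email, now):
            return "blocked"
        if not password_ok:
            self._by_ip[ip].append(now)
            self._by_email[email.lower()].append(now)
            return "failed"
        return "ok"


def session_is_valid(created_at, last_seen_at, now):
    """Apply the 24-hour absolute lifetime and the 2-hour idle limit."""
    if now - created_at >= SESSION_ABSOLUTE_SECONDS:
        return False
    if now - last_seen_at >= SESSION_IDLE_SECONDS:
        return False
    return True


if __name__ == "__main__":
    # constructed walk-through: five bad passwords for one account block it,
    # while the same IP can still try other accounts until its own limit hits
    rl = LoginRateLimiter()
    t0 = 1_000_000
    for i in range(5):
        print(rl.attempt("203.0.113.7", "alice@example.com", False, t0 + i))
    print(rl.attempt("203.0.113.7", "alice@example.com", True, t0 + 10))
    print(rl.attempt("203.0.113.7", "alice@example.com", True, t0 + 15 * 60 + 30))
```

The two counters are deliberately independent: the per-email limit stops a focused attack on one account from a pool of addresses, while the per-IP limit catches one source spraying many accounts. In production the deques would be rows in the attempts table keyed by IP and email, pruned by the same "older than the window" rule the announcement's automatic cleanup describes.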
New Security Infrastructure
Two new database tables power these features: alfred_password_resets tracks reset tokens with expiry, and alfred_login_attempts records failed login attempts for rate limiting. Both include automatic cleanup of expired records.
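As an added example (not Alfred AI's own code) of what a single-use, one-hour reset token backed by a table like alfred_password_resets looks like, the following uses an in-memory SQLite table with assumed column names. Storing a SHA-256 hash of the token instead of the token itself, the function names, and the use of epoch seconds are all assumptions; the page only states that tokens expire after 1 hour, are single-use, and that expired records are cleaned up.

```python
"""Added example (not Alfred AI's own code): single-use, one-hour password
reset tokens backed by an in-memory SQLite table standing in for
alfred_password_resets. Column names, function names and the choice to store
a SHA-256 hash of the token are assumptions. Times are epoch seconds."""
import hashlib
import secrets
import sqlite3

TOKEN_TTL_SECONDS = 60 * 60


def _token_hash(token):
    # store only a hash so a leaked table does not yield usable reset links
    return hashlib.sha256(token.encode()).hexdigest()


def open_store():
    """Create the (assumed) table layout in an in-memory database."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE alfred_password_resets ("
        " token_hash TEXT PRIMARY KEY, email TEXT NOT NULL,"
        " expires_at INTEGER NOT NULL, used_at INTEGER)"
    )
    return conn


def issue_token(conn, email, now):
    """Create a reset token for email; the raw token goes into the emailed link."""
    token = secrets.token_urlsafe(32)  # 256 bits of randomness
    conn.execute(
        "INSERT INTO alfred_password_resets VALUES (?, ?, ?, NULL)",
        (_token_hash(token), email.lower(), now + TOKEN_TTL_SECONDS),
    )
    return token


def redeem_token(conn, token, now):
    """Mark the token used and return its email, or None if the token is
    unknown, expired or already used.

    The conditional UPDATE is the single-use guarantee: two concurrent
    redemptions cannot both see rowcount == 1 for the same row."""
    cur = conn.execute(
        "UPDATE alfred_password_resets SET used_at = ?"
        " WHERE token_hash = ? AND used_at IS NULL AND expires_at > ?",
        (now, _token_hash(token), now),
    )
    if cur.rowcount != 1:
        return None  # no live row matched
    row = conn.execute(
        "SELECT email FROM alfred_password_resets WHERE token_hash = ?",
        (_token_hash(token),),
    ).fetchone()
    return row[0]


def cleanup_expired(conn, now):
    """Delete rows that can never be redeemed again; returns the count removed."""
    cur = conn.execute(
        "DELETE FROM alfred_password_resets"
        " WHERE expires_at <= ? OR used_at IS NOT NULL",
        (now,),
    )
    return cur.rowcount


if __name__ == "__main__":
    # constructed walk-through: redeem once, then the same token is refused
    conn = open_store()
    t0 = 1_000_000
    token = issue_token(conn, "alice@example.com", t0)
    print(redeem_token(conn, token, t0 + 600))
    print(redeem_token(conn, token, t0 + 700))
    print(cleanup_expired(conn, t0 + TOKEN_TTL_SECONDS))
```

Checking expiry and the used flag inside the UPDATE's WHERE clause, rather than with a SELECT followed by a separate UPDATE, is what makes the token genuinely single-use under concurrent requests; the cleanup job then only has to remove rows the redemption query would already reject.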
We've also added performance headers including gzip compression, browser caching, and security headers (X-Content-Type-Options, X-Frame-Options, X-XSS-Protection) via .htaccess rules.
Read more about our security practices: Security at Alfred AI →