Security
How Shipset protects your account and what to do if you find a vulnerability.
Account protection
- Argon2id password hashing with OWASP-recommended 2024 parameters (19 MiB memory, 2 iterations).
- Two-factor authentication (TOTP) — available to every user under Settings · Security. We support 1Password, Google Authenticator, Authy, Bitwarden, and any other RFC 6238 client.
- 10 single-use recovery codes issued at 2FA enrolment for backup access when you lose your authenticator.
- Cloudflare Turnstile guards signup, login, and password-reset against automated abuse.
- A "Sign out everywhere" button immediately revokes every active session on every device.
- Recent security activity log — every sign-in, password change, and 2FA toggle is recorded with a hashed IP so you can spot unfamiliar access from your own settings page.
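An added example, not Shipset's own code, of what the server side of the TOTP check above involves: an RFC 6238 verifier that tolerates one step of clock drift, compares codes in constant time, and refuses to accept a code for a time step that has already been used, so a code observed once cannot be replayed inside its 30-second validity. It assumes the RFC defaults (SHA-1, 30-second step, 6 digits) that the listed authenticator apps use; the demo secret is the RFC 6238 Appendix B test vector.

```python
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional

STEP = 30    # RFC 6238 default time step in seconds
DIGITS = 6   # what the authenticator apps listed above display

# RFC 6238 Appendix B test secret ("12345678901234567890" as ASCII), base32-encoded
RFC6238_DEMO_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"

def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def decode_b32_secret(secret_b32: str) -> bytes:
    """Authenticator apps show the secret as unpadded base32; restore the padding."""
    s = secret_b32.strip().replace(" ", "").upper()
    return base64.b32decode(s + "=" * (-len(s) % 8))

def verify_totp(secret_b32: str, code: str, at: Optional[int] = None,
                window: int = 1, last_used_step: int = -1) -> Optional[int]:
    """Server-side RFC 6238 check. Returns the time-step index the code matched, or None.
    - accepts +/- `window` steps of drift between the phone's clock and the server's
    - constant-time comparison, so timing does not reveal how many digits matched
    - skips every step <= last_used_step, so an already-redeemed code is rejected
      (the caller persists the returned step as the new last_used_step)"""
    if not (code.isascii() and code.isdigit() and len(code) == DIGITS):
        return None
    secret = decode_b32_secret(secret_b32)
    now = int(time.time()) if at is None else at
    current = now // STEP
    for delta in range(-window, window + 1):
        step = current + delta
        if step <= last_used_step:
            continue
        if hmac.compare_digest(hotp(secret, step), code):
            return step
    return None

if __name__ == "__main__":
    # RFC 6238 vector: T=59 gives 94287082, i.e. "287082" at 6 digits, for step index 1
    print(verify_totp(RFC6238_DEMO_SECRET_B32, "287082", at=59))  # -> 1
```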
Transport and storage
- TLS 1.3 only — plain-HTTP requests are redirected to HTTPS, and HSTS is enforced with a two-year max-age.
- Database hosted in the EU; backups encrypted at rest. No direct DB access from the browser — all queries go through server-side handlers we control.
- Two-factor secrets and recovery codes are AES-256-GCM encrypted at rest with a key derived from a dedicated application secret.
- Personal data is scrubbed from telemetry before it is forwarded to Sentry. We log IP hashes (SHA-256, truncated) — never raw addresses.
Responsible disclosure
Found a vulnerability? Please email julio@shipset.dev with as much detail as you can. We try to acknowledge within 48 hours.
Please do not publicly disclose the issue until we have had a reasonable window to fix it — typically 30 days for non-critical, 7 days for actively-exploited issues. We will credit you in the changelog if you would like.
Out of scope for the disclosure programme: clickjacking on pages with no sensitive actions, rate-limit findings that require gigabit traffic, social engineering of staff, and anything you can only achieve with physical access to a victim's device.
Status
Real-time service status will be available at status.shipset.dev once the platform exits pre-launch.