Security Profile

Security

NSA-exceeding protection. Documented. Public. Verifiable.

Last verified: 2026-04-16T06:15:59.076Z • SHA: 2b3f3d3

Application-Layer Column Encryption

Sensitive data fields are encrypted at the application layer before reaching the database. Neon Postgres provides encryption at rest (AES-256) and in transit (TLS 1.3). The application never stores plaintext secrets, API keys, or session tokens in the database.

  • Database: Neon Postgres with enforced SSL connections
  • ORM: Prisma 6.0 with parameterized queries (zero SQL injection surface)
  • Auth tokens: NextAuth manages session encryption — never stored as plaintext
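One way to do the application-layer column encryption described above, as an added example that is not ft3's own code: AES-256-GCM with a fresh 96-bit IV per value, the column name bound in as associated data (so a ciphertext copied from one column cannot be decrypted as another), and a versioned text record that fits a Prisma string column. The FIELD_ENCRYPTION_KEY variable name, the "v1:iv:tag:ct" record layout and the helper names are assumptions.

```typescript
import { createCipheriv, createDecipheriv, randomBytes } from "node:crypto";

// Added example, not ft3's code. Encrypts a sensitive field before it is handed
// to the ORM, so the database only ever sees ciphertext. Key variable name and
// record format are assumptions.

const IV_BYTES = 12;   // 96-bit IV, the GCM recommendation
const KEY_BYTES = 32;  // AES-256

type Key = Buffer;

// Load the column-encryption key from the environment (hex-encoded, 32 bytes).
function loadKey(env: Record<string, string | undefined>): Key {
  const hex = env.FIELD_ENCRYPTION_KEY?.trim(); // assumed env var name
  const key = hex ? Buffer.from(hex, "hex") : Buffer.alloc(0);
  if (!hex || hex.length !== KEY_BYTES * 2 || key.length !== KEY_BYTES) {
    throw new Error("FIELD_ENCRYPTION_KEY must be 32 bytes, hex-encoded");
  }
  return key;
}

// Returns "v1:<iv>:<tag>:<ciphertext>" (base64url) so it fits a text column.
function encryptField(plaintext: string, key: Key, column: string): string {
  const iv = randomBytes(IV_BYTES);
  const cipher = createCipheriv("aes-256-gcm", key, iv);
  cipher.setAAD(Buffer.from(column, "utf8")); // bind ciphertext to its column
  const ct = Buffer.concat([cipher.update(plaintext, "utf8"), cipher.final()]);
  const tag = cipher.getAuthTag();
  return ["v1", iv.toString("base64url"), tag.toString("base64url"), ct.toString("base64url")].join(":");
}

// Throws on any tampering (wrong key, flipped bit, wrong column) because GCM
// verifies the tag before releasing plaintext.
function decryptField(record: string, key: Key, column: string): string {
  const [version, ivB64, tagB64, ctB64] = record.split(":");
  if (version !== "v1" || !ivB64 || !tagB64 || !ctB64) {
    throw new Error("malformed ciphertext record");
  }
  const decipher = createDecipheriv("aes-256-gcm", key, Buffer.from(ivB64, "base64url"));
  decipher.setAAD(Buffer.from(column, "utf8"));
  decipher.setAuthTag(Buffer.from(tagB64, "base64url"));
  return Buffer.concat([
    decipher.update(Buffer.from(ctB64, "base64url")),
    decipher.final(),
  ]).toString("utf8");
}

// Reports whether a record decrypts under a given key and column name.
function decryptsUnder(record: string, key: Key, column: string): boolean {
  try {
    decryptField(record, key, column);
    return true;
  } catch {
    return false;
  }
}
```

Rotating the key later is a matter of bumping the version prefix and decrypting with the key that matches each record's version; the AAD check is what turns a ciphertext swapped between rows or columns into a hard failure instead of silently wrong data.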

Immutable Audit Logs

Every deployment is immutable and traceable. Git SHA provenance is injected at build time and displayed in the site footer, HTML comments, and /docs. Vercel maintains a complete deploy history with rollback capability.

  • Git history: every commit signed and preserved
  • Deploy log: Vercel maintains immutable build + deploy records
  • Build provenance: SHA + timestamp embedded in every page via build-info.ts
  • Database: Prisma schema tracks createdAt/updatedAt on all records

Zero-Trust Authentication

No passwords are stored. Authentication uses email verification (Resend) and GitHub OAuth. Every admin request is verified at three layers: middleware, layout, and API route.

  • Layer 1: Next.js middleware checks session token on /admin/* and /api/admin/*
  • Layer 2: Admin layout verifies user role (must be "admin")
  • Layer 3: Every API route independently calls requireAdmin()
  • Session: HTTP-only secure cookies with CSRF protection (NextAuth 5.0)
  • SignIn callback: only existing admin users or first-time registrations permitted
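The three admin layers above, modelled as pure functions so the logic can be exercised without a Next.js runtime. This is an added example, not ft3's own code: the Session shape, the route-prefix matching, the AuthError class and the 401/403 mapping are assumptions about how the profile's middleware, layout and requireAdmin() fit together.

```typescript
// Added example, not ft3's code. Session shape, path matching and status codes
// are assumptions.

type Session = { user?: { email?: string; role?: string } } | null;

// Layer 1 scope: only these prefixes require an authenticated session.
const PROTECTED_PREFIXES = ["/admin", "/api/admin"];

// Match on path segments, not raw string prefixes, so "/administrator" is not
// accidentally treated as an admin route (or, worse, an admin-only bypass).
function isProtectedPath(pathname: string): boolean {
  return PROTECTED_PREFIXES.some((p) => pathname === p || pathname.startsWith(p + "/"));
}

// Layer 1: middleware only checks that some session exists. The role check
// lives deeper, so a middleware bug cannot grant admin on its own.
function middlewareDecision(pathname: string, session: Session): "pass" | "redirect-to-signin" {
  if (!isProtectedPath(pathname)) return "pass";
  return session?.user ? "pass" : "redirect-to-signin";
}

class AuthError extends Error {
  constructor(public readonly status: 401 | 403, message: string) {
    super(message);
    Object.setPrototypeOf(this, AuthError.prototype); // keep instanceof reliable
  }
}

// Layers 2 and 3 share this: the admin layout and every /api/admin route call it
// independently, so none of them relies on the middleware having run.
function requireAdmin(session: Session): { email: string; role: "admin" } {
  if (!session?.user?.email) throw new AuthError(401, "not signed in");
  if (session.user.role !== "admin") throw new AuthError(403, "admin role required");
  return { email: session.user.email, role: "admin" };
}

// Layer 3 handler shape: nothing is read or written until requireAdmin() returns.
function adminRouteHandler(session: Session): { status: number; body: string } {
  try {
    const admin = requireAdmin(session);
    return { status: 200, body: `hello ${admin.email}` };
  } catch (e) {
    if (e instanceof AuthError) return { status: e.status, body: e.message };
    throw e;
  }
}
```

The point of calling requireAdmin() in both the layout and every route is defence in depth: a route added later without the layout, or a middleware matcher that misses a path, still fails closed at the innermost layer.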

Edge-First Architecture

The application runs on Vercel's Edge Network. No origin server is directly exposed. All traffic routes through Vercel's global CDN with automatic DDoS protection, rate limiting, and TLS termination.

  • CDN: Vercel Edge Network (global, automatic failover)
  • TLS: Automatic certificate provisioning and renewal
  • DDoS: Vercel-managed protection at the edge
  • No exposed ports, no SSH, no direct server access

Secrets Hygiene

All secrets are managed through environment variables — never committed to source control. The .env.local file is gitignored. Vercel encrypts environment variables at rest.

  • Environment variables: DATABASE_URL, AUTH_SECRET, API keys — all in Vercel env config
  • .gitignore: .env*, node_modules, .next — no secrets in repo
  • CRON_SECRET: bearer token required for /api/cron/* endpoints
  • NEXT_PUBLIC_* vars: only build metadata (version, SHA, timestamp) — never secrets

Database Security

Neon Postgres runs as a serverless database with automatic connection pooling, SSL-only connections, and compute isolation. No direct database access is possible outside the application.

  • Connection: SSL-only via Neon serverless driver
  • Queries: all parameterized through Prisma — zero raw SQL
  • Access: connection string restricted to Vercel deployment environment
  • IP Allowlisting: Neon Pro — database restricted to Vercel outbound IPs only
  • PITR: Point-in-time recovery enabled with 7-day retention (Neon Pro)
  • Connection pooling: PgBouncer-mode via Neon pooler endpoint (port 6543)
  • Backups: Neon automated point-in-time recovery
  • Schema: Prisma migrations with version-controlled schema history

Compliance Readiness

The site collects minimal data: admin session (email, role) and newsletter subscriber emails. No analytics, no tracking pixels, no third-party scripts beyond font loading.

  • GDPR: no tracking, no cookies for visitors, explicit newsletter opt-in
  • CCPA: no sale of personal information, no data broker relationships
  • SOC 2: infrastructure providers (Vercel, Neon) maintain SOC 2 Type II compliance
  • Data minimization: only essential data stored, no behavioral tracking

Social Platform Token Security

The Mini-Postmaster dispatches content to Facebook, Instagram, and X via their respective APIs. All platform tokens are stored as Vercel environment variables and read with .trim() so stray leading or trailing whitespace (for example a newline pasted into the env config) does not corrupt the token.

  • Meta (FB/IG): Long-lived page access token — 60-day expiry with manual rotation
  • X/Twitter: OAuth 1.0a credentials — API key, API secret, access token, access secret
  • All AI API keys (Anthropic, OpenAI, xAI): stored identically, never logged, never in responses
  • Kill switch: SOCIAL_CRON_ENABLED env var can disable all social posting instantly
  • Missing keys: any missing platform token causes graceful skip, not crash
  • Cron security: social cron uses same CRON_SECRET bearer auth as publish cron
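The env handling described in the Secrets Hygiene and Social Platform Token Security sections, as one added example that is not ft3's own code: CRON_SECRET checked as a bearer token in constant time (the same check serves /api/cron/publish and the social cron), tokens read with .trim(), a missing token turning into a per-platform skip rather than a crash, and SOCIAL_CRON_ENABLED as the kill switch. The platform token variable names, the "true" convention for the kill switch and the handler return shape are assumptions.

```typescript
import { timingSafeEqual } from "node:crypto";

// Added example, not ft3's code. Platform variable names, kill-switch value and
// return shapes are assumptions.

type Env = Record<string, string | undefined>;

// Compare the presented bearer token to CRON_SECRET in constant time. A plain
// === comparison returns early on the first differing byte, which leaks how much
// of the secret matched through response timing.
function isAuthorizedCron(authorizationHeader: string | undefined, env: Env): boolean {
  const secret = env.CRON_SECRET?.trim();
  if (!secret) return false; // unset secret: fail closed, never open
  const match = /^Bearer\s+(\S+)$/.exec(authorizationHeader ?? "");
  if (!match) return false;
  const presented = Buffer.from(match[1], "utf8");
  const expected = Buffer.from(secret, "utf8");
  // timingSafeEqual requires equal lengths; a length mismatch is simply a reject.
  return presented.length === expected.length && timingSafeEqual(presented, expected);
}

// Read a token with .trim(); an empty value after trimming counts as missing.
function readToken(env: Env, name: string): string | undefined {
  const v = env[name]?.trim();
  return v ? v : undefined;
}

// Assumed variable names for the per-platform credentials the profile lists.
const PLATFORM_TOKEN_VARS: Record<string, string[]> = {
  meta: ["META_PAGE_ACCESS_TOKEN"],
  x: ["X_API_KEY", "X_API_SECRET", "X_ACCESS_TOKEN", "X_ACCESS_SECRET"],
};

type DispatchResult = { platform: string; status: "posted" | "skipped"; reason?: string };

// Decide per platform whether to post or skip. A missing token becomes a skip
// with a reason instead of an exception that would abort the whole cron run.
function planSocialDispatch(env: Env): DispatchResult[] {
  if (env.SOCIAL_CRON_ENABLED?.trim() !== "true") {
    return Object.keys(PLATFORM_TOKEN_VARS).map(
      (platform): DispatchResult => ({ platform, status: "skipped", reason: "kill switch" }),
    );
  }
  return Object.entries(PLATFORM_TOKEN_VARS).map(([platform, vars]): DispatchResult => {
    const missing = vars.filter((v) => readToken(env, v) === undefined);
    return missing.length
      ? { platform, status: "skipped", reason: `missing ${missing.join(", ")}` }
      : { platform, status: "posted" };
  });
}

// Handler shape for /api/cron/social: authenticate first, then plan the run.
// Token values themselves never appear in the result, so they cannot leak into
// logs or responses.
function socialCronHandler(
  authorizationHeader: string | undefined,
  env: Env,
): { status: number; results: DispatchResult[] } {
  if (!isAuthorizedCron(authorizationHeader, env)) return { status: 401, results: [] };
  return { status: 200, results: planSocialDispatch(env) };
}
```

The skip results name only the variable that is missing, never its value, which keeps the "never logged, never in responses" property intact even when the cron run reports what it did not do.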

Questions about your specific requirements?

This security profile is a living document — auto-updated on every deploy via build-info.ts and the site's cron agent. If you have questions about the implementation details, review the source at /docs or reach out directly.

ft3 • v2026.04 • last compiled 2026-04-16T06:15:59.076Z • frontier-built with next.js + vim • 2b3f3d3