Security Practices

How MileIntel protects your data — encryption, access controls, infrastructure security, and compliance standards.

Overview

MileIntel handles sensitive travel and financial data — loyalty credentials, booking details, and payment information. Here's how we protect it.

Encryption

  • In transit — all connections use TLS 1. Every request between your browser, the API, and our servers is encrypted. HSTS headers enforce HTTPS on all endpoints.
  • At rest — database fields containing credentials, API keys, and payment references are encrypted using AES-256. Backups are encrypted before storage.

Authentication

  • Google OAuth — no passwords stored on MileIntel servers. Authentication is delegated entirely to Google's identity infrastructure.
  • Session tokens — signed JWTs with 30-day expiration. Tokens are stored in secure, HTTP-only cookies (web) or secure storage (extension/PWA).
  • API keys — hashed before storage. The plaintext key is shown once at creation and never stored.
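
The API-key handling described above, as an added Python example that is not MileIntel's code: the server keeps only a digest, returns the plaintext once at creation, and verifies later requests in constant time. The key format, the `mi` prefix, SHA-256 as the hash, and the dict standing in for the database are all assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

PREFIX = "mi"  # constructed prefix for this example, not a real key format


def _digest(plaintext: str) -> str:
    # A fast hash is acceptable only because the key carries 256 bits of
    # CSPRNG output; user-chosen passwords would need a slow KDF instead.
    return hashlib.sha256(plaintext.encode("ascii")).hexdigest()


def create_api_key(store: dict) -> str:
    """Generate a key, persist only its digest, return the plaintext once."""
    key_id = secrets.token_hex(8)        # non-secret lookup handle
    secret = secrets.token_urlsafe(32)   # 32 random bytes, URL-safe encoded
    plaintext = f"{PREFIX}_{key_id}_{secret}"
    store[key_id] = _digest(plaintext)   # the plaintext itself is never stored
    return plaintext


def verify_api_key(store: dict, presented: str) -> bool:
    """Check a presented key against the stored digest in constant time."""
    parts = presented.split("_", 2)      # the secret part may contain "_"
    if len(parts) != 3 or parts[0] != PREFIX:
        return False
    stored = store.get(parts[1])
    if stored is None:                   # unknown or revoked key id
        return False
    try:
        candidate = _digest(presented)
    except UnicodeEncodeError:           # non-ASCII input can never match
        return False
    return hmac.compare_digest(candidate, stored)


if __name__ == "__main__":
    store = {}  # hypothetical stand-in for the api_keys table
    key = create_api_key(store)
    print("shown once to the user:", key)
    print("what the server keeps: ", store)
    print("valid key accepted:    ", verify_api_key(store, key))
    print("tampered key rejected: ", not verify_api_key(store, key + "x"))
```

Because only the digest is stored, a lost key cannot be recovered from the server; it has to be revoked (its entry deleted) and a new one issued.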

Infrastructure

  • Hosting — dedicated server (not shared hosting) with firewall rules limiting access to application ports only.
  • Reverse proxy — Caddy with automatic TLS certificate management via Let's Encrypt.
  • Database — PostgreSQL with connection-level authentication and network isolation.
  • Content Security Policy — nonce-based CSP preventing XSS and injection attacks.

Access Controls

  • Developer tools are gated behind an isDeveloper flag — no accidental admin access.
  • Webhook endpoints validate signatures (Stripe) and secrets (n8n) before processing.
  • All user data queries are scoped by authenticated user ID — no cross-account data leakage.

Tips

  1. Enable push notifications for security events. MileIntel will alert you if your account is accessed from a new device.

Last updated March 22, 2026
