Security at ProposalSync
ProposalSync is designed to keep the workflow small and the data surface limited. Passwords are hashed with Werkzeug, sessions require a deployment-specific secret key, and all production deployments should run behind HTTPS.
All state-changing forms use CSRF protection. Public proposal tracking and Stripe webhooks are intentionally exempt from CSRF checks because they receive non-browser events and are separately rate-limited or signature-verified.
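The signature check that makes a CSRF-exempt webhook endpoint safe can be sketched as follows. This is an added example, not ProposalSync's own code: it follows Stripe's documented `Stripe-Signature` scheme (HMAC-SHA256 over `timestamp.body`), and the function names, the tolerance window, and the sample secret and event are assumptions constructed for illustration.

```python
import hashlib
import hmac
import time

TOLERANCE_SECONDS = 300  # assumed replay window (five minutes)


def verify_stripe_signature(payload, header, secret, now=None):
    """Return True only if the Stripe-Signature header authenticates the raw body."""
    timestamp, candidates = None, []
    for item in header.split(","):
        key, _, value = item.strip().partition("=")
        if key == "t":
            timestamp = value
        elif key == "v1":
            candidates.append(value)
    if not timestamp or not (timestamp.isascii() and timestamp.isdigit()) or not candidates:
        return False  # malformed header: fail closed
    # Reject stale events so a captured request cannot be replayed later.
    current = time.time() if now is None else now
    if abs(current - int(timestamp)) > TOLERANCE_SECONDS:
        return False
    # The sender signs "<timestamp>.<raw body>" with the endpoint's webhook secret.
    signed = timestamp.encode() + b"." + payload
    expected = hmac.new(secret.encode(), signed, hashlib.sha256).hexdigest()
    # compare_digest avoids leaking how many characters matched through timing.
    return any(hmac.compare_digest(expected.encode(), c.encode()) for c in candidates)


def sign_for_test(payload, secret, timestamp):
    """Hypothetical helper: build a header the way the sender would, for the sample below."""
    mac = hmac.new(secret.encode(), f"{timestamp}.".encode() + payload, hashlib.sha256)
    return f"t={timestamp},v1={mac.hexdigest()}"


# Constructed sample secret and event, not real Stripe data.
SAMPLE_SECRET = "whsec_constructed_example"
SAMPLE_BODY = b'{"type":"checkout.session.completed","id":"evt_constructed"}'
SAMPLE_TIME = 1_700_000_000
SAMPLE_HEADER = sign_for_test(SAMPLE_BODY, SAMPLE_SECRET, SAMPLE_TIME)

if __name__ == "__main__":
    ok = verify_stripe_signature(SAMPLE_BODY, SAMPLE_HEADER, SAMPLE_SECRET, now=SAMPLE_TIME + 10)
    print("signature valid:", ok)
```

The check must run on the raw request bytes before any JSON parsing or re-serialization, since any change to the body invalidates the MAC. Stripe's official Python library performs the same verification in `stripe.Webhook.construct_event`.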
Stripe handles card data on hosted checkout pages. ProposalSync records payment status and proposal deposit metadata, but does not store card numbers.
Public proposal links use random share slugs. Treat them like private links: anyone with the URL can view the proposal. Agency branding removal does not change this access model.
Recommended production settings: strong SECRET_KEY, managed PostgreSQL, Stripe webhook secret, SendGrid key, HTTPS-only hosting, and scheduled digest execution in a single cron/worker process.
Report security issues to support@proposalsync.online with enough detail to reproduce the issue.