TRUST / SECURITY
What's actually in place.
Omega Digital is a one-person operation launched in April 2026. This page documents the security controls that are verifiably in place, not aspirational claims.
01 Application security
- Password hashing
- argon2id with memory=19456, iterations=2, parallelism=1, which is the current OWASP recommendation. A dummy hash is verified for unknown users so that login timing does not act as an oracle for whether an account exists.
- Session management
- Sessions are 32-byte cryptographically random IDs stored in SQLite. Cookies: httpOnly, Secure in production, SameSite=Lax. 30-day expiry. Sessions purged on server startup.
- Input validation
- Zod schemas validate all API request bodies. SQL uses better-sqlite3 prepared statements, no string interpolation.
- Rate limiting
- Login endpoint: 5 attempts per 5 minutes per IP. Sliding-window, in-memory. Because the counters live in memory, the limiter fails open on server restart (acceptable trade-off).
- CSRF
- API endpoints require Content-Type: application/json. Astro blocks cross-site form POST submissions by default. No custom CSRF token needed for JSON APIs.
- Dependency tracking
- npm audit is run on each deployment. We do not knowingly ship packages with known vulnerabilities.
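The sliding-window limit described under "Rate limiting" can be sketched as below. This is an added example, not Omega Digital's code: the class, method and field names are hypothetical, the IP address is a constructed value from the documentation range, and leaving blocked attempts unrecorded is a design choice of this sketch.

```javascript
// Added example: in-memory sliding-window limiter, 5 attempts per 5 minutes per IP.
const WINDOW_MS = 5 * 60 * 1000;
const MAX_ATTEMPTS = 5;

class SlidingWindowLimiter {
  constructor(max = MAX_ATTEMPTS, windowMs = WINDOW_MS) {
    this.max = max;
    this.windowMs = windowMs;
    this.hits = new Map(); // ip -> ascending array of attempt timestamps (ms)
  }

  // Records an attempt and reports whether it is allowed.
  // `now` is injectable so the window can be exercised without waiting.
  attempt(ip, now = Date.now()) {
    const cutoff = now - this.windowMs;
    const recent = (this.hits.get(ip) || []).filter((t) => t > cutoff);
    if (recent.length >= this.max) {
      // Blocked attempts are not recorded; the oldest hit decides the retry time.
      this.hits.set(ip, recent);
      return { allowed: false, retryAfterMs: recent[0] + this.windowMs - now };
    }
    recent.push(now);
    this.hits.set(ip, recent);
    return { allowed: true, retryAfterMs: 0 };
  }

  // Drops IPs with no attempts left in the window so the Map stays bounded.
  sweep(now = Date.now()) {
    const cutoff = now - this.windowMs;
    for (const [ip, times] of this.hits) {
      if (!times.some((t) => t > cutoff)) this.hits.delete(ip);
    }
    return this.hits.size;
  }
}

// Constructed scenario: six attempts one second apart from a single IP.
function demo() {
  const ip = "203.0.113.7";
  const t0 = 1000000;
  const limiter = new SlidingWindowLimiter();
  const results = [];
  for (let i = 0; i < 6; i++) results.push(limiter.attempt(ip, t0 + i * 1000));
  // Only the oldest hit has aged out here, so exactly one slot is free again.
  const afterWindow = limiter.attempt(ip, t0 + WINDOW_MS + 1).allowed;
  // A restart is a fresh instance with no history: the limiter fails open.
  const afterRestart = new SlidingWindowLimiter().attempt(ip, t0 + 6000).allowed;
  return { results, afterWindow, afterRestart, tracked: limiter.sweep(t0 + 3 * WINDOW_MS) };
}
```

Calling `sweep` on a timer keeps memory bounded when many distinct IPs touch the login endpoint.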
02 Transport and data
- TLS
- TLS 1.3 enforced via Traefik with securetls@file middleware. TLS 1.0 and 1.1 disabled. HSTS applied.
- Encryption at rest
- SQLite database file stored on the server. Full-disk encryption depends on the underlying VPS provider's configuration.
- Backups
- Database is a single SQLite file at $DB_PATH. Backup strategy is the customer's responsibility to configure; we do not run automatic managed backups at launch.
- Data minimisation
- We store: email, first name, last name, optional company, argon2id password hash. No payment card data is stored; no card processing is live.
03 Infrastructure
- Hosting
- Deployed on tier-1 partnered infrastructure via Docker + Traefik. Physical security, power redundancy, and network connectivity are provided by the datacenter operator.
- Network controls
- Traefik handles TLS termination and routing. Security response headers applied globally. Cloudflare sits in front for DDoS mitigation on the deploy domain.
- Access control
- Server access is SSH key only, no password login. Principle of least privilege applied. This is a one-person operation: no shared credentials.
04 Vulnerability disclosure
- Reporting
- Email [email protected] with a description and reproduction steps. We aim to acknowledge within one business day.
- Remediation commitment
- We commit to patching confirmed critical vulnerabilities within 7 days. We will not pursue legal action against good-faith researchers.
- Public disclosure
- We support coordinated disclosure. If you find something, give us a chance to fix it before publishing.
05 Incident response
How we handle problems.
This is a one-person operation. There's no on-call rotation. When something breaks, the founder investigates and fixes it. No escalation maze, no ticket handoff, no 15-minute SLA before a human looks at it.
- Detection
- Status page monitoring. Uptime alerts when a service goes dark. Collecting data since April 2026.
- Response
- Notified directly. Investigation begins immediately during waking hours.
- Communication
- Incidents posted on the status page. Affected customers emailed once email infrastructure is live.
- Post-mortem
- Published on the status page for any outage that affects customer services.
Security contact
Vulnerability reports and security questions: [email protected]. We also publish a security.txt.