Application Security
Last reviewed: April 2026
Secure development lifecycle
Application development follows our internal Application Security and SDLC Policy. Every code change requires a pull request review by another engineer before merging to the main branch. Production environments are separated from staging and development; secrets and credentials are never reused across environments.
Dependency management
Dependency vulnerabilities are tracked via GitHub Dependabot on every pull request. Critical and high severity vulnerabilities are remediated according to the timelines in our incident response policy.
Static analysis
Static application security testing runs on every pull request via Semgrep Community Edition in GitHub Actions. Findings are triaged by the engineering lead and remediated according to severity.
Secrets management
Secrets are stored in platform-native vaults (Vercel, Railway, Supabase) with no plaintext credentials in source control. Secret access is logged by each provider. Pre-commit hooks block accidental secret commits.
OWASP Top 10 alignment
Our SDLC explicitly addresses the OWASP Top 10:2021 web application risks: broken access control, cryptographic failures, injection, insecure design, security misconfiguration, vulnerable and outdated components, identification and authentication failures, software and data integrity failures, security logging and monitoring failures, and server-side request forgery (SSRF). Code review checklists reference each risk class.
Reporting a security issue
If you believe you have found a security vulnerability in any User Intuition application, please email security@userintuition.ai. Our coordinated vulnerability disclosure timeline and remediation SLAs are documented on the incident response page.
Web application security headers
The User Intuition marketing website enforces the following HTTP security headers in production:
- Strict-Transport-Security: max-age=63072000; includeSubDomains; preload (HSTS preloaded)
- Content-Security-Policy: default-src 'self' with explicit allowlists for analytics, scheduling, and integrations (the 'self' keyword is quoted; unquoted, CSP treats it as a host named self)
- X-Frame-Options: DENY (clickjacking protection)
- X-Content-Type-Options: nosniff (MIME sniffing protection)
- Referrer-Policy: strict-origin-when-cross-origin
- Permissions-Policy: camera=(), microphone=(), geolocation=() (each feature disabled for every origin, including the site itself)
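The list above is the policy; a practitioner also wants a repeatable check that a deploy still meets it. The following Python script is an added example, not code from User Intuition, and runs against a header dictionary of the kind requests or curl returns. It encodes the three HSTS preload-list requirements (max-age of at least one year, includeSubDomains, preload), the CSP fallback rule (script-src inherits default-src when absent), the 'unsafe-inline' and wildcard checks, and the exact values for the remaining headers. The sample header sets are constructed here; the analytics host in the CSP is an assumption, since the page only states that allowlists exist.

```python
"""Check HTTP response headers against the header policy listed above."""
from typing import Dict, List, Tuple

Finding = Tuple[str, str]  # ("fail" | "info", message)

HSTS_PRELOAD_MIN_AGE = 31536000  # hstspreload.org requires a max-age of at least one year

# Headers that must match exactly (compared case-insensitively).
REQUIRED_EXACT = {
    "x-frame-options": "DENY",
    "x-content-type-options": "nosniff",
    "referrer-policy": "strict-origin-when-cross-origin",
}
DENIED_FEATURES = ("camera", "microphone", "geolocation")


def parse_csp(value: str) -> Dict[str, List[str]]:
    """Split a CSP value into {directive: [source expressions]}."""
    directives: Dict[str, List[str]] = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def check_hsts(value: str) -> List[Finding]:
    """Apply the preload-list requirements to a Strict-Transport-Security value."""
    findings: List[Finding] = []
    directives: Dict[str, str] = {}
    for part in value.split(";"):
        name, _, val = part.strip().partition("=")
        directives[name.strip().lower()] = val.strip()
    try:
        max_age = int(directives.get("max-age") or "0")
    except ValueError:
        max_age = 0
    if max_age < HSTS_PRELOAD_MIN_AGE:
        findings.append(("fail", f"HSTS max-age={max_age} is below the one-year preload minimum"))
    if "includesubdomains" not in directives:
        findings.append(("fail", "HSTS lacks includeSubDomains (required for preload)"))
    if "preload" not in directives:
        findings.append(("fail", "HSTS lacks the preload directive"))
    return findings


def check_csp(value: str) -> List[Finding]:
    """Flag the CSP weaknesses that most often creep in: wildcards and inline script."""
    findings: List[Finding] = []
    d = parse_csp(value)
    if "default-src" not in d:
        return [("fail", "CSP has no default-src fallback")]
    if "*" in d["default-src"]:
        findings.append(("fail", "CSP default-src allows any origin (*)"))
    script_src = d.get("script-src", d["default-src"])  # script-src falls back to default-src
    has_nonce_or_hash = any(t.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-")) for t in script_src)
    if "'unsafe-inline'" in script_src and not has_nonce_or_hash:
        findings.append(("fail", "CSP script-src allows 'unsafe-inline' without a nonce or hash"))
    if "*" in script_src or "https:" in script_src:
        findings.append(("fail", "CSP script-src allows scripts from any origin"))
    if "frame-ancestors" not in d:
        findings.append(("info", "CSP sets no frame-ancestors; X-Frame-Options is the only clickjacking control"))
    return findings


def check_headers(headers: Dict[str, str]) -> List[Finding]:
    """Run every check over a response header set; header names are case-insensitive."""
    h = {k.lower(): v for k, v in headers.items()}
    findings: List[Finding] = []
    if "strict-transport-security" in h:
        findings += check_hsts(h["strict-transport-security"])
    else:
        findings.append(("fail", "Strict-Transport-Security missing"))
    if "content-security-policy" in h:
        findings += check_csp(h["content-security-policy"])
    else:
        findings.append(("fail", "Content-Security-Policy missing"))
    for name, expected in REQUIRED_EXACT.items():
        got = h.get(name)
        if got is None:
            findings.append(("fail", f"{name} missing"))
        elif got.strip().lower() != expected.lower():
            findings.append(("fail", f"{name} is {got!r}, expected {expected!r}"))
    policy = h.get("permissions-policy", "").replace(" ", "")
    for feature in DENIED_FEATURES:
        if f"{feature}=()" not in policy:
            findings.append(("fail", f"Permissions-Policy does not disable {feature}"))
    return findings


# Constructed sample 1: the header set this page describes. The analytics host
# in the CSP is an assumption; the page only says explicit allowlists exist.
PAGE_HEADERS = {
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
    "Content-Security-Policy": "default-src 'self'; script-src 'self' https://analytics.example; connect-src 'self' https://analytics.example",
    "X-Frame-Options": "DENY",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Permissions-Policy": "camera=(), microphone=(), geolocation=()",
}

# Constructed sample 2: a weakened set of the kind a misconfigured deploy produces.
WEAK_HEADERS = {
    "strict-transport-security": "max-age=300",
    "content-security-policy": "default-src *; script-src 'self' 'unsafe-inline'",
    "x-frame-options": "SAMEORIGIN",
    "referrer-policy": "strict-origin-when-cross-origin",
    "permissions-policy": "camera=(self)",
}

if __name__ == "__main__":
    for label, hdrs in (("page", PAGE_HEADERS), ("weak", WEAK_HEADERS)):
        for level, message in check_headers(hdrs):
            print(f"[{label}] {level}: {message}")
```

Against the page's own header set the script reports no failures and one informational note: because the CSP described here carries no frame-ancestors directive, X-Frame-Options is doing all of the clickjacking work, which is worth knowing if that header is ever relaxed to SAMEORIGIN for an embedded widget. To run it against the live site, replace the sample dictionaries with `dict(requests.head(url).headers)`.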