Security

A summary of how VentureBeast.Tech protects readers, contributors, and reader data — and how to disclose a vulnerability if you find one.

Transport & browser security

HTTPS everywhere with HSTS preload (max-age=63072000; includeSubDomains; preload).
Content Security Policy (CSP) with framed-ancestor lockdown, object-src none, and an active /api/csp-report endpoint for violation reporting.
Strict frame ancestry: X-Frame-Options: DENY and frame-ancestors 'none'.
Permissions Policy: camera, microphone, geolocation, and FLoC/Topics all disabled.
Cross-Origin-Opener-Policy: same-origin.

Application security

All article HTML is sanitized via an allowlist before render (lib/sanitize.ts); no <script>, inline event handlers, or arbitrary iframes are allowed.
Postgres row-level security (RLS) on every table; UPDATE policies pair USING with WITH CHECK to prevent column-level escalation.
Server actions parse all mutation inputs through zod schemas at the boundary before reaching the database.
Per-user rate limiting on comments and reactions; per-IP rate limiting on newsletter signup, page views, affiliate clicks, and CSP reports.
OAuth callbacks reject any redirect target that escapes the same-origin boundary.
Soft deletes (deleted_at) and an immutable audit log for sensitive mutations.

Anti-scraping & bot policy

Major AI training and answer-engine crawlers are explicitly allowed in /robots.txt with a 1-second crawl delay.
Hostile scrapers (Bytespider, PetalBot, AhrefsBot, SemrushBot, MJ12bot, DotBot) and tools with empty or commodity user-agents are blocked.
Image hotlink protection on the /_next/image endpoint.

Accessibility

We hold ourselves to WCAG 2.1 AA — see the accessibility statement for details.

Vulnerability disclosure

If you believe you have found a security vulnerability, please email security@venturebeast.tech with a description and reproduction steps. We respond within 72 hours and will coordinate a disclosure timeline with you.

Please do not test in ways that degrade service for other users (no DoS, no mass scanning, no social engineering of staff or readers). Machine-readable policy at /.well-known/security.txt.

Transport & browser security

HTTPS everywhere with HSTS preload (max-age=63072000; includeSubDomains; preload).

Content Security Policy (CSP) with framed-ancestor lockdown, object-src none, and an active /api/csp-report endpoint for violation reporting.

Strict frame ancestry: X-Frame-Options: DENY and frame-ancestors 'none'.

Permissions Policy: camera, microphone, geolocation, and FLoC/Topics all disabled.

Cross-Origin-Opener-Policy: same-origin.

Application security

All article HTML is sanitized via an allowlist before render (lib/sanitize.ts); no <script>, inline event handlers, or arbitrary iframes are allowed.

Postgres row-level security (RLS) on every table; UPDATE policies pair USING with WITH CHECK to prevent column-level escalation.

Server actions parse all mutation inputs through zod schemas at the boundary before reaching the database.

Per-user rate limiting on comments and reactions; per-IP rate limiting on newsletter signup, page views, affiliate clicks, and CSP reports.

OAuth callbacks reject any redirect target that escapes the same-origin boundary.

Soft deletes (deleted_at) and an immutable audit log for sensitive mutations.

Anti-scraping & bot policy

Major AI training and answer-engine crawlers are explicitly allowed in /robots.txt with a 1-second crawl delay.

Hostile scrapers (Bytespider, PetalBot, AhrefsBot, SemrushBot, MJ12bot, DotBot) and tools with empty or commodity user-agents are blocked.

Image hotlink protection on the /_next/image endpoint.

Vulnerability disclosure

Please do not test in ways that degrade service for other users (no DoS, no mass scanning, no social engineering of staff or readers). Machine-readable policy at /.well-known/security.txt.