Platform Security
SECURITY.
Last updated: June 2025
The short version
Epicly is browser-only, collects almost no personal data, encrypts everything in transit, and was built with security as a first principle — not an afterthought. No app means no device permissions. No accounts for players means no data to steal.
Architecture Security
No app. No permissions.
Epicly runs entirely in the browser. No app installation means no camera, microphone, location or contact permissions are ever requested from player devices.
Browser sandbox
All player interaction is sandboxed within the browser. Epicly cannot access the file system, other apps, device sensors or any data outside the browser session.
No player accounts
Players have no accounts to compromise. There are no passwords, no emails, no stored personal data on players. A data breach cannot expose what was never collected.
Data In Transit
- All HTTP traffic served over HTTPS (TLS 1.3)
- All WebSocket connections over WSS (encrypted)
- HSTS headers enforced on all endpoints
- CORS headers restrict cross-origin requests
Authentication & Access
- Passwords hashed with bcrypt (cost factor 12)
- Authentication via signed JWTs (RS256)
- Tokens expire after 30 days
- Admin endpoints protected by a separate admin key
- No plain-text passwords ever stored or logged
- Password reset via time-limited secure tokens (1 hour expiry)
Infrastructure
- Server hosted on Railway (SOC 2 compliant infrastructure)
- Frontend hosted on Netlify (enterprise-grade CDN)
- PostgreSQL database with SSL-only connections
- Environment variables for all secrets — never in source code
- Automatic crash recovery with process-level error handling
- Database connection pooling with timeout protection
Input Validation & XSS Prevention
- All user-supplied content escaped before display
- Parameterised database queries throughout — no SQL injection risk
- Player names truncated to 30 characters maximum
- WebSocket messages validated before processing
- No innerHTML with user data — textContent used throughout
Game Session Security
- Room codes are randomly generated and short-lived
- Rooms cleaned up automatically after game completion
- All game state held in server memory — never exposed to clients
- Anti-cheat: answers verified server-side, not client-side
- Host role verified before any game control message is processed
AI Usage
- AI used only for question generation at game start
- No player data is ever sent to AI providers
- Anthropic API called server-side only — never from player devices
- API keys stored as environment variables — never in client code
Responsible Disclosure
If you discover a security vulnerability in Epicly, please report it responsibly. We take all security reports seriously and will respond promptly.
Email: security@epicly.live
Please do not publicly disclose vulnerabilities before giving us reasonable time to address them.