Our Security Practices
- HTTPS everywhere — nexray.in is served exclusively over HTTPS with HSTS
- Cloudflare protection — DDoS protection, WAF, and CDN via Cloudflare
- Firebase Authentication — we use Google's Firebase for authentication, so we store no passwords ourselves
- No sensitive data — We store only your name, email, and learning progress
- Content Security Policy — CSP headers prevent XSS attacks
Responsible Disclosure
If you discover a security vulnerability on nexray.in, please:
- Email dev@nexray.in with a detailed description
- Include steps to reproduce the vulnerability
- Give us a reasonable time to fix it before public disclosure
- Do not exploit the vulnerability or access other users' data
Scope
In scope: nexray.in and all its subdomains. Out of scope: Third-party services we use (Firebase, Cloudflare) — report these to their respective security teams.
Security Headers
We implement the following security headers on all responses:
- Strict-Transport-Security (HSTS)
- X-Frame-Options: DENY
- X-Content-Type-Options: nosniff
- Referrer-Policy: strict-origin-when-cross-origin
- Content-Security-Policy
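As an added example (not nexray.in's own code), the following Python checker reads a set of response headers and reports any deviation from the header list above. The sample response, the CSP value in it, and the one-year HSTS max-age minimum are assumptions; the page names the headers but not their values.

```python
"""Check a set of HTTP response headers against the policy listed above.

Added example, not the site's own code. SAMPLE_HEADERS is a constructed
response; the CSP value and the HSTS minimum are assumptions.
"""

from typing import Dict, List

# Constructed sample of what a compliant response might carry.
SAMPLE_HEADERS: Dict[str, str] = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "X-Frame-Options": "DENY",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Content-Security-Policy": "default-src 'self'",
}

# Assumption: one year is the minimum HSTS max-age we accept; the page
# does not state a value.
MIN_HSTS_MAX_AGE = 31536000


def parse_hsts(value: str) -> Dict[str, object]:
    """Split an HSTS header into its directives (names lowercased)."""
    directives: Dict[str, object] = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" in part:
            name, val = part.split("=", 1)
            directives[name.strip().lower()] = val.strip()
        else:
            directives[part.lower()] = True
    return directives


def check_headers(headers: Dict[str, str]) -> List[str]:
    """Return a list of findings; an empty list means the policy is met."""
    lower = {k.lower(): v for k, v in headers.items()}
    findings: List[str] = []

    hsts = lower.get("strict-transport-security")
    if hsts is None:
        findings.append("missing Strict-Transport-Security")
    else:
        directives = parse_hsts(hsts)
        try:
            max_age = int(str(directives.get("max-age", "0")))
        except ValueError:
            max_age = -1
        if max_age < MIN_HSTS_MAX_AGE:
            findings.append(f"HSTS max-age {max_age} below {MIN_HSTS_MAX_AGE}")

    # Exact-value headers: the policy names one acceptable value for each.
    expected = {
        "x-frame-options": "DENY",
        "x-content-type-options": "nosniff",
        "referrer-policy": "strict-origin-when-cross-origin",
    }
    for name, want in expected.items():
        got = lower.get(name)
        if got is None:
            findings.append(f"missing {name}")
        elif got.strip().lower() != want.lower():
            findings.append(f"{name} is {got.strip()!r}, expected {want!r}")

    # The page only requires that a CSP is present; its content is site-specific.
    if not lower.get("content-security-policy", "").strip():
        findings.append("missing Content-Security-Policy")

    return findings


if __name__ == "__main__":
    for finding in check_headers(SAMPLE_HEADERS) or ["all headers present"]:
        print(finding)
```

Header names are matched case-insensitively because HTTP header names are, and HSTS is parsed rather than string-compared so a reordered directive list or extra whitespace does not produce a false finding.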
Bug Bounty
We do not currently operate a paid bug bounty program. Responsible reporters will receive acknowledgment and a credit on this page.