Security at EasyAds
Last updated: 25 March 2026
Found a vulnerability?
If you discover a security issue, please report it responsibly to us before disclosing it publicly. We will acknowledge your report within 2 business days and keep you informed of our progress.
Our Security Practices
Security is built into EasyAds at the infrastructure, application, and data layers. The following measures are in place:
- Passwords are hashed with bcrypt (cost factor 12) - plaintext passwords are never stored or logged
- Session tokens are stored in httpOnly, Secure, SameSite=Lax cookies - not accessible to JavaScript
- Google OAuth is supported as an alternative to password login
- Rate limiting is applied to registration and login endpoints
Connected Account Security
- Meta OAuth state is HMAC-SHA256 signed and bound to the authenticated user, preventing CSRF attacks on the connect flow
- Meta access tokens are encrypted at rest using AES-256-GCM before database storage
- Token expiry is tracked and displayed in account settings
- Tokens are never logged or included in API responses
- API keys are stored as SHA-256 hashes - the raw key is shown only once at creation and cannot be recovered
- Key creation and revocation require owner or admin role
- Each workspace is limited to 5 active keys
- lastUsedAt timestamps are tracked for each key
- All authenticated endpoints verify workspace membership on every request
- Uploaded files (brand assets, logos) require authentication and workspace membership to access - they are not publicly retrievable
- Admin-only features require an explicit role check
- All connections use TLS 1.2 or higher
- HTTP Strict Transport Security (HSTS) is set in production
- Security headers are applied to all responses: CSP, X-Content-Type-Options, X-Frame-Options, Referrer-Policy, Permissions-Policy
- Stripe webhook signatures are verified on every event using the Stripe SDK
- Duplicate event delivery is detected and skipped to prevent double-processing
- Card numbers and payment credentials are never stored by EasyAds - Stripe handles all payment data
- File type is validated using both MIME type declaration and magic byte inspection (for images)
- File extensions are derived from the validated MIME type, not the client-supplied filename
- Maximum file sizes are enforced server-side (10 MB images, 200 MB video)
- Upload directories are isolated per workspace
- Files are deleted when the workspace is deleted
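As an added illustration of the HMAC-SHA256 signed, user-bound OAuth state described under Connected Account Security above (example code written for this page, not EasyAds' own implementation; the secret, TTL, payload field names and function names are assumptions), the following shows how such a state is issued before redirecting to the provider and how the callback rejects a state that was forged, expired, or issued for a different logged-in user:

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional, Tuple

# Constructed placeholder for this example; a real deployment loads this from secret storage.
STATE_SECRET = b"example-only-server-secret"
STATE_TTL_SECONDS = 600  # assumed lifetime for a pending connect flow


def _b64u(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64u(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_state(user_id: str, workspace_id: str, now: Optional[float] = None) -> str:
    """Build "<payload>.<tag>" where the payload names the user who started the flow."""
    ts = time.time() if now is None else now
    payload = {"uid": user_id, "ws": workspace_id,
               "nonce": secrets.token_hex(16), "exp": int(ts + STATE_TTL_SECONDS)}
    body = _b64u(json.dumps(payload, separators=(",", ":")).encode())
    tag = hmac.new(STATE_SECRET, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{tag}"


def verify_state(state: str, session_user_id: str, now: Optional[float] = None) -> Tuple[bool, str]:
    """Return (ok, detail). Check the tag before parsing, then the user binding, then expiry."""
    parts = state.split(".", 1)
    if len(parts) != 2:
        return False, "malformed"
    body, tag = parts
    expected = hmac.new(STATE_SECRET, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):  # constant-time comparison
        return False, "bad signature"
    try:
        payload = json.loads(_unb64u(body))
    except (ValueError, UnicodeDecodeError):
        return False, "malformed"
    if payload.get("uid") != session_user_id:  # the CSRF case: state from another session
        return False, "state not bound to this session"
    ts = time.time() if now is None else now
    if ts > payload.get("exp", 0):
        return False, "expired"
    return True, payload["ws"]  # the workspace the provider tokens should be attached to
```

A production callback would additionally record each nonce as consumed so a state cannot be replayed within its lifetime.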
Responsible Disclosure Policy
We welcome responsible disclosure of security vulnerabilities. If you discover a vulnerability in EasyAds, please:
- Email your report to help@goeasyads.com with the subject line "Security Vulnerability Report"
- Include a clear description of the vulnerability, steps to reproduce, and the potential impact
- Allow us reasonable time to investigate and fix the issue before public disclosure (we aim for 30 days)
- Do not access, modify, or delete user data beyond what is necessary to demonstrate the vulnerability
- Do not conduct denial-of-service attacks, social engineering, or physical security tests
What to expect from us:
- Acknowledgement within 2 business days
- An initial assessment and severity classification within 7 days
- Regular updates as we work to resolve the issue
- Credit in our security acknowledgements (if you wish to be named)
- We do not currently offer a bug bounty programme, but we deeply appreciate the security community's contributions
Out of Scope
The following are out of scope for vulnerability reports:
- Denial-of-service attacks
- Social engineering of staff or users
- Physical attacks against our infrastructure
- Issues in third-party services we use (Stripe, Meta, Google, Anthropic) - please report those to the respective vendors
- Clickjacking on pages with no sensitive actions
- Missing rate limiting on endpoints with no security impact
- Reports generated purely by automated scanners without manual validation
Sub-processor Security
We work with carefully selected sub-processors that maintain their own security certifications and practices. See our Privacy Policy for the full sub-processor list.
Contact
For security matters: help@goeasyads.com
For general privacy matters, see our Privacy Policy.