Security at LiveSlide.Pro

Workshop personalization works only if presenters and participants trust the service with their data. Here is what we do.

Authentication and access

• Email/password accounts use bcrypt with cost factor 12.
• Sign-in with Google uses standard OAuth 2.0 with state verification.
• Session cookies are HttpOnly, Secure (in production), and SameSite=Lax.
• Account lockout after 5 failed attempts; 15-minute cooldown.
• CSRF protection on every form (token + double-submit pattern).

Data in transit and at rest

• TLS 1.2+ on every connection.
• HSTS with preload directive in production.
• Database connections use TLS where supported by the host.
• Google OAuth refresh tokens stored in a separate, restricted-access table.

Application security

• Strict Content Security Policy with per-request nonces for inline scripts.
• X-Frame-Options: DENY (we do not embed in third-party iframes).
• Input validation at every boundary; prepared statements for every SQL query.
• HTML-escaping enforced by helper functions on all output.
• Honeypot field on public forms to catch bots.
• Per-IP rate limiting on submissions, login attempts, password resets, and contact forms.

Privacy by design

• Participants do not need an account or email.
• IP addresses are stored as SHA-256 hashes only, never raw.
• Default 30-day retention with automatic anonymization.
• Drive scope limited to drive.file — we only access decks our app creates.

Reporting a vulnerability

If you believe you have found a security issue, please email security@liveslide.pro. We will acknowledge within 48 hours and aim to resolve verified issues within 30 days. We do not pursue legal action against good-faith researchers.