Security & Privacy
We take security seriously. Here's how we protect your data and ensure safe processing.
1. Authentication & Authorization
What it does: Firebase Authentication verifies user identity and issues short-lived, signed ID tokens (JWTs) that the client presents on every API call.
Why it matters: Ensures only verified users can access the service and prevents unauthorized API calls.
Implementation: Email verification is required before any file is processed. Each API request validates the Firebase ID token server-side (signature, expiry and issuing project) before any work is done; a request without a valid token is rejected.
Protection against: Unauthorized access, account takeover, API abuse
2. Rate Limiting
What it does: Limits requests per client IP address, with separate caps for each group of endpoints and one cap across all endpoints combined.
- 50 conversions per hour
- 10 account operations per hour
- 10 checkout attempts per hour
- 200 requests per hour across all endpoints combined
Why it matters: Throttles request floods, credential stuffing and automated abuse from any single source so that one client cannot consume the service's capacity. Per-IP limits do not by themselves stop a distributed attack, and they treat everyone behind a shared NAT as one client; they are one layer alongside the authentication requirement and the processing timeout.
Protection against: Request floods from individual sources, brute force attempts, resource exhaustion
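The limits above combine a per-category cap with a per-client global cap over a one-hour window. The following is an added illustration, not the service's own code: an in-memory sliding-window limiter with the page's numbers. The bucket names, the class API and the injectable clock are assumptions made for the example. Note that in-memory state lives in one Cloud Run instance; once the service scales to several instances, the counters need a shared store (Redis, Firestore or similar) or each instance enforces the limit independently.

```python
import time
from collections import defaultdict, deque

# Added example (not the service's own code). Window and limits follow the page;
# bucket names are assumptions.
WINDOW_SECONDS = 3600
LIMITS = {
    "conversion": 50,
    "account": 10,
    "checkout": 10,
}
GLOBAL_LIMIT = 200


class RateLimiter:
    """Sliding-window limiter: keeps the timestamps of recent hits per
    (client, bucket) and rejects a request once either the bucket cap or the
    client's global cap is reached within the window."""

    def __init__(self, limits=LIMITS, global_limit=GLOBAL_LIMIT,
                 window=WINDOW_SECONDS, clock=time.monotonic):
        self.limits = limits
        self.global_limit = global_limit
        self.window = window
        self.clock = clock                  # injectable so tests are deterministic
        self._hits = defaultdict(deque)     # (client, bucket) -> deque of timestamps

    def _prune(self, hits, now):
        # Drop timestamps that have aged out of the window.
        while hits and now - hits[0] >= self.window:
            hits.popleft()

    def allow(self, client, bucket):
        """Return True and record the hit if the request is within limits,
        otherwise False without recording anything."""
        if bucket not in self.limits:
            raise ValueError(f"unknown rate-limit bucket: {bucket}")
        now = self.clock()
        bucket_hits = self._hits[(client, bucket)]
        global_hits = self._hits[(client, "*")]
        self._prune(bucket_hits, now)
        self._prune(global_hits, now)
        if len(bucket_hits) >= self.limits[bucket]:
            return False
        if len(global_hits) >= self.global_limit:
            return False
        bucket_hits.append(now)
        global_hits.append(now)
        return True
```

A rejected request is not recorded, so a client that keeps hammering a closed bucket does not push its window further into the future; whether that is desirable is a policy choice.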
3. File Upload Security
What it does: Multi-layer validation of uploaded files.
- Browser-Side Security: Selected files remain in your browser's memory on your device until you click "Convert" - they are never sent anywhere until you explicitly upload them
- Magic Bytes Check: Verifies files start with the %PDF signature
- Size Limits: 100MB maximum file size, minimum 100 bytes
- Filename Sanitization: Removes dangerous characters using secure_filename()
- Empty File Detection: Rejects zero-byte uploads
Why it matters: Rejects files that are not PDFs, strips filenames that could be used for path traversal, and bounds the resources a single upload can consume. Your files stay private on your device until you're ready to process them. A signature check only confirms that the file claims to be a PDF; it does not detect malicious content inside a structurally valid PDF, which is why conversion also runs in an isolated directory under a timeout (section 8).
Protection against: Disguised non-PDF uploads, path traversal via crafted filenames, oversized or empty uploads, file-based exploits
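The checks listed above are easiest to reason about when applied in a fixed order on the raw bytes. The code below is an added example, not the service's own code: it implements the size bounds, the %PDF signature check and filename sanitization as described, plus an extension check that the page does not mention and is included here as an assumption. The sanitizer is a simplified stand-in for werkzeug's secure_filename(), which the page names; the sample inputs are constructed for the example.

```python
import re
import unicodedata

# Added example (not the service's own code). Bounds follow the page.
MIN_BYTES = 100
MAX_BYTES = 100 * 1024 * 1024
PDF_MAGIC = b"%PDF"


class UploadRejected(ValueError):
    """Raised with a short, client-safe reason when a file fails validation."""


def sanitize_filename(name):
    """Simplified stand-in for werkzeug.utils.secure_filename(): keeps only the
    last path component, ASCII-folds the name, and drops everything outside a
    conservative character set so the result cannot escape a directory."""
    name = unicodedata.normalize("NFKD", name).encode("ascii", "ignore").decode()
    # Treat both separator styles as path components and keep only the last one.
    name = name.replace("\\", "/").rsplit("/", 1)[-1]
    name = re.sub(r"\s+", "_", name)
    name = re.sub(r"[^A-Za-z0-9_.-]", "", name)
    # Leading dots could form ".." or a hidden file; strip them.
    name = name.lstrip(".")
    return name or "upload.pdf"   # fallback name is an assumption of this example


def validate_pdf_upload(filename, data):
    """Apply the checks in order: name/extension, emptiness, size bounds,
    magic bytes. Returns the sanitized filename or raises UploadRejected."""
    safe_name = sanitize_filename(filename)
    if not safe_name.lower().endswith(".pdf"):
        raise UploadRejected("only .pdf files are accepted")
    if len(data) == 0:
        raise UploadRejected("empty file")
    if len(data) < MIN_BYTES:
        raise UploadRejected("file too small to be a valid PDF")
    if len(data) > MAX_BYTES:
        raise UploadRejected("file exceeds 100MB limit")
    if not data.startswith(PDF_MAGIC):
        raise UploadRejected("not a PDF (bad signature)")
    return safe_name


def rejection_reason(filename, data):
    """Convenience wrapper: None if the upload is accepted, else the reason."""
    try:
        validate_pdf_upload(filename, data)
    except UploadRejected as exc:
        return str(exc)
    return None


# Constructed sample inputs (not real uploads).
GOOD_PDF = b"%PDF-1.4\n%" + b"\x00" * 120 + b"\n%%EOF\n"   # 137 bytes, valid header
FAKE_PDF = b"MZ" + b"\x00" * 200                            # PE header renamed to .pdf
```

The reason strings are deliberately generic so they can be returned to the client even in production (section 6); the full exception detail belongs in server logs only.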
4. CORS (Cross-Origin Resource Sharing)
What it does: Restricts which domains can make API requests to the backend.
Why it matters: A browser will not let a page served from an unlisted origin read responses from the API, so other websites cannot use a visitor's browser to pull data out of the backend.
Implementation: Environment-based origin whitelist via ALLOWED_ORIGINS. Production allows only the application's own domain; the allowed origin is matched exactly, never by substring or wildcard.
Protection against: Unauthorized cross-origin reads of API responses by other websites. CORS is not a CSRF defense on its own; cross-site requests are blocked here because every API call must also carry a valid Firebase ID token (section 1).
5. Security Headers
What it does: Adds HTTP headers that tell browsers how to handle security.
- X-Content-Type-Options: nosniff - Prevents MIME-type confusion attacks
- X-Frame-Options: DENY - Prevents clickjacking via iframes
- X-XSS-Protection: 1; mode=block - Enables the XSS filter in older browsers (current Chromium and Firefox ignore this header; it is kept for legacy clients and is not a substitute for output encoding)
- Strict-Transport-Security (HTTPS only) - Forces HTTPS connections
Why it matters: Provides defense-in-depth against common web attacks.
Protection against: XSS, clickjacking, MIME sniffing, protocol downgrade attacks
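Sections 4 and 5 are both about the headers attached to each API response, so one added example covers them. This is not the service's own code; the allowlist value, the HSTS max-age and the function names are assumptions. The origin comparison is the part worth getting right: comparing with a substring or prefix test ("example.com" in origin) lets https://app.example.com.evil.net through, so the check normalizes scheme and host and requires an exact match against the allowlist.

```python
from urllib.parse import urlsplit

# Added example (not the service's own code). Constructed allowlist standing in
# for the ALLOWED_ORIGINS environment variable.
ALLOWED_ORIGINS = ["https://app.example.com"]


def _normalize(origin):
    """Return 'scheme://host[:port]' in lowercase, or None if the value is not a
    plain origin (the Origin header never carries a path, query or fragment)."""
    parts = urlsplit(origin)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        return None
    if parts.path or parts.query or parts.fragment:
        return None
    return f"{parts.scheme.lower()}://{parts.netloc.lower()}"


def origin_allowed(origin, allowed=ALLOWED_ORIGINS):
    """Exact-match allowlist check. Substring checks are a classic CORS bypass."""
    norm = _normalize(origin or "")
    if norm is None:
        return False
    return norm in {_normalize(a) for a in allowed}


def response_headers(request_origin, is_https=True, allowed=ALLOWED_ORIGINS):
    """Security headers for every response, plus CORS headers only when the
    request's Origin is on the allowlist."""
    headers = {
        "X-Content-Type-Options": "nosniff",
        "X-Frame-Options": "DENY",
        # Legacy header: current Chromium and Firefox ignore it. Listed because the
        # page sets it; it does not replace output encoding.
        "X-XSS-Protection": "1; mode=block",
    }
    if is_https:
        # max-age is an assumption of this example (one year).
        headers["Strict-Transport-Security"] = "max-age=31536000; includeSubDomains"
    if origin_allowed(request_origin, allowed):
        # Echo only an allowlisted origin, never "*", and tell caches the
        # response depends on the Origin header.
        headers["Access-Control-Allow-Origin"] = _normalize(request_origin)
        headers["Vary"] = "Origin"
    return headers
```

When no CORS header is returned, the browser blocks the calling page from reading the response; the request itself may still reach the server, which is why the token check in section 1 is the control that actually stops unauthorized calls.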
6. Secure Error Handling
What it does: Different error messages for development vs. production.
Why it matters: Production mode returns generic errors, preventing information leakage about server internals, file paths, or system configuration.
Implementation: Detailed errors in debug mode; sanitized responses in production.
Protection against: Information disclosure, reconnaissance attacks
7. HTTPS & Encrypted Transport
What it does: All traffic encrypted using TLS 1.2+ via Google Cloud Run.
Why it matters: Prevents eavesdropping and man-in-the-middle attacks on file uploads and user data.
Implementation: Cloud Run provides automatic HTTPS; HSTS header enforces it in browsers.
Protection against: Packet sniffing, session hijacking, data interception
8. Cloud Run Isolation & Processing
What it does: Each request processed in isolated temporary directories.
- UUID-based temp folders in /tmp/pdf2csv/
- 60-second timeout prevents infinite processing
- Automatic cleanup after conversion
- Ephemeral storage - wiped between container restarts
Why it matters: Prevents file collisions, limits resource consumption, ensures no data persistence.
Protection against: Resource exhaustion, file conflicts, data remnants
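The steps above (per-request UUID directory, timeout, cleanup) form one procedure, so here is one added example of how they fit together. It is not the service's own code: the converter interface, the cleanup-on-failure behaviour and the base directory fallback are assumptions, and the two converters are constructed stand-ins. The point it adds is that cleanup must happen on the failure path too, and that a resolved output path must stay inside the work directory.

```python
import os
import shutil
import tempfile
import time
import uuid
from concurrent.futures import ThreadPoolExecutor
from concurrent.futures import TimeoutError as FutureTimeout
from contextlib import contextmanager
from pathlib import Path

# Added example (not the service's own code). The page names /tmp/pdf2csv/;
# the system temp dir is used here so the example runs anywhere.
BASE_DIR = Path(tempfile.gettempdir()) / "pdf2csv"
TIMEOUT_SECONDS = 60


class ConversionTimeout(Exception):
    """Raised when the converter does not finish within the allowed time."""


@contextmanager
def isolated_workdir(base=BASE_DIR):
    """Create a fresh UUID-named directory under base (owner-only permissions)
    and remove it on exit, whether the body succeeded or raised."""
    base.mkdir(parents=True, exist_ok=True)
    workdir = base / uuid.uuid4().hex
    workdir.mkdir(mode=0o700)
    try:
        yield workdir
    finally:
        shutil.rmtree(workdir, ignore_errors=True)


def safe_join(workdir, name):
    """Resolve name inside workdir and refuse anything that escapes it."""
    root = workdir.resolve()
    target = (root / name).resolve()
    if os.path.commonpath([str(root), str(target)]) != str(root):
        raise ValueError("path escapes work directory")
    return target


def process_request(pdf_bytes, converter, timeout_s=TIMEOUT_SECONDS):
    """Write the upload into an isolated directory, run converter(in_path,
    out_path) under a timeout, and return the CSV bytes. The directory is
    wiped on the way out in every case."""
    with isolated_workdir() as wd:
        in_path = safe_join(wd, "input.pdf")
        out_path = safe_join(wd, "output.csv")
        in_path.write_bytes(pdf_bytes)
        pool = ThreadPoolExecutor(max_workers=1)
        try:
            pool.submit(converter, in_path, out_path).result(timeout=timeout_s)
        except FutureTimeout:
            # A Python thread cannot be killed; in production the hard stop is
            # a subprocess limit or the platform's request timeout.
            raise ConversionTimeout(f"conversion exceeded {timeout_s}s")
        finally:
            pool.shutdown(wait=False)
        return out_path.read_bytes()


def demo_converter(in_path, out_path):
    """Constructed stand-in for the real PDF-to-CSV step."""
    out_path.write_bytes(b"date,amount\n2024-01-01,12.50\n")


def slow_converter(in_path, out_path):
    """Constructed stand-in for a converter that hangs."""
    time.sleep(1)
```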
9. Automatic Data Deletion
What it does: Your uploaded PDFs and converted spreadsheets are automatically deleted after processing.
- Immediate deletion: PDFs, spreadsheet download files, and temporary files removed from Cloud Storage immediately after successful download
- Lifecycle policy: Files older than 24 hours are automatically purged as a failsafe.
- No permanent storage: We don't keep copies of your statements or transaction data
Why it matters: Minimizes data exposure window and ensures your financial data isn't retained longer than necessary.
Protection against: Data breaches, unauthorized access to historical data, compliance violations
10. Database Security (Firestore)
What it does: Server-side only database writes using Firebase Admin SDK.
Why it matters: Client cannot manipulate transaction counts, subscription status, or payment records.
Implementation: Firestore rules block all client writes; only Admin SDK (server) can modify user records.
Protection against: Data manipulation, privilege escalation, unauthorized access
11. Payment Security (Stripe)
What it does: Webhook signature verification ensures payment events are authentic.
Why it matters: Prevents fake payment confirmations from granting unauthorized access.
Implementation: stripe.Webhook.construct_event() recomputes the HMAC-SHA256 signature over the raw request body using the endpoint's signing secret and rejects events whose signature does not match or whose timestamp is older than the tolerance (300 seconds by default). It must be given the raw body bytes, not re-serialized JSON, or legitimate events fail verification.
Protection against: Payment fraud, fake subscription activation, webhook spoofing
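To make the check above concrete, here is an added example (not the service's code, which uses the Stripe library) that reproduces Stripe's documented scheme: the Stripe-Signature header carries t=<unix timestamp> and one or more v1=<hex> values, and each v1 is HMAC-SHA256 over "<timestamp>.<raw body>" keyed with the endpoint secret. The secret, event body and function names are constructed for the example; in production stripe.Webhook.construct_event() should be used as the page states.

```python
import hashlib
import hmac
import time

# Added example (not the service's own code).
DEFAULT_TOLERANCE_S = 300   # Stripe's library also defaults to five minutes


class WebhookVerificationError(Exception):
    """Raised when a webhook cannot be authenticated."""


def _parse_signature_header(header):
    """Parse 't=<ts>,v1=<hex>[,v1=<hex>...]' into (timestamp, [signatures])."""
    timestamp, sigs = None, []
    for item in header.split(","):
        key, _, value = item.strip().partition("=")
        if key == "t":
            try:
                timestamp = int(value)
            except ValueError:
                raise WebhookVerificationError("malformed timestamp")
        elif key == "v1":
            sigs.append(value)
    if timestamp is None or not sigs:
        raise WebhookVerificationError("malformed Stripe-Signature header")
    return timestamp, sigs


def _expected_signature(secret, timestamp, payload):
    signed = f"{timestamp}.".encode() + payload
    return hmac.new(secret.encode(), signed, hashlib.sha256).hexdigest()


def verify_stripe_signature(payload, sig_header, secret, now=None,
                            tolerance_s=DEFAULT_TOLERANCE_S):
    """Raise WebhookVerificationError unless a v1 signature matches and the
    timestamp is within tolerance. payload must be the raw request body."""
    timestamp, sigs = _parse_signature_header(sig_header)
    now = int(time.time()) if now is None else now
    if abs(now - timestamp) > tolerance_s:
        raise WebhookVerificationError("timestamp outside tolerance (replay?)")
    expected = _expected_signature(secret, timestamp, payload)
    # Constant-time comparison against every offered v1 (Stripe sends several
    # during a secret rotation).
    if not any(hmac.compare_digest(expected, s) for s in sigs):
        raise WebhookVerificationError("no matching signature")


def check_webhook(payload, sig_header, secret, now=None):
    """Return (True, None) if authentic, else (False, reason)."""
    try:
        verify_stripe_signature(payload, sig_header, secret, now=now)
    except WebhookVerificationError as exc:
        return False, str(exc)
    return True, None


def sign_for_test(payload, secret, timestamp):
    """Build a header the way Stripe would; only for constructing test events."""
    return f"t={timestamp},v1={_expected_signature(secret, timestamp, payload)}"


# Constructed fixtures (not a real secret or event).
TEST_SECRET = "whsec_constructed_example"
TEST_BODY = b'{"id":"evt_1","type":"checkout.session.completed"}'
```

Even an authentic event should be processed idempotently (keyed on the event id), because Stripe retries deliveries and a replay within the tolerance window is indistinguishable from the original.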
12. Secrets Management
What it does: Sensitive credentials stored in environment variables, not code.
Why it matters: Prevents accidental exposure of API keys, database credentials, and signing secrets.
Implementation: .env for local development; Google Secret Manager for production; .gitignore prevents commits.
Protection against: Credential leakage, unauthorized service access
13. Transaction Limit Enforcement
What it does: Server validates free trial limits (25 transactions) before processing.
Why it matters: Prevents users from bypassing payment requirements through client-side manipulation.
Implementation: The transaction count is stored in Firestore and checked on every conversion request. Because several conversions can be in flight for one account at the same time, the read and the increment have to happen atomically (a Firestore transaction) for the limit to hold under parallel requests.
Protection against: Free tier abuse, revenue loss
Security Summary
This application implements 13 layers of security controls covering authentication, authorization, input validation, rate limiting, secure processing, encrypted transport, automatic data deletion, and payment protection. All sensitive operations are server-side only, files are processed in isolated ephemeral environments, and no data is stored permanently - everything is automatically deleted after download or within 24 hours.
We follow industry best practices including OWASP Top 10 mitigations, secure payment processing via Stripe, and Google Cloud Platform's security infrastructure.