Security

Security at SOUCI is treated as a product feature, not a compliance task. The page below is a frank, technical write-up of how we protect your account, your orders, and the underlying infrastructure — the kind of detail we’d want to read if we were the customer.

Found a vulnerability?

Email [email protected]. We acknowledge within 24 hours, never sue good-faith researchers, and credit you publicly if you’d like. See the Vulnerability disclosure section below for full scope.

Account security

Passwords

  • Hashed with salted bcrypt (cost factor 12). We never see, log, or transmit the plaintext.
  • Minimum 10 characters; we don’t enforce composition rules — research shows length matters more than complexity.
  • Checked on signup and reset against the HaveIBeenPwned Pwned Passwords list. If your password has appeared in a public breach, we won’t accept it.
  • No periodic forced rotation. Forced rotation actively reduces password quality (NIST SP 800-63B confirms this) and we’d rather you pick one strong password and keep it.
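An added example (not SOUCI's code) of the signup/reset check described above: the length rule with no composition rules, plus a Pwned Passwords lookup that sends only the first 5 hex characters of the SHA-1 (k-anonymity). The range API is replaced by a constructed offline stand-in with hypothetical counts; the bcrypt storage step is left out.

```python
import hashlib
from typing import Callable, Optional

MIN_LENGTH = 10   # the page's minimum length; no composition rules are enforced
PREFIX_LEN = 5    # Pwned Passwords range API: only this many hex chars leave the server


def sha1_hex(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


# Constructed stand-in for the breach corpus (hypothetical counts, not real data).
_CONSTRUCTED_BREACHED = {"password123": 123456, "letmein1234": 789}


def fake_range_lookup(prefix: str) -> str:
    """Offline stand-in for GET https://api.pwnedpasswords.com/range/<prefix>.
    Returns matching suffixes as 'SUFFIX:COUNT' lines plus one filler line,
    so the response is never empty (the real API returns hundreds of lines)."""
    lines = ["0" * 34 + "A:1"]  # constructed filler entry
    for pw, count in _CONSTRUCTED_BREACHED.items():
        digest = sha1_hex(pw)
        if digest[:PREFIX_LEN] == prefix:
            lines.append(f"{digest[PREFIX_LEN:]}:{count}")
    return "\r\n".join(lines)


def breach_count(password: str, range_lookup: Callable[[str], str]) -> int:
    """Breach appearances for the password, found without sending the full hash."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:PREFIX_LEN], digest[PREFIX_LEN:]
    for line in range_lookup(prefix).splitlines():
        sfx, _, count = line.strip().partition(":")
        if sfx == suffix:
            return int(count)
    return 0


def evaluate_password(password: str,
                      range_lookup: Callable[[str], str] = fake_range_lookup) -> Optional[str]:
    """Return None when the password is acceptable, else the rejection reason
    shown to the user at signup or reset."""
    if len(password) < MIN_LENGTH:
        return f"must be at least {MIN_LENGTH} characters"
    hits = breach_count(password, range_lookup)
    if hits:
        return f"appeared in {hits} public breaches"
    return None
```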

Phone OTP login (passwordless)

You can sign in with a one-time code sent to your phone instead of a password — a stronger model than passwords because there’s nothing to reuse, leak, or phish. Codes expire in 5 minutes and rate-limit aggressively after 3 wrong attempts.
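An added example (not SOUCI's code) of a verifier that enforces the two limits stated above, a 5-minute expiry and a lock after 3 wrong attempts, and also makes each code single-use. The 6-digit code length and the per-challenge lockout are assumptions; a production deployment would also rate-limit per phone number and source IP.

```python
import hmac
import secrets
from dataclasses import dataclass

OTP_TTL_SECONDS = 5 * 60   # page: codes expire in 5 minutes
MAX_ATTEMPTS = 3           # page: refuse further attempts after 3 wrong ones


@dataclass
class OtpChallenge:
    code: str
    issued_at: float       # seconds, same clock as `now` passed to verify()
    attempts: int = 0
    consumed: bool = False


def issue_challenge(now: float, digits: int = 6) -> OtpChallenge:
    # secrets, not random: the code must be unpredictable. 6 digits is an assumption.
    code = f"{secrets.randbelow(10 ** digits):0{digits}d}"
    return OtpChallenge(code=code, issued_at=now)


def verify(challenge: OtpChallenge, submitted: str, now: float) -> str:
    """Return 'ok', 'consumed', 'expired', 'locked' or 'wrong'.

    Replay, expiry and lockout are checked before the code is compared, so an
    expired or locked challenge never reveals whether a guess was correct."""
    if challenge.consumed:
        return "consumed"
    if now - challenge.issued_at > OTP_TTL_SECONDS:
        return "expired"
    if challenge.attempts >= MAX_ATTEMPTS:
        return "locked"
    challenge.attempts += 1
    # Constant-time comparison: the response time does not depend on how many
    # leading digits matched.
    if hmac.compare_digest(challenge.code.encode(), submitted.encode()):
        challenge.consumed = True
        return "ok"
    return "wrong"
```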

Sign-in alerts

Every successful sign-in from a new device or new IP geography triggers an immediate email to the address on file: where, when, what browser. If it wasn’t you, the email links straight to a session-revocation flow that signs out everyone everywhere and locks the password reset.

Sessions

  • Short-lived (24h sliding) JWTs for the API, full session cookies for the storefront.
  • HttpOnly, Secure, SameSite=Lax on every authentication cookie.
  • One-click “Sign out everywhere” in Account details revokes all active sessions across all devices.

Payment security

  • All card processing is delegated to Stripe, a PCI DSS Level 1 service provider — meaning the regulated cardholder data never touches our servers.
  • The full PAN and CVV are submitted from your browser directly to Stripe via Stripe.js; our backend only ever sees the resulting tokenised reference (pm_…) and the brand + last-4 for display.
  • 3D Secure (3DS2 / SCA) is enforced on every transaction in supported regions, regardless of order amount, to neutralise stolen-card replay.
  • Saved payment methods are stored as Stripe customer references, encrypted-at-rest by Stripe and bound to your customer ID — they cannot be used outside SOUCI.
  • Refunds and disputes are processed through Stripe’s official APIs only. We never request card details by email or phone — anyone who does is impersonating us.

Infrastructure

  • Edge: Cloudflare with HSTS preloaded, automatic HTTPS rewrites, OWASP managed WAF rules, bot-detection challenges on the checkout endpoint.
  • Transport: TLS 1.3 (TLS 1.2 retained only for legacy clients), modern cipher suites, OCSP stapling, HSTS max-age=31536000; includeSubDomains; preload.
  • Application: WordPress core + WooCommerce + Souci Mall theme & plugin. CSP enforced. CSRF nonces on every state-changing action. Output escaping by default (no raw concatenation).
  • Database: MariaDB on a private network. Connections require a per-process credential. Encryption at rest via volume-level AES-256.
  • Backups: Daily encrypted backups with 30-day retention. Quarterly restore drills against an isolated environment so the backups are actually known to work.
  • Access: Role-based access control. Production database access requires an approved-list IP and a hardware-backed SSH key, and is logged to an immutable audit trail.

Compliance & audits

  • PCI DSS — SAQ A scope (because all cardholder data is processed by Stripe). Annual self-assessment + Stripe’s underlying Level 1 attestation.
  • GDPR — full Article 30 records of processing, named DPO, mapped legal bases for every purpose, EU SCCs for transfers to the U.S.
  • CCPA / CPRA — consumer requests handled the same as GDPR rights, fulfilled in 30 days max.
  • Penetration testing — annual third-party black-box pentest, focused on the checkout flow and account-takeover paths. Latest report available under NDA on request.

Data isolation

SOUCI runs on a single-tenant database — your data does not share a row with any other store, marketplace, or brand. Browse history, wishlist, and order data are scoped to your user ID at the row level and the application enforces it at every query. Backups are encrypted with a key SOUCI controls, not the hosting provider.

Vulnerability disclosure

We welcome reports from security researchers and reward the time you spend with credit, and (where the bug is meaningful) a thank-you bag of SOUCI products. To report a vulnerability:

  1. Email [email protected] with a clear write-up: affected URL, payload, and the security impact.
  2. If you find an authentication issue, please use a test account you create — do not exfiltrate or modify other users’ data.
  3. Give us 90 days to fix before public disclosure. We will keep you in the loop on the patch timeline.
  4. If we agree the report is in scope and meaningful, you’ll be added to our public Hall of Fame (with handle of your choice) and sent a thank-you parcel.

In scope

  • The storefront at sexbaby.net and any subdomain we operate
  • Checkout / payment flow (do not actually charge cards — use Stripe test mode)
  • Authentication, session management, account-recovery
  • Privilege escalation, IDOR, server-side request forgery
  • Stored / reflected / DOM XSS

Out of scope

  • Self-XSS, clickjacking on pages without sensitive actions
  • Issues that require physical access to a victim’s device
  • Denial-of-service, resource-exhaustion, brute-forcing without a secondary impact
  • Missing security headers without a demonstrated exploit
  • Vulnerabilities in third-party services (report directly to them)

Incident response & notification

If a security incident materially affects your personal data, we notify the relevant data-protection authority within 72 hours of discovery and notify you directly (by email at the address on file) without undue delay. The notification includes: what happened, what data was involved, what we’ve done to contain it, what you should do, and how to reach our DPO. We commit to plain English over corporate-speak in any breach notification we send.

Audit logs

Every administrative action — staff sign-in, customer-data view, refund issued, role assigned — is written to an append-only audit log retained for 1 year. The log is reviewed weekly for anomalies and on-demand any time a security report comes in.

Last updated: 2026-05-02
Version: 1.0
Reach security: [email protected]