
Security & compliance

  • libsodium authenticated encryption at rest with AES-256-GCM fallback
  • Argon2id password hashing for all accounts
  • Mandatory TOTP two-factor for every admin user
  • Strict CSP with nonces, X-Frame-Options DENY, HSTS preload
  • CSRF synchronizer-token protection on every state-changing request
  • Database-backed sliding-window rate limiting
  • WCAG 2.2 AA validation on every page before publish
  • SSRF protection on all outbound fetches
  • Magic-byte MIME detection on every upload

Found a vulnerability? Email security@scanntoss.com. We'll respond within 24 hours.