Data Security

Last updated: May 2026

This page explains, in plain English, what we do to keep your account and data safe. If you spot a security issue, email team@nabbedarchive.com.

Encrypted Connections

All data between your browser and Nabbed is encrypted using HTTPS/TLS, the same as banks. Your browser will show a padlock icon confirming this. We enforce HTTPS on every page and reject unencrypted connections, so third parties can't intercept your data in transit.

Password Security

Your password is never stored in plaintext. When you create an account, your password is hashed before it's stored. Even if our database were compromised, attackers couldn't recover your actual password from it. We can't see it either. Only you know it.

Session tokens (the things that keep you logged in) are stored securely and rotated regularly to prevent session hijacking.

Payment Security

Nabbed never sees, stores, or processes your card details. All payment information is handled by Stripe, certified to PCI DSS Level 1. When you top up your Nabs balance, your card details go directly to Stripe, not through our servers. We receive only a confirmation that the payment succeeded.

Account Protection

Nabbed includes an optional purchase confirmation password feature. When enabled, you must re-enter your password before any purchase goes through. It adds a second layer of protection if someone else gets access to your logged-in device.

Bot and automated abuse protection is applied at the authentication layer to prevent credential stuffing and automated account creation.

Database Security

Every table in our database has Row Level Security enabled. Each user can only access data they're allowed to see. Even if a bug existed in our code, the database itself enforces the boundaries. Queries use parameterised statements, which blocks SQL injection attacks entirely.

Admin-level database access (bypassing user-level security) is restricted to server-side code only, using keys that are never exposed to the browser and are never included in our public codebase.

Infrastructure & Hosting

Nabbed runs on enterprise-grade infrastructure. Our web application is hosted on Vercel, which provides automatic DDoS mitigation, global redundancy, and regular security patching. Our database is hosted on Supabase, a SOC 2 Type II certified platform stored in the EU. DNS and additional DDoS protection are provided by Cloudflare.

Input Validation

Every piece of data submitted to Nabbed is validated and sanitised on our server before being processed or stored. This includes checking data types, enforcing length limits, stripping HTML and scripting characters, and rejecting requests that do not match expected formats. We never trust data received from a browser at face value.

Rate Limiting & Abuse Prevention

Our API endpoints are rate-limited to prevent brute-force attacks, spam, and automated abuse. Sensitive actions like logging in and purchasing have stricter limits. Accounts showing suspicious behaviour may be temporarily restricted.

Security Audits

We conduct regular reviews of our codebase and dependencies to identify and address security vulnerabilities. Dependencies are monitored for known security issues and updated promptly when patches are available.

Responsible Disclosure

If you discover a security vulnerability in Nabbed, please report it responsibly to us before disclosing it publicly. Email us at team@nabbedarchive.com with the subject line "Security Disclosure". Please provide a clear description of the issue and steps to reproduce it. We will acknowledge your report within 48 hours and work to address the issue promptly.

We appreciate responsible disclosure and will not take legal action against researchers who report issues in good faith following this process.
