Your data is protected by design
Finent is built with security as a first-class concern — not an afterthought. Here's exactly what we do to keep your account and financial data safe.
Encryption in transit
Every request to Finent is served over HTTPS. Plain HTTP connections are redirected to HTTPS, and an HTTP Strict Transport Security (HSTS) header instructs browsers to use only secure connections on subsequent visits.
Authentication cookies are marked Secure and HttpOnly, so browsers send them only over HTTPS and never expose them to JavaScript.
Authentication & account protection
PBKDF2-SHA256 password hashing
Passwords are hashed with PBKDF2-HMAC-SHA256 using a random per-user salt, so two users with the same password produce different hashes and precomputed tables are useless. Your plain-text password is never stored or logged.
Account lockout
After five failed login attempts the account is locked for 15 minutes. This caps online password guessing at a handful of attempts per lockout period, which defeats automated brute-force tools against a single account; it does not make a weak or reused password safe, which is why two-factor authentication is offered below.
Two-factor authentication
Optional TOTP-based 2FA is available from your account settings. Enable it to require an authenticator app code alongside your password at every login.
Rate limiting
Login and registration endpoints are protected by a fixed-window rate limiter. Excessive requests from a single IP address within a window are rejected with HTTP 429 Too Many Requests.
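Here is an added example of how the two controls above fit together in a login handler; it is illustrative code written for this page, not Finent's implementation, and the thresholds (5 failures, 15 minutes, requests per 60-second window) and the `ManualClock` helper are assumptions for the demonstration. The limiter is keyed by client IP, the lockout by account, and the clock is injectable so the behaviour can be tested deterministically. It also exposes the known weakness of a fixed window: a client can send up to twice the limit in a short span that straddles a window boundary.

```python
import time


class ManualClock:
    """Test clock: call it like time.time(), set .t to move time (example helper)."""

    def __init__(self, t: float = 0.0):
        self.t = t

    def __call__(self) -> float:
        return self.t


class FixedWindowLimiter:
    """Allow at most `limit` requests per `window_seconds` per key (e.g. client IP).

    Windows are aligned to the clock (0-60s, 60-120s, ...). Cheap to implement,
    but a burst at the end of one window followed by a burst at the start of
    the next lets a client send 2 x limit requests in a few seconds.
    """

    def __init__(self, limit: int, window_seconds: float, clock=time.time):
        self.limit = limit
        self.window = window_seconds
        self.clock = clock
        self._buckets: dict[str, tuple[int, int]] = {}  # key -> (window index, count)

    def allow(self, key: str) -> bool:
        window_index = int(self.clock() // self.window)
        stored_index, count = self._buckets.get(key, (window_index, 0))
        if stored_index != window_index:
            count = 0  # new window: counter resets
        if count >= self.limit:
            self._buckets[key] = (window_index, count)
            return False  # caller answers 429 Too Many Requests
        self._buckets[key] = (window_index, count + 1)
        return True


class AccountLockout:
    """Lock an account for `lockout_seconds` after `max_failures` consecutive failures."""

    def __init__(self, max_failures: int = 5, lockout_seconds: float = 15 * 60, clock=time.time):
        self.max_failures = max_failures
        self.lockout_seconds = lockout_seconds
        self.clock = clock
        self._failures: dict[str, int] = {}
        self._locked_until: dict[str, float] = {}

    def is_locked(self, username: str) -> bool:
        until = self._locked_until.get(username)
        if until is None:
            return False
        if self.clock() < until:
            return True
        # Lockout has expired: clear it and start counting afresh.
        del self._locked_until[username]
        self._failures.pop(username, None)
        return False

    def record_failure(self, username: str) -> bool:
        """Count a failed attempt; return True if this one triggered a lockout."""
        failures = self._failures.get(username, 0) + 1
        self._failures[username] = failures
        if failures >= self.max_failures:
            self._locked_until[username] = self.clock() + self.lockout_seconds
            self._failures[username] = 0
            return True
        return False

    def record_success(self, username: str) -> None:
        self._failures.pop(username, None)


def attempt_login(lockout: AccountLockout, limiter: FixedWindowLimiter,
                  ip: str, username: str, password_ok: bool) -> str:
    """Apply both controls in the order a login handler would check them.

    The distinct return values are for the caller's logging; the message shown
    to the user should be the same for "bad password" and "locked" so the
    response does not confirm which accounts exist or are under attack.
    """
    if not limiter.allow(ip):
        return "429 rate limited"
    if lockout.is_locked(username):
        return "locked"
    if password_ok:
        lockout.record_success(username)
        return "ok"
    lockout.record_failure(username)
    return "locked" if lockout.is_locked(username) else "bad password"
```

Two caveats a reviewer would raise on this design: a per-IP limiter is weak against an attacker who rotates through many addresses, and a per-account lockout lets anyone who knows a username lock its owner out for 15 minutes at will. Neither removes the value of the controls; they are the reason the page also offers two-factor authentication.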
Email confirmation
New accounts must confirm their email address before signing in. This prevents anyone from registering an account against an address they do not control.
Secure password reset
Password-reset links carry a single-use, time-limited token delivered to your confirmed email address. A token is invalidated as soon as it is redeemed and expires if it is not used in time, so a link that leaks later cannot be replayed.
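As an added example (not Finent's code), the service below shows the properties just described: a 256-bit random token, only a SHA-256 hash of it persisted, a fixed time-to-live, one redemption only, and any earlier outstanding token for the same user cancelled when a new one is issued. The 30-minute TTL, the in-memory "table" and the `ManualClock` helper are assumptions for the demonstration.

```python
import hashlib
import secrets
import time
from dataclasses import dataclass
from typing import Optional


class ManualClock:
    """Test clock: call it like time.time(), set .t to move time (example helper)."""

    def __init__(self, t: float = 0.0):
        self.t = t

    def __call__(self) -> float:
        return self.t


@dataclass
class ResetRecord:
    user_id: int
    token_hash: str  # SHA-256 of the token; the raw token is never stored
    expires_at: float
    used: bool = False


class PasswordResetService:
    """Issue and redeem single-use, time-limited password-reset tokens.

    Only a hash of the token is persisted, so a database read or a leaked
    backup does not yield working reset links. `clock` is injectable for
    testing; production code would pass time.time.
    """

    def __init__(self, ttl_seconds: float = 30 * 60, clock=time.time):
        self.ttl = ttl_seconds
        self.clock = clock
        self._records: dict[str, ResetRecord] = {}  # stands in for a DB table keyed by hash

    @staticmethod
    def _hash(token: str) -> str:
        # Looking a 256-bit random token up by its hash is safe: an attacker
        # cannot build a token from timing information about the hash.
        return hashlib.sha256(token.encode("ascii")).hexdigest()

    def issue(self, user_id: int) -> str:
        """Create a token for `user_id`, cancelling any earlier unused token."""
        for rec in self._records.values():
            if rec.user_id == user_id and not rec.used:
                rec.used = True
        token = secrets.token_urlsafe(32)  # 32 bytes = 256 bits of randomness
        token_hash = self._hash(token)
        self._records[token_hash] = ResetRecord(user_id, token_hash, self.clock() + self.ttl)
        return token  # goes into the emailed link only; the server keeps the hash

    def redeem(self, token: str) -> Optional[int]:
        """Return the user_id if the token is known, unexpired and unused; else None."""
        rec = self._records.get(self._hash(token))
        if rec is None or rec.used or self.clock() >= rec.expires_at:
            return None
        # Burn the token before the password is changed, so a second request
        # racing the first (or a second click) is rejected.
        rec.used = True
        return rec.user_id
```

In a real deployment the `used` flag and expiry check would be one atomic conditional update in the database, so that two concurrent redemptions cannot both succeed.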
Application-level protections
CSRF protection
Every state-changing form (login, data entry, account management) includes an anti-forgery token that is validated server-side, so a request forged from another site is rejected.
Data isolation
Every database query is filtered by the authenticated user's ID, including updates and deletes of individual records, so expenses, incomes and goals belonging to one user are never returned to or modified by another through the application.
Open source
Finent's source code is publicly auditable on GitHub. There are no hidden behaviours, no obfuscated code, and no black-box libraries handling your financial data.
Secret management
Production secrets (database credentials, email API keys) are stored in a secure secret store and loaded at runtime. They are never committed to source control.
Parameterised queries
All database access goes through a query builder that issues parameterised queries, so user-supplied input is always bound as data and never spliced into SQL text. This is what rules out SQL injection through application inputs.
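The following added example (not Finent's code or schema) puts the two preceding points side by side. A constructed SQLite table holds expenses for two users; an intentionally unsafe query that interpolates the category filter into SQL text leaks every row when given a classic injection string, while the parameterised version returns nothing for the same input. A delete that filters on both `id` and `user_id` shows ownership being enforced on writes as well as reads.

```python
import sqlite3

# Constructed sample schema and data for this example (not Finent's).
SCHEMA = """
CREATE TABLE expenses (
    id INTEGER PRIMARY KEY,
    user_id INTEGER NOT NULL,
    category TEXT NOT NULL,
    amount_cents INTEGER NOT NULL
);
"""
SAMPLE_ROWS = [
    (1, 1, "groceries", 4500),
    (2, 1, "rent", 120000),
    (3, 2, "groceries", 3100),
    (4, 2, "travel", 80000),
]


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO expenses VALUES (?, ?, ?, ?)", SAMPLE_ROWS)
    return conn


def expenses_by_category_unsafe(conn, user_id: int, category: str):
    """VULNERABLE (for contrast only): interpolates user input into SQL text.

    With category = "groceries' OR '1'='1" the WHERE clause becomes
    user_id = 1 AND category = 'groceries' OR '1'='1', which is true for
    every row, so the per-user scoping is bypassed along with the filter.
    """
    sql = (f"SELECT id, amount_cents FROM expenses "
           f"WHERE user_id = {user_id} AND category = '{category}' ORDER BY id")
    return conn.execute(sql).fetchall()


def expenses_by_category(conn, user_id: int, category: str):
    """Hardened: user_id comes from the session, category is bound as a parameter."""
    sql = ("SELECT id, amount_cents FROM expenses "
           "WHERE user_id = ? AND category = ? ORDER BY id")
    return conn.execute(sql, (user_id, category)).fetchall()


def delete_expense(conn, user_id: int, expense_id: int) -> bool:
    """Delete only if the row belongs to the caller; False means not found or not yours.

    Filtering on user_id in the same statement (rather than fetching the row
    and checking afterwards) leaves no window for a race and no code path
    that forgets the check.
    """
    cur = conn.execute("DELETE FROM expenses WHERE id = ? AND user_id = ?",
                       (expense_id, user_id))
    conn.commit()
    return cur.rowcount == 1


if __name__ == "__main__":
    conn = make_db()
    evil = "groceries' OR '1'='1"
    print(expenses_by_category_unsafe(conn, 1, evil))  # all four rows leak
    print(expenses_by_category(conn, 1, evil))         # []
    print(delete_expense(conn, 1, 3))                  # False: row 3 is user 2's
```

Returning `False` from `delete_expense` rather than raising distinguishes "no such row for this user" from a server error while still telling the caller nothing about whether the ID exists for someone else; the HTTP layer would map it to the same 404 in both cases.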
No third-party tracking
There are no advertising networks, analytics scripts, or third-party SDKs that can observe your usage or financial data.
Found a vulnerability?
If you discover a security issue, please report it responsibly by emailing us directly rather than disclosing it publicly. We will acknowledge the report promptly and work to resolve it as quickly as possible.
Your security matters
Have a question about how we protect your data? Read our privacy policy or get in touch.