This Security Policy outlines the measures Finjex ("we," "us," or "our") takes to protect our websites finjex.com and finjex.ai, financial planning tools, and related services (collectively, the "Services") from security threats. Our goal is to safeguard user data and maintain a secure platform.
We may update this policy as our security practices evolve. Changes will be reflected by the "Last Updated" date below.
1. Data Protection Measures
Encryption
We enforce secure communication using:
- HTTPS Enforcement: All connections to our Services are encrypted with TLS, and HTTPS is enforced with the HTTP Strict-Transport-Security (HSTS) header, set to a 1-year duration (max-age=31536000) and applied to all subdomains.
- Secure Reporting: Security researchers can contact us over encrypted channels using our PGP public key, available at https://finjex.com/pgp-key.txt.
Content Security
We restrict resource loading to trusted sources with:
- Content-Security-Policy (CSP): Our CSP limits scripts, styles, and fonts to our own domain ('self') and trusted CDNs such as gstatic.com, preventing unauthorized code from executing.
- MIME-Type Enforcement: The X-Content-Type-Options: nosniff header prevents browsers from misinterpreting content types, reducing XSS risks.
2. Information Exposure Controls
- Referrer Protection: The Referrer-Policy: no-referrer header ensures no referrer information is sent when users navigate away from our site, protecting sensitive URLs.
- Server Anonymity: We suppress server software details (e.g., the Apache version) and disable the X-Powered-By header to minimize attack surface exposure.
- Directory Security: Directory listings are disabled to prevent unauthorized file access.
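The header commitments in sections 1 and 2 can be verified against any HTTP response. The following is an added example, not Finjex code: it checks a response's headers for the HSTS, CSP, nosniff, Referrer-Policy and server-disclosure settings stated above. The CDN host list and the two sample header sets are constructed assumptions.

```python
"""Check HTTP response headers against the policy's stated settings (added example)."""
import re
from typing import Dict, List, Optional

HSTS_MIN_AGE = 31536000  # one year, as the policy states
# Assumed allow-list: 'self' plus the CDN hosts the policy names as trusted.
ALLOWED_CSP_SOURCES = {"'self'", "https://www.gstatic.com", "https://cdn.jsdelivr.net"}

def _csp_sources(csp: str, directive: str) -> Optional[List[str]]:
    """Return the source list for one CSP directive, or None if it is absent."""
    for part in csp.split(";"):
        tokens = part.split()
        if tokens and tokens[0].lower() == directive:
            return tokens[1:]
    return None

def check_headers(headers: Dict[str, str]) -> List[str]:
    """Return findings; an empty list means the response matches the policy."""
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    findings: List[str] = []
    hsts = h.get("strict-transport-security", "")
    m = re.search(r"max-age=(\d+)", hsts)
    if not m or int(m.group(1)) < HSTS_MIN_AGE:
        findings.append("HSTS missing or max-age below one year")
    if "includesubdomains" not in hsts.lower():
        findings.append("HSTS does not cover subdomains")
    csp = h.get("content-security-policy")
    if csp is None:
        findings.append("CSP header missing")
    else:
        for d in ("script-src", "style-src", "font-src"):
            srcs = _csp_sources(csp, d)
            if srcs is None:  # fall back to default-src only when the directive is absent
                srcs = _csp_sources(csp, "default-src")
            if srcs is None:
                findings.append(f"CSP: {d} has no directive and no default-src")
            elif set(srcs) - ALLOWED_CSP_SOURCES:  # e.g. 'unsafe-inline' or a wildcard
                findings.append(f"CSP: {d} allows {sorted(set(srcs) - ALLOWED_CSP_SOURCES)}")
    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options is not nosniff")
    if h.get("referrer-policy", "").lower() != "no-referrer":
        findings.append("Referrer-Policy is not no-referrer")
    if "x-powered-by" in h:
        findings.append("X-Powered-By header present")
    if re.search(r"\d", h.get("server", "")):  # a digit means a version is disclosed
        findings.append("Server header exposes a version")
    return findings

# Constructed sample responses: one matching the policy, one with common weaknesses.
GOOD_HEADERS = {"Strict-Transport-Security": "max-age=31536000; includeSubDomains",
                "Content-Security-Policy": "default-src 'self'; script-src 'self' https://www.gstatic.com",
                "X-Content-Type-Options": "nosniff", "Referrer-Policy": "no-referrer", "Server": "Apache"}
WEAK_HEADERS = {"Strict-Transport-Security": "max-age=300", "Server": "Apache/2.4.41",
                "Content-Security-Policy": "script-src 'self' 'unsafe-inline'", "X-Powered-By": "PHP/7.4"}
```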
3. Vulnerability Reporting
We encourage responsible disclosure of security issues through:
- security.txt: A standardized file at https://finjex.com/.well-known/security.txt provides contact details and our PGP key for encrypted reporting.
- Contact Point: Reach us at security@finjex.com for security concerns.
- Hall of Fame: Researchers who report vulnerabilities responsibly may be named and thanked in our Security Hall of Fame.
Commitment to Researchers:
- ✔ We acknowledge and thank contributors who report issues responsibly.
- ✔ Reports are reviewed promptly to address potential vulnerabilities.
4. Platform Security
We maintain a secure environment by:
- Using trusted third-party services (e.g., Cloudflare, jsDelivr) for content delivery, with strict access controls.
- Regularly updating dependencies like Font Awesome, Chart.js, and D3 to patched versions.
- Hosting critical assets locally where possible to reduce external exposure.
5. Limitations
While we implement robust security measures, no system is immune to all threats. We continuously monitor and improve our defenses to mitigate risks.
6. Contact Us
For security inquiries or to report vulnerabilities:
- Email: security@finjex.com
- Web: https://finjex.com/.well-known/security.txt
- Encryption Key: https://finjex.com/pgp-key.txt