Security & Trust

Built so your data and payments stay yours.

We take the boring parts of building a secure product seriously so you don't have to think about them. Here's a plain-English summary of the protections that run on every page, every checkout, and every API call.

Row-Level Security on every table

Your data is isolated at the database layer. Postgres RLS policies ensure you can only ever read your own profile, purchases, and progress — even if a request bypasses our app code.

Webhook-only purchase records

Premium access (Diamond, Black Pearl, individual courses) can only be granted by our verified Stripe webhook. No client, browser, or logged-in user can write to the purchases table — only the trusted backend can.

Payments handled by Stripe

We never see, store, or transmit your card details. Stripe's embedded checkout collects payment data directly inside their PCI-compliant iframe. Each session is signed and verified server-side before access is granted.

Authenticated checkout only

Every checkout request is verified against your Supabase JWT on the server. The user ID is derived from the verified token — never trusted from the request body — which prevents anyone from creating a session on someone else's behalf.

Production-grade security headers

Every page is served with a strict Content-Security-Policy, HSTS, X-Frame-Options, Referrer-Policy, and Permissions-Policy. Scripts can only load from our origin and Stripe — nothing else.

Strict CORS allow-list

Our backend functions only respond to requests from approved origins (our published domain and local development). Arbitrary third-party sites cannot call our APIs from a browser.

Admin endpoints are gated

Internal maintenance endpoints (e.g. tax code setup) require an admin secret that is held server-side and checked using constant-time comparison. They are unreachable from the public app.

Safe redirects

After signing in, we only ever redirect to paths inside WealthOS. Open-redirect attempts to external domains are sanitized and ignored.
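
One way to implement the path-only redirect check described above, as an added example that is not WealthOS's own code. The function name `safeRedirectPath`, the fallback `/` and the placeholder origin `https://app.example` are assumptions.

```javascript
// Added example: names and the origin below are assumptions, not WealthOS code.
const BASE = "https://app.example"; // placeholder origin, used only for parsing

function safeRedirectPath(next, fallback = "/") {
  if (typeof next !== "string" || next.length === 0) return fallback;

  // Browsers strip tabs/newlines from URLs and treat "\" like "/",
  // so "/\host" or "/<TAB>/host" can end up meaning "//host".
  if (/[\u0000-\u001f\u007f\\]/.test(next)) return fallback;

  // Only a single-slash absolute path is accepted. This rejects absolute URLs,
  // "javascript:" and other schemes, and protocol-relative "//host" targets.
  if (!next.startsWith("/") || next.startsWith("//")) return fallback;

  let url;
  try {
    url = new URL(next, BASE);
  } catch {
    return fallback;
  }

  // Defence in depth: resolution must not have left our origin.
  if (url.origin !== BASE) return fallback;

  // Dot-segment removal can manufacture a leading "//" (for example
  // "/a/..//host" normalizes to "//host"), so re-check the normalized result.
  const target = url.pathname + url.search + url.hash;
  return target.startsWith("//") ? fallback : target;
}

// Constructed sample inputs, as a post-login "next" parameter might carry them.
const samples = [
  "/dashboard?tab=1#x",
  "https://other.example/",
  "//other.example/path",
  "/\\other.example",
  "/a/..//other.example",
];
for (const s of samples) {
  console.log(JSON.stringify(s), "->", safeRedirectPath(s));
}
```

The value returned is always a same-origin path, so the caller can pass it straight to its redirect response.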

What this means for you

  • Only you can view your own purchases, progress, and profile — enforced by the database itself, not just our code.
  • Course access is only ever unlocked after Stripe confirms a successful payment — there is no "trust the browser" path.
  • Card data is entered directly into Stripe's checkout. We never receive your card number, CVC, or expiry.
  • Our pages can't be embedded by malicious third-party sites, and your session can't be hijacked by injected scripts from unknown origins.

Found something? Tell us.

If you believe you've discovered a security issue, we want to hear about it. Reach out and we'll respond quickly.

Report a security concern