Overview
Finscreener is committed to the security promises made in our Terms & Conditions and Privacy Policy. This page details the technical measures we implement to protect your data and the platform.
Authentication & Access Control
API Key Authentication
- All API keys use the fsk_ prefix for identification
- Keys are SHA-256 hashed before storage — we never store raw keys
- Last-used timestamps are tracked for monitoring
JWT Token Management
- Access tokens expire after 1 hour
- Refresh tokens are long-lived for seamless renewal
- Tokens are blacklisted on logout (Redis-first, MongoDB fallback)
- Separate signing secrets for access and refresh tokens
Session Security
- Session cookies are HttpOnly, Secure, and SameSite=Lax
- Sessions have a fixed 24-hour TTL (no sliding window)
- All sessions are invalidated on account suspension
Role-Based Access Control
- Admin and user roles with granular endpoint-level permissions
- Per-user daily API quotas with automatic reset
- Permission checks on every authenticated request
Account Protection
Rate Limiting
Rate limits protect against brute-force attacks:
| Endpoint | Max Attempts | Window |
|---|---|---|
| Login | 10 | 15 minutes |
| Registration | 3 | 60 minutes |
| Detail APIs | 100/day | Daily reset |
Rate limit headers are included in Developer API responses:
X-RateLimit-Limit: 100
X-RateLimit-Remaining: 95
X-RateLimit-Reset: 2026-03-25T23:59:59Z
Account Suspension
Accounts exhibiting suspicious activity may be suspended. Suspended accounts:
- Cannot log in or access any API endpoint
- Have all active sessions immediately invalidated
- Receive a clear error message with support contact info
IP-Based Blocking
- Malicious request patterns (path traversal, file inclusion, CMS probes) trigger automatic IP bans
- IP blocks are persistent (stored in MongoDB, survive server restarts)
- Bans are time-limited (24h for pattern violations, 48h for brute-force)
- Admins can manually block/unblock IPs
Automated Threat Detection
Every 15 minutes, the platform scans for:
- Brute-force attacks: IPs with 20+ failed auth attempts are auto-blocked for 48 hours
- Credential stuffing: Accounts targeted by excessive failed logins are flagged
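As an added illustration of the scan described above (example code written for this page, not Finscreener's own implementation), the following Python tallies failed logins per IP and per account inside one 15-minute window, applies the page's 20-attempt / 48-hour block rule, and flags accounts hit by many failures. The credential-stuffing threshold of 10, the fixed NOW timestamp and the sample auth log are assumptions constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Thresholds stated on the page: 20+ failed auth attempts from one IP earn a
# 48-hour block, and the detection job runs every 15 minutes.
BRUTE_FORCE_THRESHOLD = 20
BRUTE_FORCE_BAN = timedelta(hours=48)
SCAN_WINDOW = timedelta(minutes=15)
# Assumed value (the page states none): failed logins against one account in
# a single window that get it flagged as a credential-stuffing target.
STUFFING_THRESHOLD = 10
# Fixed "current time" so the constructed sample below is reproducible.
NOW = datetime(2026, 3, 25, 12, 0, tzinfo=timezone.utc)


def scan_auth_failures(events, now):
    """events: dicts with ts (aware datetime), ip, account, ok (bool).
    Returns (ip -> ban expiry, sorted accounts hit STUFFING_THRESHOLD+ times)."""
    since = now - SCAN_WINDOW
    per_ip, per_account = defaultdict(int), defaultdict(int)
    for e in events:
        if e["ok"] or e["ts"] < since:
            continue  # successes and events outside the window do not count
        per_ip[e["ip"]] += 1
        per_account[e["account"]] += 1
    ip_bans = {ip: now + BRUTE_FORCE_BAN
               for ip, n in per_ip.items() if n >= BRUTE_FORCE_THRESHOLD}
    flagged = sorted(a for a, n in per_account.items() if n >= STUFFING_THRESHOLD)
    return ip_bans, flagged


def constructed_events(now=NOW):
    """Constructed sample auth log (not real traffic) covering four cases."""
    ev = []
    # 25 failures from one IP over the last ten minutes: brute force.
    for i in range(25):
        ev.append({"ts": now - timedelta(minutes=10, seconds=-20 * i), "ip": "203.0.113.7",
                   "account": f"user{i % 5}@example.com", "ok": False})
    # Three mistyped passwords then a success from a real user: below threshold.
    for ok in (False, False, False, True):
        ev.append({"ts": now - timedelta(minutes=3), "ip": "198.51.100.4",
                   "account": "user1@example.com", "ok": ok})
    # 40 failures from another IP two hours ago: outside the 15-minute window.
    ev += [{"ts": now - timedelta(hours=2), "ip": "203.0.113.9",
            "account": "user2@example.com", "ok": False}] * 40
    # 12 failures against one account from 12 different IPs: credential stuffing.
    for i in range(12):
        ev.append({"ts": now - timedelta(minutes=5), "ip": f"198.51.100.{10 + i}",
                   "account": "victim@example.com", "ok": False})
    return ev
```

Running scan_auth_failures(constructed_events(), NOW) bans only 203.0.113.7 and flags only victim@example.com; the stale 203.0.113.9 failures fall outside the window and are ignored.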
Data Security
Encryption
- In transit: All connections use TLS/SSL encryption
- Password hashing: Bcrypt with 12 salt rounds (industry standard)
- API keys: SHA-256 hashed before database storage
All browser-facing responses include:
| Header | Value |
|---|---|
| Strict-Transport-Security | 1 year, including subdomains |
| X-Frame-Options | DENY (prevents clickjacking) |
| X-Content-Type-Options | nosniff |
| Content-Security-Policy | Restricted to self-origin |
| Referrer-Policy | strict-origin-when-cross-origin |
| Permissions-Policy | Camera, mic, geolocation disabled |
Developer API responses include API-appropriate headers instead:
| Header | Purpose |
|---|---|
| Cache-Control: no-store, private | Prevents caching of sensitive data |
| X-RateLimit-* | Rate limit status |
| Strict-Transport-Security | HTTPS enforcement |
Sensitive Data Filtering
- Passwords, tokens, API keys, and secrets are automatically redacted from all logs
- Authorization and cookie headers are excluded from request logging
- Security events are logged with structured fields for monitoring
DPDPA Compliance
In accordance with the Digital Personal Data Protection Act, 2023:
Right to Erasure
Users can permanently delete their account and all associated data via:
DELETE /api/users/me/account
Authorization: Bearer <access_token>
This deletes:
- User profile and credentials
- Watchlists, screeners, and saved filters
- API usage records and rate limit data
- AI conversation history
- Credit ledger entries
Financial records (orders, subscriptions) are anonymized rather than deleted to maintain audit trail integrity.
Data Retention
- Sessions: Auto-deleted 24 hours after expiry (TTL index)
- Rate limit records: Cleaned every 6 hours (records older than 24h)
- Blacklisted tokens: Auto-expire based on token TTL
- IP bans: Time-limited with automatic expiry
Security Cleanup Schedule
Automated security maintenance runs on a fixed schedule:
| Job | Frequency | What it does |
|---|---|---|
| Security cleanup | Every 6 hours | Removes expired sessions, IP bans, rate limit records, blacklisted tokens |
| Anomaly detection | Every 15 minutes | Scans for brute-force and credential stuffing patterns |
| Cache refresh | Hourly (7AM-11PM IST) | Refreshes data caches during operating hours |
Reporting Security Issues
If you discover a security vulnerability, please contact us immediately:
- Email: info@finscreener.in
- Response time: Acknowledgment within 7 business days
- Resolution: Within 30 calendar days
Do not publicly disclose security vulnerabilities before they have been addressed. Please use responsible disclosure practices.