> ## Documentation Index
> Fetch the complete documentation index at: https://docs.finscreener.in/llms.txt
> Use this file to discover all available pages before exploring further.

# Security & Data Protection

> How Finscreener protects your data and ensures platform security

## Overview

Finscreener is committed to the security promises made in our [Terms & Conditions](https://finscreener.in/TermAndConditions) and [Privacy Policy](https://finscreener.in/TermAndConditions). This page details the technical measures we implement to protect your data and the platform.

## Authentication & Access Control

### API Key Authentication

* All API keys use the `fsk_` prefix for identification
* Keys are **SHA-256 hashed** before storage — we never store raw keys
* Last-used timestamps are tracked for monitoring

### JWT Token Management

* **Access tokens** expire after 1 hour
* **Refresh tokens** are long-lived for seamless renewal
* Tokens are **blacklisted on logout** (Redis-first, MongoDB fallback)
* Separate signing secrets for access and refresh tokens

### Session Security

* Session cookies are `HttpOnly`, `Secure`, and `SameSite=Lax`
* Sessions have a fixed 24-hour TTL (no sliding window)
* All sessions are invalidated on account suspension

### Role-Based Access Control

* Admin and user roles with granular endpoint-level permissions
* Per-user daily API quotas with automatic reset
* Permission checks on every authenticated request

## Account Protection

### Rate Limiting

Rate limits protect against brute-force attacks:

| Endpoint     | Max Attempts | Window      |
| ------------ | ------------ | ----------- |
| Login        | 10           | 15 minutes  |
| Registration | 3            | 60 minutes  |
| Detail APIs  | 100/day      | Daily reset |

Rate limit headers are included in Developer API responses:

```
X-RateLimit-Limit: 100
X-RateLimit-Remaining: 95
X-RateLimit-Reset: 2026-03-25T23:59:59Z
```

### Account Suspension

Accounts exhibiting suspicious activity may be suspended. Suspended accounts:

* Cannot log in or access any API endpoint
* Have all active sessions immediately invalidated
* Receive a clear error message with support contact info

### IP-Based Blocking

* Malicious request patterns (path traversal, file inclusion, CMS probes) trigger automatic IP bans
* IP blocks are **persistent** (stored in MongoDB, survive server restarts)
* Bans are time-limited (24h for pattern violations, 48h for brute-force)
* Admins can manually block/unblock IPs

### Automated Threat Detection

Every 15 minutes, the platform scans for:

* **Brute-force attacks**: IPs with 20+ failed auth attempts are auto-blocked for 48 hours
* **Credential stuffing**: Accounts targeted by excessive failed logins are flagged

## Data Security

### Encryption

* **In transit**: All connections use TLS/SSL encryption
* **Password hashing**: Bcrypt with 12 salt rounds (industry standard)
* **API keys**: SHA-256 hashed before database storage

### Security Headers

All browser-facing responses include:

| Header                      | Value                             |
| --------------------------- | --------------------------------- |
| `Strict-Transport-Security` | 1 year, including subdomains      |
| `X-Frame-Options`           | DENY (prevents clickjacking)      |
| `X-Content-Type-Options`    | nosniff                           |
| `Content-Security-Policy`   | Restricted to self-origin         |
| `Referrer-Policy`           | strict-origin-when-cross-origin   |
| `Permissions-Policy`        | Camera, mic, geolocation disabled |

Developer API responses include API-appropriate headers instead:

| Header                             | Purpose                            |
| ---------------------------------- | ---------------------------------- |
| `Cache-Control: no-store, private` | Prevents caching of sensitive data |
| `X-RateLimit-*`                    | Rate limit status                  |
| `Strict-Transport-Security`        | HTTPS enforcement                  |

### Sensitive Data Filtering

* Passwords, tokens, API keys, and secrets are **automatically redacted** from all logs
* Authorization and cookie headers are excluded from request logging
* Security events are logged with structured fields for monitoring

## DPDPA Compliance

In accordance with the Digital Personal Data Protection Act, 2023:

### Right to Erasure

Users can permanently delete their account and all associated data via:

```bash theme={null}
DELETE /api/users/me/account
Authorization: Bearer <access_token>
```

This deletes:

* User profile and credentials
* Watchlists, screeners, and saved filters
* API usage records and rate limit data
* AI conversation history
* Credit ledger entries

Financial records (orders, subscriptions) are **anonymized** rather than deleted to maintain audit trail integrity.

### Data Retention

* **Sessions**: Auto-deleted 24 hours after expiry (TTL index)
* **Rate limit records**: Cleaned every 6 hours (records older than 24h)
* **Blacklisted tokens**: Auto-expire based on token TTL
* **IP bans**: Time-limited with automatic expiry

## Security Cleanup Schedule

Automated security maintenance runs on a fixed schedule:

| Job               | Frequency             | What it does                                                              |
| ----------------- | --------------------- | ------------------------------------------------------------------------- |
| Security cleanup  | Every 6 hours         | Removes expired sessions, IP bans, rate limit records, blacklisted tokens |
| Anomaly detection | Every 15 minutes      | Scans for brute-force and credential stuffing patterns                    |
| Cache refresh     | Hourly (7AM-11PM IST) | Refreshes data caches during operating hours                              |

## Reporting Security Issues

If you discover a security vulnerability, please contact us immediately:

* **Email**: [info@finscreener.in](mailto:info@finscreener.in)
* **Response time**: Acknowledgment within 7 business days
* **Resolution**: Within 30 calendar days

<Warning>
  Do not publicly disclose security vulnerabilities before they have been addressed. Please use responsible disclosure practices.
</Warning>
