Security overview
How ShelfPilot protects commerce data
ShelfPilot is designed around account-scoped access, server-side token handling, and minimal connector permissions for weekly commerce reporting.
Authentication and sessions
- Passwords are hashed before storage.
- Session tokens are random, stored as hashes, and sent in HTTP-only cookies.
- State-changing requests are checked for same-origin browser behavior.
- Login and signup attempts are rate-limited.
Connector authorization
- Shopify authorization uses OAuth and HMAC validation.
- Amazon Selling Partner authorization uses the Login with Amazon / SP-API authorization flow with OAuth state checks.
- Connector tokens are scoped to the signed-in user account.
- Production deployments should set TOKEN_ENCRYPTION_KEY and REQUIRE_TOKEN_ENCRYPTION=true.
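The callback checks described above (HMAC validation of the Shopify OAuth redirect and the OAuth state check), as an added illustration that is not ShelfPilot's own code. It assumes the documented Shopify rule: every query parameter except hmac is sorted by key, joined as key=value pairs with '&', and signed with HMAC-SHA256 under the app's client secret. The secret, shop domain and code values are constructed sample data, and the signing helper exists only to build that sample; in production the hmac value arrives from Shopify.

```python
import hashlib
import hmac


def _canonical_message(params):
    """Build the string Shopify signs: every query parameter except hmac,
    sorted by key and joined as key=value pairs with '&'."""
    pairs = sorted((k, v) for k, v in params.items() if k != "hmac")
    return "&".join(f"{k}={v}" for k, v in pairs)


def sign_query(params, client_secret):
    """HMAC-SHA256 (hex) of the canonical message under the app's client secret.
    Shopify computes this on its side; it is included here only to construct sample input."""
    msg = _canonical_message(params).encode("utf-8")
    return hmac.new(client_secret.encode("utf-8"), msg, hashlib.sha256).hexdigest()


def verify_shopify_hmac(params, client_secret):
    """True only if the hmac parameter matches the recomputed signature.
    compare_digest keeps the comparison constant-time, so a mismatch does not
    leak how many leading characters were correct."""
    provided = params.get("hmac")
    if not provided:
        return False
    expected = sign_query(params, client_secret)
    return hmac.compare_digest(expected, provided.lower())


def validate_oauth_callback(params, client_secret, expected_state):
    """Check both the HMAC and the anti-CSRF state value (bound to the user's
    session when the flow started) before exchanging the code for a token."""
    if not verify_shopify_hmac(params, client_secret):
        return False
    return hmac.compare_digest(params.get("state", ""), expected_state)


if __name__ == "__main__":
    # Constructed sample callback; the secret and values are not real credentials.
    secret = "constructed-client-secret"
    callback = {
        "code": "constructedcode123",
        "shop": "example-store.myshopify.com",
        "state": "nonce-from-session",
        "timestamp": "1337178173",
    }
    callback["hmac"] = sign_query(callback, secret)
    print(validate_oauth_callback(callback, secret, "nonce-from-session"))  # True
    callback["shop"] = "other-store.myshopify.com"  # tampered parameter, signature no longer matches
    print(validate_oauth_callback(callback, secret, "nonce-from-session"))  # False
```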
Data minimization
ShelfPilot requests only the connector data needed for weekly reporting: recent sales, product, inventory, marketplace, advertising, and promotion signals. It does not collect payment card data, buyer passwords, or unnecessary customer identity fields.
Transport and browser protections
- Production traffic is served over HTTPS.
- Security headers include a Content-Security-Policy, X-Frame-Options set to deny framing, X-Content-Type-Options nosniff, a Referrer-Policy, and a Permissions-Policy.
- OAuth and session cookies use SameSite=Lax and Secure on HTTPS deployments.
Reporting security issues
Please report suspected vulnerabilities to meng@shelfpilot.io. Include affected URLs, steps to reproduce, and impact. We will acknowledge and triage security reports as quickly as practical.