Security
Built like it handles money.
Currents tracks your financial life. That deserves the same care a real fintech ships with — not the "we'll add security later" approach common to indie products.
Principles
Four ideas that shape every decision.
Minimum data, maximum care.
We collect what we need to run the product, and nothing more. Your transactions exist because you typed them. Operational data (sessions, login events) is kept short — 90 days max — and auto-purged.
Defense in depth.
No single layer is the only line. Auth + CSRF + rate limits + CAPTCHA + headers + logging. If one is bypassed, the next still stands.
Visibility over silence.
You can see every device signed into your account, every recent sign-in attempt, every security event affecting your account. We email you when something unusual happens.
Reversible by default.
Account deletion is soft for 30 days. Password resets are confirmed by email. Sensitive changes trigger notifications. We design for the case where you change your mind, or where someone else is acting as you.
What we do
The specifics.
No abstractions. These are the concrete practices in production right now.
Authentication
1. Passwords hashed with bcrypt (cost factor 10) — we never see your plaintext password
2. Email verification required before app access
3. Password reset via signed, single-use, one-hour tokens
4. Session invalidation on password change — every device signed out immediately
5. Optional OAuth sign-in (Google) — no password to leak
Session management
1. JWT sessions bound to a cryptographically unique session identifier
2. Session version stored server-side and checked on every authenticated request — invalidation takes effect within seconds
3. Active sessions visible in Settings → Security with device, IP, and last-seen time
4. Per-session revocation, or sign-out-all-other-devices with one click
5. Inactive sessions auto-purged after 90 days
Request integrity
1. CSRF protection on every state-changing endpoint (double-submit with HMAC signature)
2. All traffic encrypted in transit with TLS
3. Strict Content Security Policy preventing inline-script injection
4. X-Frame-Options DENY — Currents can't be embedded in iframes (anti-clickjacking)
5. HSTS with two-year max-age for browsers that have seen Currents
6. Cross-Origin policies (COOP/CORP) isolating Currents from cross-origin windows and resource loads
Abuse prevention
1. Rate limits on every auth endpoint (5/min login per IP+email, 3/hour signup, 3/hour password reset)
2. Cloudflare Turnstile CAPTCHA on signup and password reset — privacy-first, no Google
3. Login attempts logged (successful and failed) with IP and device, visible to the user
4. New-device email alerts when an unrecognized fingerprint signs in
5. Account enumeration prevented — forgot-password endpoint always returns success
Data handling
1. Data encrypted at rest by our database provider (MongoDB Atlas)
2. Every API route enforces user-scoped queries — no path through the codebase reveals another user's data
3. Tokens (email verification, password reset, restore) stored as SHA-256 hashes — useless if the database leaks
4. Soft-delete with 30-day restore window — accidental deletions can be reversed
5. Hard delete after 30 days via automated cron — cascades through all user data (transactions, accounts, categories, budgets, tokens, sessions)
Operational
1. Security headers (CSP, HSTS, Referrer-Policy, Permissions-Policy, etc.) sent on every response
2. Environment secrets isolated per environment; never committed to source control
3. Dependencies kept current; security advisories monitored
4. Errors logged server-side without leaking sensitive details to clients
5. Cookies marked Secure and SameSite=Lax where applicable
Equally important
What we don't do.
We don't analyze your transactions.
No machine learning on your spending patterns. No category-level analytics shipped to third parties. We don't know what you spent on last Tuesday, and we don't want to.
We don't sell or share data.
No data brokers. No advertising partners. No "anonymized aggregated insights" sold to marketers. The only third parties who touch your data are the infrastructure providers required to run the service — listed transparently in our Privacy Policy.
We don't use trackers or ad SDKs.
No Facebook Pixel, no Google Analytics, no Segment, no Mixpanel, no LogRocket. Inspect the network panel — what you'll see is our own API and the small number of services that make the app work.
Found a vulnerability?
If you believe you've found a security issue in Currents, please report it responsibly. We treat security reports with priority and gratitude.
How to report:
- Email mdsabbirhowlader420@gmail.com with the subject line starting [Security]
- Include a clear description of the issue, reproduction steps, and the impact you believe it has
- Give us a reasonable window to investigate and fix before publicly disclosing
What we ask:
- Don't access, modify, or exfiltrate data that isn't yours
- Don't use automated scanners that generate heavy load
- Don't test denial-of-service attacks
- Don't social-engineer users, staff, or contractors
We don't have a formal bug bounty yet, but if your report leads to a fix we'll publicly credit you (with your permission) in the changelog, and as paid plans launch we'll set aside budget for meaningful payouts on critical issues.
More questions?
See the FAQ or read the Privacy Policy. For anything not answered there, email directly.