Skip to main content

Security Architecture

Finanzapp employs a multi-layered security approach to protect user data and ensure safe financial management. Our security infrastructure separates the frontend presentation layer from backend authentication and data processing, implemented across distributed systems.
The visual interface (UI/UX) is separated from backend logic. All authentication, API handling, and sensitive data operations are managed on our secure remote server at finanzapp.es.

Security Principles

Our platform is built on the following core security principles:

1. Defense in Depth

Multiple layers of security controls protect user data:
  • Client-side validation - Input validation before submission (see js/validationUtils.js:18-28)
  • Server-side validation - Backend verification on remote servers
  • Transport encryption - All communications via HTTPS
  • Session management - PHP session handling with secure configurations

2. Separation of Concerns

The frontend repository contains only UI/UX code. Backend logic, APIs, user registration, login, and personal data management are handled separately on our secure remote infrastructure.
This architectural separation ensures:
  • No sensitive data in the frontend codebase
  • Reduced attack surface for the client application
  • Independent security updates for frontend and backend
  • Centralized security controls on the backend

3. Secure Communication

All client-server communications use:
  • HTTPS protocol for encrypted data transmission
  • Secure endpoints hosted at pro.finanzapp.es
  • XHR headers with X-Requested-With: XMLHttpRequest for AJAX requests
// Example from loginValidation.js:58-59
xhr.open('POST', 'https://pro.finanzapp.es/app/auth/sendLogin.php', true);
xhr.setRequestHeader('X-Requested-With', 'XMLHttpRequest');

4. Input Validation

Comprehensive validation on both client and server:
Email addresses must match standard format patterns:
// From validationUtils.js:19-22
function validateEmail(email) {
    const re = /^[^\s@]+@[^\s@]+\.[^\s@]+$/;
    return re.test(email);
}
Passwords must meet minimum security standards:
  • Minimum 8 characters
  • At least one uppercase letter
  • At least one number
// From validationUtils.js:25-28
function validatePassword(password) {
    const re = /^(?=.*[A-Z])(?=.*\d).{8,}$/;
    return re.test(password);
}

5. Session Security

PHP session management with security best practices:
  • Session start check to prevent duplicate sessions (config/config.php:13-15)
  • Language preferences stored in sessions
  • CSRF token protection in forms (login.php:131)

Security Infrastructure

Frontend Repository Scope

What’s included:
  • User interface and visual design
  • Client-side input validation
  • reCAPTCHA v3 integration
  • Google OAuth integration (UI only)
  • Navigation and user experience
What’s NOT included:
  • Authentication logic
  • User credential storage
  • API implementation
  • Database operations
  • Token generation and validation

Remote Server Responsibilities

All sensitive operations are handled on finanzapp.es:
  • User registration and authentication
  • Password hashing and storage
  • Session token generation
  • Database queries and data storage
  • Financial transaction processing
  • Personal information management
This frontend repository does NOT manage authentication tokens, user credentials, or any sensitive data. All access control and authentication are handled securely on the remote server.

Security Standards

Compliance

Finanzapp adheres to:
  • GDPR - European data protection regulations
  • HTTPS everywhere - Encrypted connections for all traffic
  • Secure cookie policies - See Cookie Policy
  • Privacy by design - See Privacy Policy

Data Protection

User data is protected through:
  • Encryption in transit (HTTPS)
  • Encryption at rest (server-side)
  • Access controls and authentication
  • Regular security audits
  • Secure data retention policies

Reporting Security Issues

We take security seriously and appreciate responsible disclosure.

For Frontend Issues

If you discover a vulnerability in the UI/visual implementation:
  • Open an issue in the repository
  • Contact us directly for sensitive matters

For Backend Issues

For vulnerabilities related to the remote server, API, or sensitive data handling, contact our security team immediately:Email: [email protected]
We appreciate community collaboration in maintaining a secure platform.

Authentication

Learn about reCAPTCHA v3, Google OAuth, and brute-force protection

Data Protection

Understand encryption, privacy policies, and data handling practices

Security Contact

For security-related inquiries:

Build docs developers (and LLMs) love

Get started for freeTalk to us