Security
Conventional controls, explicit boundaries.
Under Review uses Cloudflare for encrypted HTTPS delivery and authentication. The application independently verifies identity and authorization before accepting changes.
Application controls
- Cloudflare Access identity tokens are cryptographically verified against the configured issuer and audience.
- Write operations require authenticated authorization and CSRF validation.
- Comments, selections, ratings, account changes, and exports are recorded in audit history.
- Security headers restrict framing, content sources, MIME interpretation, and referrer disclosure.
- Original media remains on the configured source platform, including Frame.io where applicable.
Reporting a concern
If you discover a security issue, contact the project owner who provided your workspace link. Include the affected URL, time observed, browser, and a concise reproduction. Do not include authentication cookies, one-time codes, private media, or other secrets.
The machine-readable policy is available at /.well-known/security.txt.