Security at SlueHub

Families trust SlueHub with medical bills, ledgers, and memories. Here is how that trust is protected — in plain language, describing what is actually built.

Accounts & passwords

Strong password policy (12+ characters, common passwords and personal info rejected), bcrypt hashing, a password reset flow that reveals nothing about whether an account exists, failed-login lockout, and session revocation when a password changes. Email and phone verification are required before joining hubs.
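To make three of these controls concrete, here is an added illustration in Python of a password policy check, a failed-login lockout with a sliding window, and session revocation on password change. It is not SlueHub's code: the function names, the thresholds (five failures in fifteen minutes, fifteen-minute lock), the generation-counter approach to revocation and the small common-password list are all assumptions made for the example. Hashing with bcrypt is left to the bcrypt library and is not repeated here.

```python
"""Password policy, failed-login lockout and session revocation on password change.
Added illustration; not SlueHub's code. Names and thresholds are assumptions."""
import secrets
import time

MIN_LENGTH = 12
# Constructed sample denylist; a deployment would load a full breached-password list.
COMMON_PASSWORDS = {"password1234", "qwerty123456", "letmein12345"}


def check_password_policy(password, personal_info=()):
    """Return the reasons a password is rejected; an empty list means it passes."""
    problems = []
    lowered = password.lower()
    if len(password) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    if lowered in COMMON_PASSWORDS:
        problems.append("is a common password")
    for item in personal_info:
        item = item.strip().lower()
        # Only substantive fragments (3+ chars) are checked, so a one-letter initial does not trip it.
        if len(item) >= 3 and item in lowered:
            problems.append("contains personal info (%s)" % item)
    return problems


class LoginLockout:
    """Lock an account after `max_failures` failed attempts inside a sliding `window`."""

    def __init__(self, max_failures=5, window=900, lock_for=900):
        self.max_failures = max_failures
        self.window = window
        self.lock_for = lock_for
        self._failures = {}      # account -> list of recent failure timestamps
        self._locked_until = {}  # account -> time the lock expires

    def is_locked(self, account, now=None):
        now = time.time() if now is None else now
        return self._locked_until.get(account, 0) > now

    def record_failure(self, account, now=None):
        """Record a failed attempt; returns True if this attempt locked the account."""
        now = time.time() if now is None else now
        recent = [t for t in self._failures.get(account, []) if now - t < self.window]
        recent.append(now)
        self._failures[account] = recent
        if len(recent) >= self.max_failures:
            self._locked_until[account] = now + self.lock_for
            self._failures[account] = []
            return True
        return False

    def record_success(self, account):
        """A successful login (on an unlocked account) clears the failure history."""
        self._failures.pop(account, None)
        self._locked_until.pop(account, None)


class SessionStore:
    """Each session remembers the password 'generation' it was issued under; changing
    the password bumps the generation, which invalidates every earlier session at once."""

    def __init__(self):
        self._generation = {}  # user -> current password generation
        self._sessions = {}    # token -> (user, generation at issue time)

    def issue(self, user):
        token = secrets.token_urlsafe(32)
        self._sessions[token] = (user, self._generation.get(user, 0))
        return token

    def is_valid(self, token):
        entry = self._sessions.get(token)
        if entry is None:
            return False
        user, generation = entry
        return generation == self._generation.get(user, 0)

    def on_password_change(self, user):
        self._generation[user] = self._generation.get(user, 0) + 1
```

The generation counter means revocation is one integer increment rather than a scan over every stored session, and a session issued after the change is valid immediately because it records the new generation.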

Roles & permissions

Every hub uses Owner / Admin / Member / Viewer roles enforced on the server for every request. Invitations require both invitee acceptance and admin approval, so the wrong person can't join your family's space.

Data in transit & at rest

All traffic is encrypted with HTTPS. Documents and photos live in private object storage and are only reachable through short-lived signed links — there are no public file URLs.

Integrity & audit

Uploads are fingerprinted with SHA-256 so tampering is detectable, financial records carry verification status, and security-relevant actions (logins, uploads, approvals, exports) are recorded in an audit trail hub admins can review.
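The two sections above describe three mechanisms that fit together: a SHA-256 fingerprint recorded at upload time, short-lived signed links in place of public file URLs, and an audit trail of the actions around them. The following is an added illustration in Python, not SlueHub's code; the storage layout, the HMAC-based link signature, the five-minute lifetime, the URL shape and the audit record format are assumptions for the example.

```python
"""Upload fingerprinting, short-lived signed download links and an audit trail.
Added illustration; not SlueHub's code. Helper names, key handling and URL layout
are assumptions."""
import hashlib
import hmac
import time
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed sample key; a deployment keeps this in a secrets manager, never in code.
SIGNING_KEY = b"constructed-sample-key-rotate-me"
LINK_TTL = 300  # seconds a signed link stays valid

STORAGE = {}       # object key -> bytes (stand-in for a private bucket)
FINGERPRINTS = {}  # object key -> sha256 hex recorded at upload time
AUDIT_LOG = []     # list of (timestamp, actor, action, detail)


def audit(actor, action, detail, now=None):
    AUDIT_LOG.append((time.time() if now is None else now, actor, action, detail))


def store_upload(actor, key, data, now=None):
    """Store the bytes and record their SHA-256 so later tampering is detectable."""
    digest = hashlib.sha256(data).hexdigest()
    STORAGE[key] = data
    FINGERPRINTS[key] = digest
    audit(actor, "upload", "%s sha256=%s" % (key, digest), now)
    return digest


def verify_object(key):
    """Recompute the digest and compare it with the recorded one.
    False means the stored bytes no longer match what was uploaded."""
    data = STORAGE.get(key)
    if data is None or key not in FINGERPRINTS:
        return False
    return hmac.compare_digest(hashlib.sha256(data).hexdigest(), FINGERPRINTS[key])


def _signature(key, expires):
    # The expiry is part of the signed message, so it cannot be extended by editing the URL.
    msg = ("%s\n%d" % (key, expires)).encode()
    return hmac.new(SIGNING_KEY, msg, hashlib.sha256).hexdigest()


def make_signed_link(actor, key, now=None, ttl=LINK_TTL):
    """Build a link that stops working after `ttl` seconds; the bucket itself stays private."""
    now = time.time() if now is None else now
    expires = int(now) + ttl
    query = urlencode({"expires": expires, "sig": _signature(key, expires)})
    audit(actor, "export", "signed link for %s" % key, now)
    return "https://files.example.invalid/%s?%s" % (key, query)


def check_signed_link(url, now=None):
    """Return the object key if the signature matches and the link is unexpired, else None."""
    now = time.time() if now is None else now
    parsed = urlparse(url)
    key = parsed.path.lstrip("/")
    params = parse_qs(parsed.query)
    try:
        expires = int(params["expires"][0])
        sig = params["sig"][0]
    except (KeyError, ValueError, IndexError):
        return None
    if now > expires:
        return None
    # Constant-time comparison so a forged signature cannot be narrowed down byte by byte.
    if not hmac.compare_digest(sig, _signature(key, expires)):
        return None
    return key
```

Because the object key is inside the signed message, a link issued for one file cannot be rewritten to fetch a different one, and because each issued link is audited, an admin can see who exported what and when.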

Abuse protection

Login, signup, verification, invitations, and password reset are all rate-limited. Bot protection (Cloudflare Turnstile) guards public forms. Strict security headers (CSP, frame-ancestors, nosniff) ship on every response.

Responsible disclosure

Found a vulnerability? Email support@sluehub.com with details. We'll acknowledge quickly, keep you informed, and won't take action against good-faith research.

Related: Privacy Policy, Terms of Service, Cookie Policy.

Last updated: July 3, 2026 (beta).