Security at SlueHub
Families trust SlueHub with medical bills, ledgers, and memories. Here is how that trust is protected — in plain language, describing what is actually built.
Accounts & passwords
Strong password policy (12+ characters, common passwords and personal info rejected), bcrypt hashing, a password reset flow that reveals nothing about whether an account exists, failed-login lockout, and session revocation when a password changes. Email and phone verification are required before joining hubs.
Roles & permissions
Every hub uses Owner / Admin / Member / Viewer roles enforced on the server for every request. Invitations require both invitee acceptance and admin approval, so the wrong person can't join your family's space.
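As an added illustration of the two points above (server-side role checks on every request, and an invitation that takes effect only after both the invitee and an admin say yes), here is a small Python model. It is example code written for this page, not SlueHub's implementation; the role ordering, the action-to-role mapping, and the function names are assumptions.

```python
"""Added example (not SlueHub's code): server-side role enforcement and a
two-party invitation flow for a family hub."""
from dataclasses import dataclass, field

# Role hierarchy from most to least privileged. The four role names come
# from the page; their ranking is an assumption for this example.
ROLE_RANK = {"owner": 3, "admin": 2, "member": 1, "viewer": 0}

# Minimum role each action needs (assumed mapping, not SlueHub's policy).
REQUIRED_ROLE = {
    "view_document": "viewer",
    "upload_document": "member",
    "approve_invite": "admin",
    "delete_hub": "owner",
}


class Forbidden(Exception):
    """Raised when the server refuses an action; the client is never trusted."""


@dataclass
class Hub:
    members: dict = field(default_factory=dict)  # user_id -> role name
    invites: dict = field(default_factory=dict)  # invite_id -> pending state


def role_of(hub, user_id):
    """Role the user holds in this hub, or None for non-members."""
    return hub.members.get(user_id)


def authorize(hub, user_id, action):
    """Check run on the server for every request. Non-members have no role
    and are denied before any role comparison happens."""
    role = role_of(hub, user_id)
    if role is None:
        raise Forbidden(f"{user_id} is not a member of this hub")
    if ROLE_RANK[role] < ROLE_RANK[REQUIRED_ROLE[action]]:
        raise Forbidden(f"role {role} may not {action}")
    return True


def create_invite(hub, admin_id, invite_id, invitee_id):
    """Only an admin or owner may invite; the invitee is not a member yet."""
    authorize(hub, admin_id, "approve_invite")
    hub.invites[invite_id] = {"invitee": invitee_id, "accepted": False, "approved": False}


def accept_invite(hub, invite_id, user_id):
    """The invitee accepts. Returns True only if membership was granted."""
    inv = hub.invites[invite_id]
    if inv["invitee"] != user_id:
        raise Forbidden("invite belongs to a different user")
    inv["accepted"] = True
    return _finalize(hub, invite_id)


def approve_invite(hub, invite_id, admin_id):
    """An admin approves. Returns True only if membership was granted."""
    authorize(hub, admin_id, "approve_invite")
    hub.invites[invite_id]["approved"] = True
    return _finalize(hub, invite_id)


def _finalize(hub, invite_id):
    """Membership is granted only once BOTH sides have agreed, in either order."""
    inv = hub.invites[invite_id]
    if inv["accepted"] and inv["approved"]:
        hub.members[inv["invitee"]] = "member"  # new joiners start as Member (assumption)
        del hub.invites[invite_id]
        return True
    return False
```

The point worth noticing is that neither `accept_invite` nor `approve_invite` alone changes `hub.members`; a stolen or forwarded invite link cannot add someone the admins did not approve, and an admin cannot add someone who never accepted.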
Data in transit & at rest
All traffic is encrypted with HTTPS. Documents and photos live in private object storage and are only reachable through short-lived signed links — there are no public file URLs.
Integrity & audit
Uploads are fingerprinted with SHA-256 so tampering is detectable, financial records carry verification status, and security-relevant actions (logins, uploads, approvals, exports) are recorded in an audit trail hub admins can review.
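To make the "short-lived signed links" and "SHA-256 fingerprint" statements above concrete, here is a Python example written for this page (not SlueHub's code). It issues an HMAC-signed download link with an expiry, rejects expired or tampered links, and checks a stored SHA-256 fingerprint against the bytes served. The host name, key, and function names are assumptions.

```python
"""Added example (not SlueHub's code): expiring signed links to private
objects, plus SHA-256 fingerprint checks on upload and download."""
import hashlib
import hmac
import time
from urllib.parse import parse_qs, urlencode, urlparse

# Server-side secret; a constructed placeholder, never a real key.
SIGNING_KEY = b"constructed-example-key-do-not-use"
STORAGE_HOST = "https://files.example.invalid"  # assumed host for the example


def _payload(object_key, expires):
    # Bind the signature to both the object and its expiry time.
    return f"{object_key}\n{expires}".encode()


def sign_link(object_key, ttl_seconds, now=None, key=SIGNING_KEY):
    """Return a URL that is valid for ttl_seconds. Only the server holds `key`,
    so clients cannot mint links for other objects or extend the expiry."""
    now = int(time.time()) if now is None else int(now)
    expires = now + ttl_seconds
    sig = hmac.new(key, _payload(object_key, expires), hashlib.sha256).hexdigest()
    return f"{STORAGE_HOST}/{object_key}?" + urlencode({"expires": expires, "sig": sig})


def verify_link(url, now=None, key=SIGNING_KEY):
    """True only if the link is unexpired and its signature matches the path
    and expiry exactly. Any missing or malformed parameter is a rejection."""
    now = int(time.time()) if now is None else int(now)
    parsed = urlparse(url)
    object_key = parsed.path.lstrip("/")
    params = parse_qs(parsed.query)
    try:
        expires = int(params["expires"][0])
        sig = params["sig"][0]
    except (KeyError, ValueError, IndexError):
        return False
    if now > expires:
        return False
    expected = hmac.new(key, _payload(object_key, expires), hashlib.sha256).hexdigest()
    # Constant-time comparison so a mismatch leaks nothing about the expected value.
    return hmac.compare_digest(expected, sig)


def fingerprint(data):
    """SHA-256 hex digest recorded at upload time."""
    return hashlib.sha256(data).hexdigest()


def matches_fingerprint(data, recorded):
    """Recompute on download and compare against the stored fingerprint."""
    return hmac.compare_digest(fingerprint(data), recorded)


if __name__ == "__main__":
    # Constructed sample: a family bill uploaded and later fetched.
    upload = b"constructed sample PDF bytes"
    stored_fp = fingerprint(upload)
    link = sign_link("family/bills/2026-06.pdf", ttl_seconds=300)
    print("link valid now:", verify_link(link))
    print("content intact:", matches_fingerprint(upload, stored_fp))
    print("tampered detected:", not matches_fingerprint(upload + b"x", stored_fp))
```

Because the signature covers the object path, a link for one file cannot be edited into a link for another, and because it covers the expiry, the window cannot be stretched by changing the `expires` parameter. The fingerprint check is what turns silent corruption or modification in storage into a detectable event.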
Abuse protection
Login, signup, verification, invitations, and password reset are all rate-limited. Bot protection (Cloudflare Turnstile) guards public forms. Strict security headers (CSP, frame-ancestors, nosniff) ship on every response.
Responsible disclosure
Found a vulnerability? Email support@sluehub.com with details. We'll acknowledge quickly, keep you informed, and won't take action against good-faith research.
Related: Privacy Policy, Terms of Service, Cookie Policy.
Last updated: July 3, 2026 (beta).