Security & Trust
How MyNikkahOnline protects your data, your privacy, and your account against cyber threats.
Core Security Layers
Encrypted Passwords
Passwords are never stored in plain text. We hash them with bcrypt, an industry-standard one-way, deliberately slow algorithm that uses a unique random salt per user, so two people with the same password get different hashes and precomputed lookup tables are useless. Even our own team cannot recover your password from what we store.
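The hash-and-verify pattern described above, as an added example that is not MyNikkahOnline's own code. The site uses bcrypt; because bcrypt is a third-party package, this example uses scrypt from Python's standard library as a stand-in with the same properties (one-way, deliberately slow, fresh salt per hash). The record format `scrypt$<cost>$<salt>$<digest>` and the cost parameters are assumptions for the example.

```python
import hashlib
import hmac
import secrets

# Work-factor parameters (assumed for this example). These play the role of
# bcrypt's cost factor: raise SCRYPT_N until one hash takes ~100 ms on your servers.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1
SALT_BYTES = 16
DIGEST_BYTES = 32


def hash_password(password: str) -> str:
    """Hash a password for storage.

    A fresh random salt is drawn on every call and stored next to the digest,
    so two users with the same password get different records and a
    precomputed (rainbow) table is useless. Nothing in the stored string lets
    anyone, including the operator, recover the password.
    """
    salt = secrets.token_bytes(SALT_BYTES)
    digest = hashlib.scrypt(
        password.encode("utf-8"), salt=salt,
        n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=DIGEST_BYTES,
    )
    return f"scrypt${SCRYPT_N}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Check a login attempt against a stored record.

    Re-derives the digest with the stored salt and cost, then compares with
    hmac.compare_digest, whose running time does not depend on where the
    first mismatching byte is.
    """
    try:
        algo, n_str, salt_hex, digest_hex = stored.split("$")
        if algo != "scrypt":
            return False
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(digest_hex)
        actual = hashlib.scrypt(
            password.encode("utf-8"), salt=salt,
            n=int(n_str), r=SCRYPT_R, p=SCRYPT_P, dklen=len(expected),
        )
    except ValueError:
        # Malformed or corrupted record: treat as a failed login, never crash.
        return False
    return hmac.compare_digest(actual, expected)


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record)
    print(verify_password("correct horse battery staple", record))  # True
    print(verify_password("Correct horse battery staple", record))  # False
```

Storing the cost inside the record is what lets you raise the work factor later and re-hash each user transparently at their next successful login.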
OTP Email Verification
Every new account must verify its email address with a one-time password (OTP) before it can use the platform. OTPs expire after 10 minutes and are single-use, so a code that is intercepted or guessed later cannot be replayed.
HTTPS / TLS Encryption
All communication between your browser and our servers is encrypted in transit with TLS. Your personal data, messages and session cookies cannot be read or tampered with by anyone eavesdropping on the network, for example on public Wi-Fi.
CSRF Protection
Every form submission carries a Cross-Site Request Forgery (CSRF) token that the server verifies before acting on the request. This prevents a malicious website from making your browser perform actions on your behalf without your knowledge.
Rate Limiting
Login, registration, OTP and other sensitive endpoints are rate-limited. This throttles automated brute-force guessing and credential-stuffing bots instead of letting them hammer our API; a rate limit caps how many guesses an attacker can make, which is why it sits alongside the slow password hash rather than replacing it.
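A sliding-window rate limiter of the kind this layer describes, as an added example that is not the site's own code. The limits, the per-IP plus per-account keying, the login gate function and the in-process storage are all assumptions for the example; a real deployment keeps the counters in a shared store so every application instance sees them.

```python
import time
from collections import defaultdict, deque


class SlidingWindowLimiter:
    """Allow at most `limit` events per `window` seconds for each key.

    A per-key log of timestamps (sliding window) is used instead of a fixed
    per-minute counter, so a burst straddling a minute boundary cannot get
    twice the allowance. State is in-process here (assumption for the demo).
    """

    def __init__(self, limit: int, window: float, clock=time.monotonic):
        self.limit = limit
        self.window = window
        self.clock = clock
        self._hits = defaultdict(deque)

    def allow(self, key) -> bool:
        """Record one event for `key` if it is within budget, else deny it."""
        now = self.clock()
        hits = self._hits[key]
        cutoff = now - self.window
        while hits and hits[0] <= cutoff:  # drop events that left the window
            hits.popleft()
        if len(hits) >= self.limit:
            return False
        hits.append(now)
        return True

    def retry_after(self, key) -> float:
        """Seconds until the oldest in-window event expires (0.0 if not limited)."""
        hits = self._hits.get(key)
        if not hits or len(hits) < self.limit:
            return 0.0
        return max(0.0, hits[0] + self.window - self.clock())


def check_login_allowed(ip: str, username: str, ip_limiter, user_limiter):
    """Gate for the login endpoint; call it BEFORE touching the password hash.

    Two independent limits: per source IP (one bot trying many accounts) and
    per target account (a distributed credential-stuffing run trying one
    account from many IPs). Returns (allowed, retry_after_seconds).
    """
    ip_key = ("login", ip)
    if not ip_limiter.allow(ip_key):
        return False, ip_limiter.retry_after(ip_key)
    user_key = ("login", username.strip().lower())  # normalise so "Alice" == "alice"
    if not user_limiter.allow(user_key):
        return False, user_limiter.retry_after(user_key)
    return True, 0.0


class ManualClock:
    """Deterministic clock for demos and tests: advance with clock.t += seconds."""

    def __init__(self, start: float = 0.0):
        self.t = start

    def __call__(self) -> float:
        return self.t


if __name__ == "__main__":
    clock = ManualClock(1000.0)
    per_ip = SlidingWindowLimiter(limit=20, window=60.0, clock=clock)
    per_user = SlidingWindowLimiter(limit=5, window=300.0, clock=clock)
    for attempt in range(7):  # constructed burst against one account
        ok, wait = check_login_allowed("203.0.113.5", "alice", per_ip, per_user)
        print(f"attempt {attempt + 1}: allowed={ok} retry_after={wait:.0f}s")
```

Checking the limiter before the password hash matters: a denied attempt should cost the server nothing, and the per-account key should be applied to the submitted username whether or not that account exists, so the limiter itself does not reveal which usernames are registered.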
Injection Prevention
All database queries use parameterised statements, never raw string concatenation, so user input is always passed to the database as a value rather than as part of the SQL text. This closes off SQL injection for every value that comes from a user. User-submitted text is also HTML-escaped before it is rendered, to block cross-site scripting (XSS).
Secure Session Cookies
Session cookies are marked HttpOnly (page scripts cannot read them, so a script injected via XSS cannot steal your session) and SameSite=Lax (the browser does not attach them to cross-site requests other than top-level navigations such as clicking a link, which blocks cross-site form posts). In production they are also marked Secure, so they are only ever sent over HTTPS.
Open Redirect Blocked
After login, we validate the redirect destination before following it. Absolute URLs to other hosts and protocol-relative URLs (e.g. //evil.com, which browsers treat as a link to evil.com) are rejected, so you will only ever be redirected within MyNikkahOnline and a crafted login link cannot drop you on a phishing page.
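The kind of check described above, as an added example that is not the site's own code. It goes a little beyond the two cases named in the text and also rejects backslash variants, triple-slash forms, non-web schemes and embedded whitespace, all of which defeat a naive "starts with /" test. The allowed host list, the default landing page and the function names are assumptions for the example.

```python
from urllib.parse import urlsplit

# Hosts we are willing to redirect to (assumed for this example; a real
# deployment loads this from configuration).
ALLOWED_HOSTS = frozenset({"mynikkahonline.com", "www.mynikkahonline.com"})
DEFAULT_AFTER_LOGIN = "/dashboard"


def is_safe_redirect(target: str, allowed_hosts=ALLOWED_HOSTS) -> bool:
    """True only if following `target` keeps the user on this site.

    Accepts a site-relative path ("/matches?page=2") or an absolute http(s)
    URL whose host is in `allowed_hosts`. Everything else is rejected.
    """
    if not target:
        return False
    # Browsers treat a backslash like a forward slash, so "/\evil.com" is
    # navigated as "//evil.com". Normalise before parsing.
    candidate = target.replace("\\", "/")
    # Whitespace and control characters can change how a browser parses the URL.
    if any(ch.isspace() or ord(ch) < 0x20 for ch in candidate):
        return False
    parts = urlsplit(candidate)
    # Only web schemes: "javascript:" and "data:" are never redirect targets.
    if parts.scheme and parts.scheme.lower() not in ("http", "https"):
        return False
    if not parts.netloc:
        # No authority component, so it must be a plain absolute path.
        # "//evil.com" and "///evil.com" both become a host in the browser.
        return candidate.startswith("/") and not candidate.startswith("//")
    # Absolute URL: the parsed host (userinfo and port stripped) must be ours.
    return (parts.hostname or "").lower() in allowed_hosts


def redirect_target(requested: str, allowed_hosts=ALLOWED_HOSTS) -> str:
    """Destination after login: the requested one if it is safe, else the default."""
    if is_safe_redirect(requested, allowed_hosts):
        return requested
    return DEFAULT_AFTER_LOGIN


if __name__ == "__main__":
    # Constructed inputs: what a login link's redirect parameter might carry.
    for url in ["/matches?page=2", "//evil.com", "/\\evil.com", "///evil.com",
                "https://www.mynikkahonline.com@evil.com/", "javascript:alert(1)"]:
        print(f"{url!r:45} -> {redirect_target(url)}")
```

Parsing with `urlsplit` and checking `hostname` (rather than `netloc`) is what catches `https://www.mynikkahonline.com@evil.com/`: the trusted name is only the userinfo part, and the real host is evil.com.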
Account & Access Security
- Password verification uses a constant-time comparison, so response timing does not reveal whether an account exists or how close a guess was. This blocks timing-based user enumeration.
- The forgot-password flow sends a signed, time-limited reset link that expires after 1 hour. Tokens are produced by a cryptographically signed serializer, so they cannot be forged or altered, and each token can be redeemed only once. The response message is identical whether or not the email address is registered, so the form cannot be used to enumerate users.
- Management panels are role-gated: only accounts that hold an explicit admin role, with separately granted elevated privileges, can reach them.
- Inactive, blocked or soft-deleted accounts cannot log in, even with the correct password.
- All admin and other sensitive actions are written to a tamper-evident audit log with a timestamp and the acting user's ID.
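The signed, time-limited, single-use reset token described in the list above, as an added example that is not the site's own code. It builds the token from standard-library HMAC rather than the serializer library the site uses; the token layout (`base64(payload).base64(HMAC-SHA256)`), the field names, the class name and the in-memory record of redeemed nonces are assumptions for the example. The one-hour lifetime is the figure stated on this page.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

RESET_TOKEN_TTL = 3600  # one hour, as stated on the page


def _b64encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class ResetTokenService:
    """Issue and redeem password-reset tokens that are signed, expiring and single-use.

    Token = <base64(payload)>.<base64(HMAC-SHA256 over the payload)>. The MAC
    means the user id and issue time cannot be altered or forged without the
    server key; issue time plus TTL gives expiry; a record of redeemed nonces
    gives single use.
    """

    def __init__(self, key: bytes, ttl: int = RESET_TOKEN_TTL, clock=time.time):
        self.key = key
        self.ttl = ttl
        self.clock = clock
        self._redeemed = set()  # nonces already used (assumed in-memory; a DB in production)

    def issue(self, user_id: int) -> str:
        payload = {"uid": user_id, "iat": int(self.clock()), "nonce": secrets.token_urlsafe(16)}
        body = _b64encode(json.dumps(payload, separators=(",", ":")).encode("utf-8"))
        tag = hmac.new(self.key, body.encode("ascii"), hashlib.sha256).digest()
        return f"{body}.{_b64encode(tag)}"

    def redeem(self, token: str):
        """Return the user id if `token` is authentic, unexpired and unused; else None.

        The signature is verified before the payload is parsed, so nothing
        attacker-controlled is interpreted until it is known to be ours.
        """
        try:
            body, tag_text = token.split(".", 1)
            expected = hmac.new(self.key, body.encode("ascii"), hashlib.sha256).digest()
            if not hmac.compare_digest(expected, _b64decode(tag_text)):
                return None  # forged or tampered
            payload = json.loads(_b64decode(body))
            user_id, issued_at, nonce = payload["uid"], payload["iat"], payload["nonce"]
        except (ValueError, TypeError, KeyError, UnicodeError):
            return None  # malformed token
        if self.clock() - issued_at > self.ttl:
            return None  # expired
        if nonce in self._redeemed:
            return None  # already used
        self._redeemed.add(nonce)
        return user_id


class ManualClock:
    """Deterministic clock for demos and tests: advance with clock.t += seconds."""

    def __init__(self, start: float):
        self.t = start

    def __call__(self) -> float:
        return self.t


if __name__ == "__main__":
    service = ResetTokenService(key=secrets.token_bytes(32))  # key assumed from config
    token = service.issue(42)
    print(token)
    print(service.redeem(token))  # 42
    print(service.redeem(token))  # None: second use is refused
```

In a real deployment the redeemed-nonce record lives in the database, and a successful password change should also invalidate any reset tokens still outstanding for that user.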
Data Privacy & Moderation
- Contact details (mobile number, email address) are never shown publicly. They are revealed only to mutual matches, and only with your consent.
- Profile photos go through a manual admin review before being published — no unmoderated images appear to other users.
- All profile text fields are screened for vulgar, abusive or otherwise inappropriate content before they are saved.
- Users can block any profile. Blocked users cannot view your profile, send interest, or message you.
- Any member can report another profile. Reports are reviewed by our moderation team within 24 hours.
- Uploaded private documents (ID proofs) are stored outside the public web root, so they can never be fetched by guessing or sharing a direct URL.
Infrastructure & Response Headers
- X-Frame-Options: SAMEORIGIN — prevents clickjacking by disallowing our pages from being embedded in iframes on other sites.
- X-Content-Type-Options: nosniff — tells browsers not to sniff MIME types, blocking MIME-confusion attacks.
- X-XSS-Protection — instructs legacy browsers to activate their built-in XSS filter. Current browsers have removed that filter and ignore the header; for them, output escaping and the Content Security Policy below are the controls that matter.
- Referrer-Policy: strict-origin-when-cross-origin — limits referrer information sent to third-party sites.
- Content Security Policy (CSP) — restricts the origins from which the browser may load scripts, styles and other resources, so that even if an XSS bug slipped past output escaping, injected script would be blocked from running.
- Database connections use connection pooling with pre-ping checks, so a connection that the database or a firewall has silently dropped is detected and replaced before a request uses it, instead of failing mid-request.
🔍 Found a Vulnerability?
We take security seriously. If you discover a bug or potential security issue, please report it responsibly to our team rather than disclosing it publicly. We respond to all reports within 48 hours.
Report a Security Issue