Security

Security posture for Invoice Guard. Controls will continue to harden as provider integrations expand.

Current controls

Accounts use hashed passwords, role-based admin access, CSRF protection for normal app forms, PostgreSQL migrations, and production readiness warnings for unsafe launch settings.

Provider credentials

Use sandbox or restricted read-only provider credentials first. Provider credentials can be revoked from the dashboard.

Operational guidance

Production should use HTTPS, PostgreSQL backups, a non-local APP_URL, configured PayPal webhooks, and a monitored business email.
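
The HTTPS and non-local APP_URL requirements above can be checked mechanically before launch. The following is an added example, not Invoice Guard's own code; the function name, the warning wording and the list of local hostname suffixes are assumptions, and the URLs in the comments are constructed samples.

```python
import ipaddress
from urllib.parse import urlsplit

# Hostname suffixes treated as local-only (assumption for this example).
LOCAL_SUFFIXES = (".localhost", ".local", ".internal", ".test")


def app_url_warnings(app_url):
    """Return readiness warnings for an APP_URL value; an empty list means OK."""
    try:
        parts = urlsplit((app_url or "").strip())
    except ValueError:  # e.g. malformed IPv6 literal
        return ["APP_URL is missing or is not an absolute URL"]
    host = (parts.hostname or "").rstrip(".").lower()
    if not parts.scheme or not host:
        return ["APP_URL is missing or is not an absolute URL"]

    warnings = []
    if parts.scheme != "https":
        warnings.append("APP_URL does not use HTTPS")
    if parts.username or parts.password:
        warnings.append("APP_URL embeds credentials")

    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None  # host is a name, not an IP literal

    if ip is not None:
        if ip.is_loopback or ip.is_private or ip.is_link_local or ip.is_unspecified:
            warnings.append("APP_URL points at a local or private address")
    elif host == "localhost" or host.endswith(LOCAL_SUFFIXES) or "." not in host:
        # Single-label names ("intranet") only resolve on a local network.
        warnings.append("APP_URL uses a local hostname")
    return warnings


if __name__ == "__main__":
    # Constructed sample values, not real deployments.
    for url in ("https://app.example.com", "http://127.0.0.1:5000", "https://invoices.local"):
        print(url, "->", app_url_warnings(url) or "ok")
```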

Not allowed

Do not submit provider account passwords or unrestricted live API keys for normal duplicate invoice review.

Report a concern

Email support@invoiceguardhq.com.