Transport
All production traffic to fresnelpath.com is served over TLS. Connections on port 80 are redirected to HTTPS. The TLS configuration is managed at the infrastructure level and follows current security guidance.
Rate limiting
Analysis API endpoints are rate-limited per IP address. The rate limit is designed to allow normal interactive use while preventing automated bulk queries that would affect service availability for other users. If you encounter rate limit errors during legitimate use, contact us through the form below.
Input validation
Every API request body is validated by Pydantic before it reaches any business logic. FastAPI returns a 422 Unprocessable Entity response on schema mismatch, with the validation errors returned to the caller. Requests with malformed payloads are rejected before any database or propagation computation occurs.
Geographic coordinate inputs are validated against defined bounds. Frequency and power inputs are validated against physically plausible ranges. String inputs are length-bounded.
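As an added illustration (not FresnelPath's own code), a Pydantic request schema carrying the kinds of bounds described above, with a function that reproduces the FastAPI 422 path so the propagation computation is only reached by a validated body. The field names and the exact numeric ranges are assumptions chosen for the example.

```python
# Added example, not code from the FresnelPath project. Field names and the
# numeric ranges below are assumptions; the structure mirrors the page's
# description: validate with Pydantic first, reject with 422 on mismatch,
# and only then run any computation.
from pydantic import BaseModel, Field, ValidationError


class LinkAnalysisRequest(BaseModel):
    """Request body for a hypothetical point-to-point analysis endpoint."""
    name: str = Field(max_length=64)                    # length-bounded string
    tx_lat: float = Field(ge=-90.0, le=90.0)            # geographic bounds
    tx_lon: float = Field(ge=-180.0, le=180.0)
    rx_lat: float = Field(ge=-90.0, le=90.0)
    rx_lon: float = Field(ge=-180.0, le=180.0)
    frequency_mhz: float = Field(gt=0.0, le=100_000.0)  # assumed plausible RF range
    tx_power_dbm: float = Field(ge=-30.0, le=60.0)      # assumed plausible power range


def run_propagation(req: LinkAnalysisRequest) -> dict:
    """Stand-in for the real computation; only ever called with a validated body."""
    return {"name": req.name, "frequency_mhz": req.frequency_mhz, "ok": True}


def validate_request(payload: dict) -> tuple[int, dict]:
    """Validate a raw JSON body the way FastAPI does before a route runs.

    Returns (status, body). On schema mismatch the status is 422 and the body
    has FastAPI's shape: {"detail": [{"loc": ["body", field], "msg", "type"}]}.
    """
    try:
        req = LinkAnalysisRequest(**payload)
    except ValidationError as exc:
        errors = [
            {"loc": ["body", *e["loc"]], "msg": e["msg"], "type": e["type"]}
            for e in exc.errors()
        ]
        return 422, {"detail": errors}
    # Only a body that passed every field constraint reaches this point.
    return 200, run_propagation(req)
```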
CORS
Cross-Origin Resource Sharing (CORS) headers are restricted to known hosts. Requests from arbitrary origins are rejected by the CORS middleware at the application layer.
Authentication
Account passwords are not stored in plain text. Session tokens are carried in HttpOnly cookies, so they are not accessible to JavaScript running on the page. The analyzer's core functionality is available without authentication; accounts add project saving and sharing.
Dependencies
Python and Node.js dependencies are scanned for known vulnerabilities as part of the development workflow. Dependencies are updated when security advisories are published for packages in the dependency tree.
What we do not claim
We have not completed a third-party penetration test. We hold no SOC 2 or ISO 27001 certification. FresnelPath is a planning tool, not infrastructure for safety-critical or financial applications. Use it accordingly.
Vulnerability disclosure
If you discover a security vulnerability in FresnelPath — in the application, the API, or on the fresnelpath.com domain — please report it responsibly using the form below. Include:
- A description of the vulnerability and its potential impact
- Steps to reproduce
- Any relevant request/response data (redact personal information if it appears)
We will acknowledge receipt within 3 business days and aim to resolve confirmed vulnerabilities promptly. We do not currently offer a bug bounty program, but we credit researchers who report valid issues if they wish to be acknowledged.
Please do not disclose vulnerabilities publicly before we have had the opportunity to investigate and address them.