Security

Security at Fixmo

Your repair shop data deserves enterprise-grade protection. Fixmo implements multiple layers of security to keep your business, customer, and financial information safe.

Authentication & Sessions

  • Secure, encrypted session cookies that cannot be accessed by JavaScript or third-party scripts
  • Intelligent rate limiting on all authentication endpoints to block brute-force attacks
  • Industry-standard password hashing with adaptive cost factors
  • Automatic session expiration and secure logout across all devices
  • Multi-factor authentication support for administrator accounts

Access Control

  • Granular role-based permissions: Admin, Manager, Technician, Cashier
  • Branch-level data isolation — each branch sees only its own data
  • Cryptographically signed session tokens that cannot be tampered with
  • Automatic permission verification on every API request
  • Protected redirect flows that prevent open redirect attacks

Data Protection

  • All uploaded files are stored privately with time-limited access links
  • Repair tracking uses unique, unguessable share tokens — never database IDs
  • Parameterized database queries on every endpoint prevent SQL injection
  • Strict input validation with business-appropriate limits on all fields
  • Customer data is scoped per shop — complete tenant isolation

Infrastructure

  • HTTPS enforced everywhere with HSTS preload (2-year policy)
  • Content Security Policy restricts which resources the browser can load
  • Clickjacking protection prevents embedding in malicious iframes
  • MIME type sniffing protection on all responses
  • Enterprise-grade DDoS protection and global CDN via Cloudflare
  • Restricted cross-origin resource sharing (CORS) — only authorized domains

Password Security

  • Password reset links expire after 1 hour and work only once
  • Email verification links expire after 24 hours
  • Immediate email notification when your password is changed
  • Prevention of password reuse during reset
  • Separate rate limits per account and per device on all auth flows

Application Security

  • All user-generated content is sanitized before rendering to prevent XSS attacks
  • Strict Content Security Policy prevents unauthorized script execution
  • All numeric inputs validated with minimum and maximum business limits
  • File uploads restricted by type and size with server-side validation
  • Camera access explicitly controlled through browser permissions policy

Security Practices

Regular security audits and code reviews

Time-limited access tokens for all sensitive operations

WebAuthn biometric authentication for admin access

Principle of least privilege across all roles

Privacy-first design — your data belongs to you

Responsible Disclosure

Found a security vulnerability? We appreciate responsible disclosure. Please report security issues directly to our security team — do not open a public GitHub issue.

[email protected]