Sessions
Sessions are stored in signed HTTP-only cookies with same-site protection and production secure-cookie settings.
API protection
Dashboard, deposit, withdrawal, and KYC routes validate the active session server-side before returning data or changing account state.
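The following is an added example, not this site's own code: it shows in Python how a signed session cookie with the attributes described above can be issued, and how a protected route validates it server-side before returning data. The cookie name, key, `SameSite=Lax` value, one-hour lifetime and all function names are assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import json
import time

# Assumptions for this example: a constructed demo key and a one-hour session lifetime.
SECRET = b"constructed-demo-key-do-not-reuse"
MAX_AGE = 3600

def b64(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign(payload):
    # HMAC-SHA256 over the encoded payload; only the server holds SECRET.
    return b64(hmac.new(SECRET, payload.encode(), hashlib.sha256).digest())

def issue_cookie(user_id, production, now=None):
    """Return a Set-Cookie header value carrying a signed session."""
    issued = int(time.time() if now is None else now)
    payload = b64(json.dumps({"uid": user_id, "iat": issued}).encode())
    attrs = ["HttpOnly", "SameSite=Lax", "Path=/", "Max-Age=%d" % MAX_AGE]
    if production:
        attrs.append("Secure")  # HTTPS-only in production
    return "session=%s.%s; %s" % (payload, sign(payload), "; ".join(attrs))

def validate_session(cookie_value, now=None):
    """Return the user id for an authentic, unexpired cookie, else None."""
    payload, sep, sig = (cookie_value or "").partition(".")
    # Constant-time comparison; the payload is parsed only after the MAC checks out.
    if not sep or not hmac.compare_digest(sign(payload).encode(), sig.encode()):
        return None
    data = json.loads(unb64(payload))
    age = (time.time() if now is None else now) - data["iat"]
    return data["uid"] if 0 <= age <= MAX_AGE else None

def dashboard_route(cookie_value, now=None):
    """Hypothetical protected route: the session is checked before any data is returned."""
    uid = validate_session(cookie_value, now)
    if uid is None:
        return 401, {"error": "unauthenticated"}
    return 200, {"user": uid}
```

A cookie whose payload is swapped for another user's while keeping the original signature fails the MAC check and the route answers 401.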
Rate limiting
Login, dashboard, contact, and upload endpoints enforce request windows to reduce brute-force and overload risk.