Security controls built into the portal.

Session state is stored in an HTTP-only cookie signed with HMAC SHA-256 and an eight-hour expiry.

Dashboard and KYC APIs check authentication server-side before returning account data or updating status.

Login, dashboard, contact, and upload endpoints apply bounded request windows to reduce abuse.

Forms use strict schema validation and return safe user-facing messages without raw errors.