Security
Your operation's data, handled carefully
Schedules, member records, logbooks, and billing are the operating history of your school or club. Here is exactly how Hobbstack protects them — in plain language.
Accounts and sessions
Sessions live in httpOnly cookies
Session tokens are stored exclusively in httpOnly, secure cookies — never in localStorage or sessionStorage — so they are not readable by page scripts, which removes the most common token-theft vector for web apps.
Passwords are hashed with bcrypt
Passwords are stored only as bcrypt hashes with per-password salts. We can't read your password, and login timing is equalized so an attacker can't use response timing to discover which emails have accounts.
Rate limiting on every surface
Login, registration, and password-reset endpoints have strict per-endpoint rate limits, backed by a global request-rate limiter — so credential-stuffing and brute-force attempts are throttled at the platform level.
Cross-site request forgery protection
State-changing requests are protected by CSRF middleware in addition to strict cross-origin rules, so another website can't silently submit actions using your logged-in session.
Authorization inside your organization
Capability-based permissions
Access is governed by fine-grained capabilities (for example schedule.all, billing, maintenance), not coarse role labels. Org admins can tailor roles, and the backend checks the capability — not the role name — on every request.
Every endpoint authenticates
There are no anonymous data endpoints. Every API route requires an authenticated session, and mutations additionally verify that the requester has the right capability in the right organization for the specific record being changed.
Strict input and output contracts
All request bodies are validated against typed schemas before any processing, and responses are built from explicit field allowlists — raw database records are never serialized to clients.
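As an added illustration (not Hobbstack's own code), the following Python sketch shows how the three rules above fit together on one mutation: the request value is validated first, the capability is resolved from the caller's role in the organization that owns the record and checked by name rather than by role label, and the response is built from an explicit field allowlist. The role names, the Invoice fields and the sample data are assumptions; the capability names are the ones this page mentions.

```python
from dataclasses import dataclass

# Constructed sample role -> capability map; capability names follow the page,
# the role names and the Invoice fields are assumptions for this example.
ROLE_CAPABILITIES = {
    "admin": {"schedule.all", "billing", "maintenance"},
    "instructor": {"schedule.all"},
    "member": set(),
}

@dataclass(frozen=True)
class Session:
    user_id: str
    org_roles: dict  # org_id -> role name, resolved server-side, never from the client

@dataclass(frozen=True)
class Invoice:
    id: str
    org_id: str
    member_id: str
    amount_cents: int
    stripe_customer_id: str  # internal only; must never be serialized to a client
    internal_notes: str

class Unauthorized(Exception): pass
class Forbidden(Exception): pass

def require_capability(session, org_id, capability):
    """Check the capability name, not the role label, in the org that owns the record."""
    if session is None:
        raise Unauthorized("authenticated session required")
    role = session.org_roles.get(org_id)
    if role is None or capability not in ROLE_CAPABILITIES.get(role, set()):
        raise Forbidden(f"{capability} required in org {org_id}")

# Explicit allowlist: anything not listed here never reaches the client.
INVOICE_PUBLIC_FIELDS = ("id", "org_id", "member_id", "amount_cents")

def serialize_invoice(inv):
    return {name: getattr(inv, name) for name in INVOICE_PUBLIC_FIELDS}

def update_invoice_amount(session, inv, new_amount_cents):
    """Mutation: validate input, authorize against the record's own org, allowlist output."""
    if not isinstance(new_amount_cents, int) or isinstance(new_amount_cents, bool) or new_amount_cents < 0:
        raise ValueError("amount_cents must be a non-negative integer")
    require_capability(session, inv.org_id, "billing")
    updated = Invoice(inv.id, inv.org_id, inv.member_id, new_amount_cents,
                      inv.stripe_customer_id, inv.internal_notes)
    return serialize_invoice(updated)
```

Note that the org used for the check comes from the stored record, so a client cannot widen its access by sending a different org id in the request.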
Payments
Card data never touches our servers
Subscription payments run through Stripe-hosted Checkout. Card numbers are entered on Stripe's PCI-compliant pages and are never transmitted to, processed by, or stored on Hobbstack infrastructure.
Data protection
Encrypted in transit
All traffic — the app, the API, and this site — is served exclusively over HTTPS/TLS.
Encrypted at rest
Production data is stored with storage-level encryption at rest on our infrastructure provider, so physical access to the underlying disks does not expose your data.
No third-party advertising cookies
Hobbstack sets no third-party advertising cookies anywhere. Site analytics on this marketing site are cookie-free. Details are in the privacy policy.
Found a security issue?
We want to hear about it before anyone else does. Report suspected vulnerabilities through the contact form — it pre-fills a security-report template so your report reaches the people who can fix it, flagged correctly.