Security
Keeping your account safe is a shared effort. When you adopt a few simple habits and we put the right protections in place, the chance of anything going wrong stays very low.
What you can do
Account security
- Choose a strong password used only for Tatonia. Make it at least 10 characters with a mix of upper case, lower case, numbers, and symbols. Do not reuse a password from another site.
- Click the verification link we send after sign-up. Unverified accounts cannot post reviews or share adaptations.
- On a shared computer, always use "Log out" when you finish. Do not leave the session open.
- Your username and password are yours alone. Do not share them with anyone, including the Tatonia team. We will never ask for your password.
Device security
- Keep the operating system and browser on the device you use to access Tatonia up to date.
- Be cautious with suspicious emails such as "your account is suspended, click here". Real Tatonia messages come from @tatonia.com or our mail provider. If unsure, contact us directly.
- Do not install browser extensions from unknown sources. They can sometimes access session data.
What we do
Encrypted connection
All traffic to and from tatonia.com travels over an encrypted channel. If you arrive on an unencrypted address, your browser is redirected to the secure one automatically, so nobody on the network can eavesdrop on what you do.
Security headers
The HTTP responses we send to your browser carry several protective headers. X-Frame-Options DENY prevents another site from embedding Tatonia inside an iframe (clickjacking protection); Content-Security-Policy, currently in report-only mode, audits which scripts and resources load and reports unexpected attempts without yet blocking them; and headers such as Referrer-Policy and Permissions-Policy add a further layer of privacy.
Passwords stored in an irreversible form
Your password is never stored in plain text. It is transformed with an industry-standard one-way hash. Even if a database snapshot somehow leaked, nobody could turn it back into the original password. That is why a forgotten password leads to a reset link instead of revealing the old one.
Email verification and password reset
Verification is required on every new account. If you forget your password, we send a single-use reset link that expires after one hour. Once used or expired, the link becomes invalid.
Automatic abuse controls
Many failed logins in a row, repeated password reset attempts, or spammy review submissions are slowed down and, if needed, blocked automatically. This protects your account from automated attacks.
Content checks
Reviews and adaptations pass through an automatic check before going live. Posts containing spam, abuse, or link bombardment go into a moderation queue and are never shown without administrator approval.
Trusted infrastructure
The site runs on trusted providers (Cloudflare, Vercel, Neon). Database connections, bot protection, and error tracking work together. Our error tracker automatically filters out personal information like emails and IP addresses, so no identifying data ends up in the logs.
Backups and recovery
The database is backed up automatically. We can roll back to any point within the last 7 days, which means an unexpected loss is recoverable. Development and production are kept separate; nothing from testing ever touches the live site.
Reporting a vulnerability
If you notice a security issue, email [email protected] with the subject "Security". We reply within 48 hours. We appreciate researchers who help; please give us a chance to fix the issue before publishing it.