Security
Security matters more than polished promises, especially in beta. This page explains the operating posture we use today and the limits that still come with an early product.
Current posture
We keep the production footprint fairly small, limit access to the systems that matter, and prefer reviewable deployment and publishing flows over opaque magic. Smaller systems are easier to reason about, especially when you are still moving fast.
Sensitive operations stay server-side. Account access is gated behind authenticated sessions, and integration credentials are issued through the product rather than pushed into client-side code.
Application and integration controls
RankFirst uses scoped site credentials for integrations and signs revalidation webhooks so receiving apps can verify that a callback really came from RankFirst. We also support revoking and rotating site credentials when needed.
- Authenticated application access
- Server-side handling for protected operations and site credential issuance
- Scoped integrations instead of broad, long-lived credentials where possible
- Webhook signing for downstream verification
Infrastructure and operations
We rely on managed infrastructure and storage providers for core hosting, background job execution, and file handling. Transport security, access control, logging, and secret management depend partly on those providers and partly on our own operational discipline.
Deployments are handled through reviewable workflows, and access to production systems is kept limited. When a secret or webhook target changes, we would rather rotate it than pretend it is fine forever.
What customers should do
Keep your account login, API keys, and webhook secrets private. Review generated content before publishing it, especially if you are using automated workflows on a live site.
If you connect RankFirst to a production app, make sure your receiving endpoints verify the webhook signature against the raw request body before acting on a callback and reject anything that fails, keep `.env` files out of version control, and remove old credentials when they are no longer needed.
Reporting and limits
If you find a vulnerability, contact us through the current beta support channel with enough detail to reproduce the issue safely. Useful reports include steps, affected URLs, impact, and whether the issue is already public.
We do not claim perfect security, formal certification, or constant monitoring of every edge case. We do claim that security work is part of the product surface, and we treat real reports seriously.