Security
Trust is the product, so the security model is public. Here's how Oritavo protects accounts and results.
Sessions and authentication
Passwords are hashed with bcrypt and never stored or logged in plain text. Sessions use short-lived signed tokens kept in an HttpOnly cookie — inaccessible to scripts in the browser — and signing out revokes outstanding tokens server-side, not just locally. Sign-in with Google or Yahoo uses the standard authorization-code flow; provider tokens are used once, server-to-server, and discarded.
Assessment integrity
Question and choice shuffling is fixed per attempt by a server-signed token, so answers can't be mapped across attempts or shared between students meaningfully. Time limits anchor to the first open of an attempt. Attempt cooldowns and rate limits blunt brute-force strategies, and rapid-retry patterns are flagged to instructors.
Application hardening
All traffic is HTTPS. The browser talks only to the web tier; the API accepts requests solely from it, authenticated by a shared secret. Responses carry a strict Content-Security-Policy and related headers. Uploaded images are verified at the byte level — a file merely named like an image is rejected. Sensitive endpoints are rate-limited per account and per address.
Reporting a vulnerability
Found something? Email security@oritavo.com with steps to reproduce. We read every report, we won't pursue good-faith research, and we credit fixes if you'd like.