Security

This page describes what MisarSEO actually does — not a compliance checklist. We are not SOC 2 or ISO 27001 certified, and we won't claim otherwise. Below is what's true in this codebase today, and how to report an issue if you find one.

Authentication

The hosted Service runs one of three explicit auth modes, resolved server-side on every request — never inferred from the client:

  • cloudflare_access (production) — every request's Cloudflare Access JWT is verified against the configured team domain and policy audience before a session is trusted.
  • hosted — email/password via Better Auth, for deployments that don't sit behind Cloudflare Access.
  • local_noauth — a trusted, no-auth mode that only runs in local development; it is never the default in a deployed environment.

Sign-in across the Misar suite goes through id.misar.io — a same-TLD cookie SSO, so a session isn't duplicated per product. Server-to-server callers (the MCP server and the TypeScript SDK) authenticate with a bearer API key that's checked using a constant-time comparison, so response timing can't be used to guess the key.

Fail-closed billing

Paid features are metered through Misar's central Wallet service (1 credit = $1 USD). Every deduction call is fail-closed: a network error, a non-2xx response, or an unparseable reply all resolve to "not allowed" — never to free usage. If the wallet service is unreachable, the feature is blocked, not silently granted.

Rate limiting

Expensive API routes (keyword research, site audits, backlink lookups) are rate-limited per authenticated user with a Redis-backed fixed-window counter. Requests over the limit get a 429 with a Retry-After header instead of being silently dropped or queued indefinitely.

No fabricated data

This isn't a data-privacy claim, but it's a trust claim we hold ourselves to just as strictly: when MisarSEO's free data stack has no honest source for a metric, the API returns a clear "unavailable" response or a null field — never an invented number. See Open Data SEO for how that's implemented across keyword, SERP, and domain-authority data.

Code quality

The codebase runs TypeScript in strict mode. We don't allow unchecked as any casts to paper over type errors. Every change to the API surface keeps the SDK and MCP tool schemas in lockstep with the underlying route, so a client never silently drifts from what the server actually accepts.

Infrastructure

The hosted Service's database runs on Company-controlled infrastructure (self-hosted Supabase/Postgres), not a third-party managed database. Live uptime and incident history for every Misar product, including MisarSEO, is published at status.misar.io.

Reporting an issue

Found a security problem? Email security@misar.io with details and, if possible, steps to reproduce. We don't run a paid bug-bounty program, but we read every report and will follow up. For anything else, see the Contact page.

Stay in the loop

Product updates, new features, and the occasional behind-the-scenes.