Security Statement

Updated 29/06/2024


At Range Mate, security is our highest priority. We therefore take a wide range of security measures to ensure that the data of our clubs and members is safe and secure. In the spirit of openness and transparency, here are some of the security measures we take to protect and defend the Range Mate platform.

Web Application Firewall

All Range Mate site traffic is proxied through Cloudflare. We leverage Cloudflare’s Web Application Firewall (WAF) to:

  • Mitigate distributed denial of service (DDoS) attacks
  • Block suspicious activity
  • Filter SQL injection attempts and comment spam
  • Quickly block individual IPs or entire countries when needed

Encrypting Data in Transit

All HTTP traffic to Range Mate runs over an SSL/TLS-encrypted (HTTPS) connection, and we only accept traffic on port 443. A full, independent report of our grade A+ SSL/TLS configuration can be found here. (Note: the report usually takes about 3-5 minutes to generate.)

TLS 1.2 or higher is required for all requests.

During a user agent’s (typically a web browser’s) first visit, Range Mate sends an HTTP Strict Transport Security (HSTS) header instructing the user agent to make all future requests over HTTPS, even when a link to Range Mate specifies HTTP. Additionally, we use HSTS preload, which guarantees that no request, not even the very first one, is made over an unencrypted connection. Cookies are also set with the Secure flag.

You can verify the status of our security headers here.
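The HSTS and cookie properties described above can be audited from a server's response headers. The following is an added example, not Range Mate's own code; the response headers it checks are constructed sample input, and the thresholds follow the public HSTS preload list requirements.

```ruby
# Added example (not Range Mate's code): audit the HSTS header and cookie flags
# against a constructed HTTP response. HSTS is checked against preload policy
# (max-age of at least one year, includeSubDomains, preload); cookies are
# checked for Secure, HttpOnly and the __Host- prefix rules (Path=/, no Domain).
MIN_PRELOAD_MAX_AGE = 31_536_000

# Parse "Name: value" header lines into { downcased name => [values] }.
def parse_headers(raw)
  raw.each_line.each_with_object(Hash.new { |h, k| h[k] = [] }) do |line, h|
    name, value = line.split(':', 2)
    next unless value
    h[name.strip.downcase] << value.strip
  end
end

# Returns a list of findings; an empty list means HSTS meets preload policy.
def check_hsts(headers)
  hsts = headers['strict-transport-security'].first
  return ['HSTS header missing'] unless hsts
  directives = hsts.split(';').map { |d| d.strip.downcase }
  max_age = directives.find { |d| d.start_with?('max-age=') }&.split('=', 2)&.last.to_i
  findings = []
  findings << 'max-age below one year' if max_age < MIN_PRELOAD_MAX_AGE
  findings << 'includeSubDomains missing' unless directives.include?('includesubdomains')
  findings << 'preload directive missing' unless directives.include?('preload')
  findings
end

# Returns findings for every Set-Cookie header in the response.
def check_cookies(headers)
  headers['set-cookie'].flat_map do |cookie|
    name = cookie.split('=', 2).first
    attrs = cookie.split(';').drop(1).map { |a| a.strip.downcase }
    f = []
    f << "#{name}: Secure missing" unless attrs.include?('secure')
    f << "#{name}: HttpOnly missing" unless attrs.include?('httponly')
    if name.start_with?('__Host-')
      f << "#{name}: __Host- requires Path=/" unless attrs.include?('path=/')
      f << "#{name}: __Host- forbids Domain" if attrs.any? { |a| a.start_with?('domain=') }
    end
    f
  end
end

# Constructed sample response headers (not captured from Range Mate).
SAMPLE_HEADERS = <<~HDR
  Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
  Set-Cookie: __Host-_session_id=abc123; Path=/; Secure; HttpOnly; SameSite=Lax
  Set-Cookie: remember_token=xyz; Path=/; HttpOnly
HDR
```

Run `check_hsts(parse_headers(SAMPLE_HEADERS))` and `check_cookies(...)` against headers captured with curl -I to get the same findings for a live site.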

Hosting and Database Storage

The Range Mate platform is a hybrid-cloud model, where services are distributed across providers. Custom services are hosted in the Heroku Cloud and we also leverage Amazon Web Services for a number of IaaS products. You can read about the inherited security features of both platforms below:

All data is kept in EU data centres with both providers.

Encrypting Data at Rest, Database

Range Mate’s backend uses a Postgres database to persist data. All data at rest and the associated keys are encrypted using the industry-standard AES-256 algorithm. A subset of data is decrypted only once an authorised user has been granted access to it. For further details on encryption at rest, please see Encryption at Rest on Heroku.

Per-row data encryption

In addition to the full-disk encryption of the entire database described above, sensitive user data (such as physical addresses) is encrypted a second time at row level by the application, using a separate key and again the AES-256 algorithm. You can read more about how this is done and why it’s useful here.
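One way to implement application-level per-row encryption of a sensitive column with a key separate from the disk encryption, as an added example that is not Range Mate's code. It uses AES-256-GCM from Ruby's OpenSSL binding; the key, the column name and the row id in the additional authenticated data are constructed for illustration.

```ruby
require 'openssl'
require 'securerandom'

# Added example (not Range Mate's code): application-level per-row encryption
# of a sensitive column with AES-256-GCM under a key held separately from the
# disk encryption. Every row gets a fresh random nonce, and the stored value
# carries nonce, ciphertext and authentication tag, so a ciphertext moved to
# another row, or altered in the database, is rejected on decrypt.
ROW_KEY = SecureRandom.random_bytes(32) # constructed key; load from a secret store in practice

# aad binds the ciphertext to its row and column, e.g. "members.address:42".
def encrypt_field(plaintext, key = ROW_KEY, aad: '')
  cipher = OpenSSL::Cipher.new('aes-256-gcm').encrypt
  cipher.key = key
  iv = cipher.random_iv              # 12-byte nonce, unique per row
  cipher.auth_data = aad
  ct = (plaintext.empty? ? ''.b : cipher.update(plaintext)) + cipher.final
  [iv + ct + cipher.auth_tag].pack('m0')   # base64 so it fits a text column
end

# Returns the plaintext, or nil when the key, aad or ciphertext does not match.
def decrypt_field(encoded, key = ROW_KEY, aad: '')
  blob = encoded.unpack1('m0')
  return nil if blob.bytesize < 28                # nonce (12) + tag (16) minimum
  iv, tag, ct = blob[0, 12], blob[-16, 16], blob[12...-16]
  cipher = OpenSSL::Cipher.new('aes-256-gcm').decrypt
  cipher.key = key
  cipher.iv = iv
  cipher.auth_tag = tag
  cipher.auth_data = aad
  pt = (ct.empty? ? ''.b : cipher.update(ct)) + cipher.final  # final verifies the tag
  pt.force_encoding(Encoding::UTF_8)
rescue OpenSSL::Cipher::CipherError, ArgumentError
  nil
end
```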

Encrypting Data at Rest, Files

Static files, such as images and other documents, are persisted in AWS S3 storage. All static files are encrypted before they are stored, so they are encrypted while at rest.

Account security

A user is notified about new account logins via email and can remotely revoke login sessions on any of their devices. Session identifier cookies are all set with the appropriate secure flags and prefixes, and have a short expiry (30 minutes or 3 months).

Password Policy and Storage

During account creation and password updates, Range Mate requires a strong password. Password strength is evaluated dynamically on entry using the zxcvbn library. We do not store user passwords: we only store one-way password hashes computed with the open-source, audited bcrypt algorithm, including:

  • A cost factor of 2^12 iterations, slowing down brute-force attacks
  • A random per-user salt, protecting against rainbow-table attacks and matching of identical password hashes
  • The password concatenated with two separate application tokens before hashing

If a user enters an incorrect account password on multiple attempts, the account is temporarily locked to prevent brute-force attacks.

Following an email change, password change or similar sensitive account change, the user is always notified so that they can respond quickly should an account attack be under way.

Multi-factor Authentication

User accounts can be further secured with time-based one-time passwords (TOTP). Any RFC 6238-compatible authenticator can be used, including Google Authenticator, 1Password, LastPass and many others.
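The RFC 6238 algorithm those authenticators implement, carried through as an added example that is not Range Mate's code: HOTP over a time-derived counter, plus the server-side verification step with a small drift window. The shared secret used in the test is the RFC's own test-vector key, not a real one.

```ruby
require 'openssl'

# Added example (not Range Mate's code): RFC 6238 TOTP generation and
# verification with HMAC-SHA1, 30-second steps and 6 digits, the profile
# used by Google Authenticator and similar apps. The server-side check below
# allows one step of clock drift either way and compares in constant time.
TOTP_STEP = 30
TOTP_DIGITS = 6

# RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then
# dynamic truncation to a 31-bit integer reduced to the wanted digit count.
def hotp(secret, counter, digits: TOTP_DIGITS)
  mac = OpenSSL::HMAC.digest('SHA1', secret, [counter].pack('Q>'))
  offset = mac.getbyte(19) & 0x0f
  code = (mac[offset, 4].unpack1('N') & 0x7fff_ffff) % (10**digits)
  format("%0#{digits}d", code)
end

# TOTP is HOTP with the counter derived from Unix time.
def totp(secret, unix_time, step: TOTP_STEP, digits: TOTP_DIGITS)
  hotp(secret, unix_time.to_i / step, digits: digits)
end

# Constant-time comparison so response timing does not leak matching digits.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Accepts the current step and `drift` steps either side. Returns the matched
# counter (so the caller can store it and refuse a replayed code) or nil.
def verify_totp(secret, code, unix_time, drift: 1)
  counter = unix_time.to_i / TOTP_STEP
  (-drift..drift).each do |d|
    return counter + d if secure_equal?(hotp(secret, counter + d), code)
  end
  nil
end
```

Authenticator apps receive the secret base32-encoded in the otpauth:// URI; decode it to raw bytes before passing it to these functions.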

Request Throttling and Tracking

We employ the Rack::Attack middleware for whitelisting, throttling and tracking requests based on predefined security limits.

XSS and CSRF Protection

To prevent Cross-Site Scripting (XSS) attacks, all output is escaped by default by our Ruby on Rails framework before it reaches the browser. We avoid the raw() method, which could send unescaped data to the browser.

In our Ruby on Rails framework, protect_from_forgery is enabled and generates a random csrf_token to protect against Cross-Site Request Forgery (CSRF) attacks.

Additionally, Range Mate implements the Content Security Policy (CSP) HTTP header, which whitelists the assets (JavaScript, images, stylesheets, etc.) that the user’s browser is allowed to load and execute. A correctly implemented CSP header effectively eliminates malicious JavaScript (XSS attacks), specially crafted files disguised as images, and similar attacks that rely on the browser’s trust in the served assets.

Monitoring and Notifications

Range Mate uses several services to automatically monitor uptime and site availability. Key employees receive automatic email and SMS notifications in the case of downtime or emergencies. Some of our preferred services for logging and 24-hour notification access are Skylight and Sentry.io.

Code Review and static code analysis

We have a strict, enforced code review process that utilises GitHub’s branch protection features. We also employ Dependabot to automatically detect known vulnerabilities through static source code analysis.

All pull requests are reviewed against the OWASP Top 10 web application security risks.

Vulnerability Disclosure

Since launching Range Mate, we have invited anyone on the internet to notify us of issues they find in our application, to further strengthen and secure our platform. All vulnerability reports are read within hours of receipt, and we aim to respond to every submission within 48 hours.

Emergency

In the event of a security breach, we have procedures in place for a resolute response, including turning off access to the web application, mass password resets and certificate rotation. If our platform is maliciously attacked, we will communicate this to all of our users as quickly and openly as possible.

Vulnerability Disclosure

Found a vulnerability or other security flaw you need to tell us about? Please send a full report to the email address below.

Email us

[email protected]