How Skillet protects your account and data.
Last updated March 11, 2026
Security
Your recipes, cook logs, and personal data deserve to be protected. Here's how we approach security at Skillet — and where we're honest about our current limitations.
How We Protect Your Account
- Password hashing — Passwords are hashed with bcrypt before storage. We never store, log, or transmit plain-text passwords.
- Google OAuth — Sign in with Google to authenticate without sharing a password with us.
- Session tokens — Sessions use encrypted JWTs (JSON Web Tokens) with expiration and refresh cycles.
- CSRF protection — All forms and state-changing API requests are protected against cross-site request forgery.
How We Protect Your Data
- Encryption in transit — Every connection to Skillet uses TLS/HTTPS. No exceptions.
- Isolated infrastructure — Our application runs in containerized, access-controlled environments.
- Database security — Database connections are encrypted and not exposed to the public internet.
- Image storage — Uploaded images are stored in secured cloud storage with scoped access controls.
- Backups — Regular automated backups protect against data loss.
Application-Level Security
- Input validation — All user input is validated on both client and server using Zod schemas.
- Parameterized queries — We use Prisma ORM exclusively. No raw SQL, no string concatenation in queries.
- Role-based access — Admin functionality is separated from regular user access with enforced role checks.
- Audit logging — Administrative actions are logged with the actor, action, and details of what changed.
What We Haven't Done Yet
We believe in being direct about where we stand:
- We have not completed a formal third-party security audit
- We do not currently offer two-factor authentication (it's planned)
- We do not hold SOC 2, ISO 27001, or similar certifications
- We are a small team and our security practices reflect our current stage
As Skillet grows, so will our security posture. We'll update this page as we make progress.
Responsible Disclosure
If you find a security vulnerability in Skillet, we want to hear about it. Please email support@skillet.studio with details. We will:
- Acknowledge receipt within 48 hours
- Investigate and work toward a fix promptly
- Keep you informed of our progress
Please don't disclose vulnerabilities publicly before we've had a reasonable chance to address them. We appreciate the help.
What You Can Do
- Use a strong, unique password for your Skillet account
- Don't share your credentials with anyone
- Sign out on shared or public devices
- Let us know if you notice anything suspicious: support@skillet.studio
Contact
Security questions or concerns? support@skillet.studio.