Security
Last updated: November 9, 2025
Our approach
LockHabit is intentionally simple: a static website serving client-side calculators. We do not store sensitive user data on our servers and avoid building large data stores. This design reduces attack surface and risk.
Key controls
- HTTPS everywhere: All pages are served over TLS.
- Minimal data: Inputs are kept in your browser (localStorage) unless you ask to email results.
- Content Security: We limit third-party scripts to required providers (Google Analytics/AdSense, optional FX API) and review integrations.
- Infrastructure: Hosted on reputable edge/CDN providers with DDoS protection, caching, and managed certificates.
- Secrets management: Any API keys (e.g., FX rates) are scoped and rotated; no secrets are embedded client-side if they grant write or account access.
- Backups & continuity: Source code is version-controlled; deploys are reproducible.
- Vulnerability hygiene: We keep dependencies lean, audit third-party scripts, and ship security patches promptly.
“Email my results” safety
If you use an email feature, we transmit the calculation summary to the address you provide using a reputable email service. We do not create accounts. Transient delivery logs may be retained briefly for troubleshooting and abuse prevention, then aged out.
Your controls
- Use the Reset button on any calculator to clear saved inputs.
- Clear site data in your browser settings to remove localStorage, cookies, and cache.
- Use modern browsers, keep devices updated, and enable a screen lock.
Responsible disclosure
If you believe you have found a security vulnerability, please email lockhabit@outlook.com with details. We will investigate promptly.
Third-party services
We rely on cloud providers and ad/analytics vendors that maintain their own security programs. Their processing is subject to their terms and privacy policies.
Changes
We may update this page as our stack evolves.