How we protect the stack

Security

Security is built around HTTPS, least privilege, explicit linking, protected infrastructure, and controlled review. Players are also expected to protect their own access and use official channels for security concerns.

Read the page Back to legal hub
πŸ”
Least privilegeNot every system, staff role, or automation gets access to every record or feature.
core rule
🧯
Report issues responsiblySecurity issues should come through controlled channels, not public exposure or destructive testing.
required
☁️
Protected edgeThe site is served behind HTTPS and Cloudflare-backed infrastructure protections.
live
Least privilege core ruleReport issues responsibly requiredProtected edge liveLeast privilege core ruleReport issues responsibly requiredProtected edge live
πŸ‘€ What players should do

Security is shared. The platform protects the stack, and players protect their own access chain.

Protect your account

Do not share passwords, verification codes, or recovery links. Do not trust unofficial requests for credentials or supposed shortcut verification.

  • Use official domains and flows.
  • Treat one-time codes like secrets.
  • Report suspected compromise quickly.

Recognize suspicious behavior

Unexpected unlinks, suspicious verification prompts, unknown connected accounts, or support messages asking for secrets should be treated as red flags.

  • Use dashboard review tools where available.
  • Open a support or security report when something feels wrong.
  • Do not continue a suspicious flow just to see what happens.
🧱 How the platform is designed

The goal is not absolute invulnerability. The goal is a layered system where identity, permissions, infrastructure, and review all reinforce each other.

Core controls

The stack uses HTTPS, role-based access, protected internal routes, explicit account-linking flows, infrastructure hardening, and audit trails around high-risk actions.

  • Least privilege access rules.
  • Role- and workflow-gated protected routes.
  • Logging around sensitive changes and review events.

What we do not promise

No modern system can promise perfect security or zero incidents. We can promise deliberate design, review, and response paths.

  • Security events may still happen.
  • Some features may be paused while issues are investigated.
  • Records may be retained for incident response.
πŸ“¨ Vulnerability reporting

If you find a real issue, we want it reported responsibly instead of exposed theatrically.

What to include

Describe what you found, how it was observed, what area it affects, and enough detail for review without causing further exposure.

  • A concise reproduction path when safe.
  • Affected page, flow, or system.
  • Impact and urgency if known.

What not to do

Do not publicly disclose unreviewed vulnerabilities, destroy data, access another player’s information, or use the finding for leverage.

  • No destructive testing.
  • No harvesting of protected information.
  • No public posting before coordinated review.
References

This page follows the source references captured in the Prozilli Website Legal Manual and updates as the operating systems behind the city grow.

R1R9R10