This page summarises security practices for the Quizora service operated by eRevolutions India. It is not an exhaustive security whitepaper; if you need a custom review, contact us.
Contact: contact@erevolutionsindia.com
1. Transport security
Production deployments of Quizora should use HTTPS and WSS (TLS) for all browser and REST API traffic. WebSocket connections should use the same host and TLS termination as the API (e.g. a reverse proxy with valid certificates).
2. Authentication
REST APIs use bearer tokens (JWT). Clients must store tokens securely and never embed them in public URLs. WebSocket connections use the same token in the Socket.IO handshake. Tokens expire and rotate according to server configuration.
3. Passwords & secrets
Server-side secrets (JWT signing keys, database passwords, API keys) must be kept in environment variables or a secrets manager, never in source control. Use long, random values for production keys.
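
The token check described under Authentication, with the signing key loaded as described under Passwords & secrets, shown as an added example that is not Quizora's own code. It assumes HS256-signed tokens and a hypothetical QUIZORA_JWT_SECRET environment variable, and uses only Node's built-in crypto module.

```javascript
// Added example, not Quizora's code. Assumptions: HS256 tokens and a
// hypothetical QUIZORA_JWT_SECRET variable (neither is stated on the page).
const crypto = require("node:crypto");

const b64url = (data) => Buffer.from(data).toString("base64url");
const hmac = (data, secret) =>
  crypto.createHmac("sha256", secret).update(data).digest();

// Read the signing key from the environment and refuse weak or missing keys.
function loadSecret(env = process.env) {
  const secret = env.QUIZORA_JWT_SECRET || "";
  if (Buffer.byteLength(secret) < 32) throw new Error("secret under 32 bytes");
  return secret;
}

// Helper that mints a constructed sample token so the example runs offline.
function issueToken(claims, secret) {
  const head = b64url(JSON.stringify({ alg: "HS256", typ: "JWT" }));
  const body = b64url(JSON.stringify(claims));
  return `${head}.${body}.${b64url(hmac(`${head}.${body}`, secret))}`;
}

// Verify a handshake token; returns its claims or throws. In Socket.IO
// middleware the input would typically be socket.handshake.auth.token
// (assumed here; the page does not say where the client places the token).
function verifyHandshakeToken(token, secret, nowSec = Math.floor(Date.now() / 1000)) {
  const parts = typeof token === "string" ? token.split(".") : [];
  if (parts.length !== 3) throw new Error("malformed token");
  const [head, body, sig] = parts;
  const parse = (seg) => {
    try { return JSON.parse(Buffer.from(seg, "base64url").toString("utf8")); }
    catch { throw new Error("malformed token"); }
  };
  // Pin the algorithm: the token must not choose it (blocks alg "none").
  const header = parse(head);
  if (!header || header.alg !== "HS256") throw new Error("unexpected alg");
  // Check the signature in constant time before trusting any claim.
  const expected = hmac(`${head}.${body}`, secret);
  const given = Buffer.from(sig, "base64url");
  if (given.length !== expected.length || !crypto.timingSafeEqual(given, expected))
    throw new Error("bad signature");
  // Require an expiry so a leaked token cannot be replayed indefinitely.
  const claims = parse(body);
  if (!claims || typeof claims.exp !== "number" || claims.exp <= nowSec)
    throw new Error("token expired");
  return claims;
}
```

A server would call loadSecret() once at startup and reject the connection whenever verifyHandshakeToken throws.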
4. Rate limiting & abuse
The API applies rate limiting to reduce automated abuse. Game events are validated server-side; scores and answers are not trusted from the client without verification.
5. Infrastructure
Typical production setups use PostgreSQL and Redis with network isolation, least-privilege database users, and regular backups. Horizontal scaling may use a Redis adapter for Socket.IO so all nodes broadcast consistently.
6. Logging & monitoring
We log operational events for reliability and security. Logs may contain IP addresses and request metadata. Access to logs is restricted to authorised personnel.
7. Vulnerability reporting
If you discover a security vulnerability in Quizora, please email contact@erevolutionsindia.com with a clear description and steps to reproduce. We ask that you give us reasonable time to respond before public disclosure.
8. Your responsibilities
Keep your device OS updated, use official app builds, and do not share account tokens. If you suspect unauthorised access, sign out and rotate credentials where applicable.