Profile & Security

Manage your account details, password, and multi-factor authentication.

Profile

  • Name & Email — Update your display name. Email is tied to your login and cannot be changed directly.
  • Profile Image — Upload an avatar that appears in the top bar and family views.
  • Timezone — Set your timezone so dates and times display correctly.

Password

  • Change your password from Settings → Security.
  • Passwords must meet minimum length and complexity requirements.
  • If you forget your password, use the "Forgot Password" link on the login page to receive a reset email.

Multi-Factor Authentication (MFA)

MFA adds an extra layer of security by requiring a time-based code from an authenticator app when you log in.

Setup

  • Enable MFA in Settings → Security.
  • Scan the QR code with an authenticator app (Google Authenticator, Authy, etc.).
  • Enter the 6-digit code to confirm setup.

Login Flow

After entering your email and password, you'll be prompted for your MFA code. The session is not fully authenticated until the code is verified.

MFA Session Cookie

Once MFA is verified, a cryptographically signed httpOnly cookie is issued. The cookie value is an HMAC-SHA256 signature of your user ID — it contains no raw credentials and cannot be forged without the server-side secret. The middleware re-verifies this signature on every protected request.
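The issue-and-verify pattern described above, and the forgery-resistance claimed under Security Hardening, as an added illustration that is not the platform's own code: the cookie value is the hex HMAC-SHA256 of the user ID, and the middleware recomputes it for the user bound to the current session and compares in constant time. The secret, cookie name, and user IDs are constructed placeholders.

```typescript
import { createHmac, timingSafeEqual } from "node:crypto";

// Constructed placeholder; a real deployment loads this from server-side config.
const MFA_COOKIE_SECRET = "example-secret-not-for-production";

// Cookie value: HMAC-SHA256 over the user ID, hex-encoded (64 chars).
function signMfaCookie(userId: string, secret: string = MFA_COOKIE_SECRET): string {
  return createHmac("sha256", secret).update(userId).digest("hex");
}

// Middleware-side check. The user ID comes from the already-authenticated
// session, never from the cookie itself; a missing, malformed, or tampered
// value returns false instead of throwing. The length check guards
// timingSafeEqual, which throws on buffers of different sizes.
function verifyMfaCookie(
  userId: string,
  cookieValue: string | undefined,
  secret: string = MFA_COOKIE_SECRET,
): boolean {
  if (!cookieValue || !/^[0-9a-f]{64}$/.test(cookieValue)) return false;
  const expected = Buffer.from(signMfaCookie(userId, secret), "hex");
  const provided = Buffer.from(cookieValue, "hex");
  return expected.length === provided.length && timingSafeEqual(expected, provided);
}

// Set-Cookie header for the MFA cookie (hypothetical name "mfa_verified").
// HttpOnly keeps it out of reach of page scripts; Secure and SameSite limit
// where it is sent.
function mfaSetCookieHeader(userId: string, secret: string = MFA_COOKIE_SECRET): string {
  return `mfa_verified=${signMfaCookie(userId, secret)}; HttpOnly; Secure; SameSite=Lax; Path=/`;
}
```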

Security Hardening

Platform-level security measures include:

  • HMAC-signed MFA cookie — The MFA verification cookie uses a tamper-proof HMAC signature, preventing forgery even if an attacker can plant arbitrary cookies.
  • Category ownership checks — Budget creation validates that all referenced category IDs belong to the authenticated user before writing to the database.
  • Input validation on mutations — All transaction update fields are validated with Zod: string length limits, URL format checks for receipt URLs, and array size caps on tags.
  • Magic-byte file validation — Uploaded report files are validated against the %PDF- binary signature, not just the client-supplied MIME type.
  • Rate limiting — Sensitive endpoints (login, registration, password reset, MFA verify, family dashboard) are rate-limited per IP.
  • httpOnly cookies — Session, MFA, and referral cookies are all set with httpOnly: true so they cannot be read by JavaScript, mitigating XSS token theft.
  • CSP + security headers — Content-Security-Policy, HSTS, X-Content-Type-Options, Referrer-Policy, and Permissions-Policy are applied to every response.

Privacy & Consent

Review and manage your consent preferences for terms of service, privacy policy, data processing, and marketing communications. Consent timestamps are recorded and visible in settings.

Danger Zone

At the bottom of Settings you can delete your account. This permanently removes all your data including linked accounts, transactions, budgets, and family members. This action cannot be undone.