Security
CareerID is built with security and consent at the architecture level — not as an afterthought.
Server-side data access only
All calls to the data layer are made server-side via Netlify Functions. No API keys are exposed to the browser. Client-side code never directly accesses the database.
Consent enforcement
The employer view is enforced server-side. It will not return data unless a valid, active, non-expired consent grant exists for the specific individual and the requesting organisation. This cannot be bypassed by the client.
Structured audit logging
All consent grants, revocations, employer access attempts (successful and denied), and data exports are logged as structured JSON events on the server. No audit events are generated client-side.
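An added example (not CareerID's own code) of the server-side consent check and structured audit events described in the two sections above. The grant fields, event names and function names are assumptions, and the grants are constructed sample data.

```javascript
// Added example: all names are hypothetical, not CareerID's code.
// Constructed sample grants standing in for the server-side data layer.
const GRANTS = [
  { individualId: "ind-1", organisationId: "org-A", status: "active", expiresAt: "2030-01-01T00:00:00Z" },
  { individualId: "ind-1", organisationId: "org-B", status: "revoked", expiresAt: "2030-01-01T00:00:00Z" },
  { individualId: "ind-2", organisationId: "org-A", status: "active", expiresAt: "2020-01-01T00:00:00Z" },
];

const auditLog = []; // stand-in for the function's server-side log stream

// Emit one structured JSON audit event per access decision.
function audit(event, fields, now) {
  const line = JSON.stringify({ ts: now.toISOString(), event, ...fields });
  auditLog.push(line);
  return line;
}

// Returns null when a valid, active, non-expired grant exists for this exact
// individual/organisation pair, otherwise the reason for denial.
function denialReason(grants, individualId, organisationId, now) {
  const matching = grants.filter(
    (g) => g.individualId === individualId && g.organisationId === organisationId
  );
  if (matching.length === 0) return "no_grant";
  const active = matching.filter((g) => g.status === "active");
  if (active.length === 0) return "not_active";
  // An unparseable expiry yields NaN, which fails the comparison (fail closed).
  const live = active.some((g) => Date.parse(g.expiresAt) > now.getTime());
  return live ? null : "expired";
}

// session.organisationId is assumed to come from server-verified
// authentication, never from a client-supplied field.
function employerView(session, individualId, now = new Date()) {
  const organisationId = (session && session.organisationId) || null;
  const reason =
    !organisationId || typeof individualId !== "string"
      ? "bad_request"
      : denialReason(GRANTS, individualId, organisationId, now);
  if (reason) {
    audit("employer_access_denied", { individualId, organisationId, reason }, now);
    // The client gets the same response for every denial; the reason stays in the log.
    return { statusCode: 403, body: JSON.stringify({ error: "forbidden" }) };
  }
  audit("employer_access_granted", { individualId, organisationId }, now);
  return { statusCode: 200, body: JSON.stringify({ individualId, profile: "(constructed)" }) };
}
```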
Security headers
X-Frame-Options: DENY — prevents clickjacking
X-Content-Type-Options: nosniff
Referrer-Policy: strict-origin-when-cross-origin
Permissions-Policy — camera, microphone, and geolocation disabled
Content-Security-Policy — restricts resource origins to prevent cross-site scripting
Responsible disclosure
If you believe you have found a security vulnerability in CareerID, please contact us at contact@careerid.co.uk. We will respond within 5 working days.
Please do not publicly disclose vulnerabilities before we have had the opportunity to address them.