Security
Password policies, session management, rate limiting, and account protection.
Workfile takes security seriously. The platform includes multiple layers of protection — from password policies and rate limiting to session management and account lockout.
Authentication
Workfile supports two sign-in methods:
| Method | Description |
|---|---|
| Email + password | Standard email/password authentication |
| Google sign-in | One-click OAuth via Google |
All authentication is handled through the central Workfile ID system. See Workfile ID for details.
Sessions use secure HTTP-only cookies with cross-subdomain support. This means signing in once gives you access across all Workfile products (Store, MealCraft, etc.) without signing in again.
Password policy
| Setting | Default | Description |
|---|---|---|
| Minimum length | 8 characters | Shortest allowed password |
| Strong password | Off | When enabled, requires uppercase, lowercase, number, and special character |
When strong passwords are enabled, the system validates:
- At least one lowercase letter
- At least one uppercase letter
- At least one number
- At least one special character
Session management
| Setting | Default | Description |
|---|---|---|
| Session expiry | 30 days | How long sessions remain valid after last activity |
| Max sessions per user | Unlimited | Maximum concurrent sessions (0 = unlimited) |
You can view and manage your active sessions from Account → Security. Each session shows the device, browser, IP address, and last active time.
If you suspect unauthorized access, go to Account → Security and sign out of all sessions. Then change your password immediately.
Rate limiting
Rate limiting protects against brute-force attacks:
| Protection | Default limit |
|---|---|
| Login attempts | 5 per minute per IP |
| Registration attempts | 3 per hour per IP |
| Password reset requests | 3 per hour per IP |
When the limit is exceeded, further attempts are temporarily blocked with a clear error message.
Account lockout
After too many failed login attempts, accounts are temporarily locked:
| Setting | Default |
|---|---|
| Lockout enabled | Yes |
| Failed attempts before lockout | 5 |
| Lockout duration | 15 minutes |
Account lockout is separate from rate limiting. Rate limiting blocks by IP address (stops bots), while lockout blocks the specific account (stops targeted attacks).
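To make the difference between the two controls concrete, here is an added example (not Workfile's own code) that implements both with the defaults listed above and runs two constructed login scenarios through them; the IP addresses, account names and the `LoginGuard` class are illustrative.

```python
from collections import defaultdict, deque
# Defaults quoted on this page: 5 login attempts/minute/IP; lockout after 5 failures for 15 min.
LOGIN_LIMIT, LOGIN_WINDOW = 5, 60
LOCKOUT_THRESHOLD, LOCKOUT_SECONDS = 5, 15 * 60

class LoginGuard:
    def __init__(self, clock):
        self.clock = clock                      # returns seconds; injected so tests control time
        self.ip_attempts = defaultdict(deque)   # ip -> attempt timestamps inside the window
        self.failures = defaultdict(int)        # account -> consecutive failed logins
        self.locked_until = {}                  # account -> time the lock expires

    def attempt(self, ip, account, password_ok):
        now = self.clock()
        # Sliding window per IP: drop attempts older than LOGIN_WINDOW, then count.
        window = self.ip_attempts[ip]
        while window and now - window[0] >= LOGIN_WINDOW:
            window.popleft()
        if len(window) >= LOGIN_LIMIT:
            return "rate_limited"
        window.append(now)
        # Lockout is keyed on the account, so it applies whichever IP is used, and a
        # locked account refuses even the correct password until the lock expires.
        if self.locked_until.get(account, 0) > now:
            return "locked"
        if password_ok:
            self.failures[account] = 0
            return "ok"
        self.failures[account] += 1
        if self.failures[account] >= LOCKOUT_THRESHOLD:
            self.failures[account], self.locked_until[account] = 0, now + LOCKOUT_SECONDS
            return "locked"
        return "failed"

def one_ip_many_accounts():
    # Constructed: one IP, wrong password at six accounts; IP limit trips on the sixth, no account locks.
    t = [0.0]
    g = LoginGuard(lambda: t[0])
    return [g.attempt("198.51.100.7", f"user{i}@example.com", False) for i in range(6)]

def many_ips_one_account():
    # Constructed scenario: five IPs, one wrong password each, all against one account.
    # No IP is rate limited, but the fifth failure locks the account until 15 minutes pass.
    t = [0.0]
    g = LoginGuard(lambda: t[0])
    out = [g.attempt(f"203.0.113.{i}", "victim@example.com", False) for i in range(5)]
    out.append(g.attempt("203.0.113.9", "victim@example.com", True))   # correct password, still locked
    t[0] += LOCKOUT_SECONDS
    out.append(g.attempt("203.0.113.9", "victim@example.com", True))   # lock expired
    return out
```

The first scenario is the case IP rate limiting is built for; the second shows why the account-keyed lockout is still needed when attempts do not share an IP.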
CAPTCHA protection
Workfile supports Cloudflare Turnstile for bot protection:
| Setting | Default |
|---|---|
| CAPTCHA on registration | On (when enabled) |
| CAPTCHA on login | Off |
| CAPTCHA on password reset | On (when enabled) |
CAPTCHA is invisible to most users — it only shows a challenge when suspicious activity is detected.
Security notifications
Email alerts for security events:
| Notification | Description |
|---|---|
| New login | Email when signing in from a new device |
| Password change | Email when password is updated |
| Suspicious activity | Email about unusual login attempts |
Enable New login notifications if you manage a team. You'll be alerted whenever someone signs in from an unrecognized device, helping you spot unauthorized access early.
Email verification
When enabled, new users must verify their email address before accessing the dashboard. Verification links expire after 24 hours by default.
Data protection
| Measure | Description |
|---|---|
| Password hashing | Passwords are hashed with bcrypt — never stored in plain text |
| HTTPS everywhere | All traffic is encrypted with TLS |
| Secure cookies | HTTP-only, secure, SameSite cookies |
| PCI compliance | Payment data handled by Razorpay (PCI-DSS compliant) |