Defense in depth. Your data fortress.

1 Our Security Commitment

Boreon Industries LLC commits to maintaining AI Church as a secure, responsibly developed platform. Our security commitments:

2 Architecture: Self-Hosted by Design

The most important security property of AI Church is its self-hosted architecture. Your congregation's data — names, contact information, giving records, attendance, pastoral notes, prayer requests — lives exclusively on your server. Boreon cannot be breached for data we don't have.

3 Authentication & Authorization

Password Security

• bcrypt hashing via PHP's password_hash(PASSWORD_DEFAULT) — industry standard, adaptive cost factor
• Minimum password length enforced server-side
• No plaintext password storage anywhere in the codebase
• Default credentials detected at runtime; admins are prompted to change them; banner shown until resolved

Two-Factor Authentication (TOTP)

• RFC 6238-compliant TOTP (Time-Based One-Time Password) implemented in pure PHP — no external library dependency
• QR code generated client-side via locally hosted qrcode.min.js — the secret never transits to an external QR service
• 2FA is mandatory for all self-registered users (role: staff)
• First-run super-administrator may optionally skip during initial setup, but is prompted to enable immediately after
• Backup recovery codes not currently implemented — document your TOTP secret securely

Role-Based Access Control (RBAC)

The platform owner (admin@sermonassist.com) is permanently protected — this account cannot be deleted, disabled, or demoted by any action within the application, including by other super-admins. This is enforced by isProtectedOwner() with server-side guards on all user management actions.

4 Session Security

• Session fixation prevention: session_regenerate_id(true) is called on every successful login, destroying the previous session ID
• Idle timeout: Sessions expire after 8 hours of inactivity (last_seen timestamp checked on every request)
• Absolute timeout: Sessions expire after 30 days regardless of activity (login_at timestamp enforced)
• HttpOnly cookies: The session cookie is not accessible to JavaScript (session.cookie_httponly = 1)
• SameSite=Lax: Prevents cross-site request forgery via cookie submission
• Secure flag: Set automatically when the application is served over HTTPS
• Strict mode: session.use_strict_mode = 1 — prevents session ID fixation from uninitialized sessions
• Only cookies: session.use_only_cookies = 1 — session IDs may not appear in URLs
• Disabled users blocked: Disabled user accounts are refused at login time even with correct credentials and a valid session

5 Application Security

SQL Injection Prevention

Every database query in AI Church uses PDO prepared statements with parameterized queries. String interpolation into SQL is forbidden by convention. There are no raw SQL queries with user-supplied data anywhere in the codebase.

Cross-Site Scripting (XSS) Prevention

• All user-supplied content rendered in HTML is escaped via h() → PHP's htmlspecialchars(ENT_QUOTES|ENT_SUBSTITUTE, 'UTF-8')
• AI-generated content rendered as HTML is first sanitized via DOMPurify (locally hosted, no CDN) before being parsed by marked
• The acEsc() client-side helper escapes values injected into JavaScript contexts
• Content Security Policy (CSP) is set as both an HTTP header and a PHP fallback, preventing inline script execution except for intentional application code

CSRF Protection

• A per-session CSRF token is emitted as window.CSRF in the page <head>
• The global fetch() is patched to automatically include X-CSRF-Token on all non-GET requests
• Every HTML form receives a hidden csrf field (injected by endPage())
• Server-side validation uses hash_equals() (timing-safe comparison) on every authenticated POST
• CSRF validation is fail-closed — a missing or invalid token results in request rejection, never a silent pass

Error Handling

• display_errors = 0 is set at runtime — PHP errors never reach the browser or expose application internals
• All database errors are caught and logged server-side without exposing schema details to users

6 Rate Limiting & Brute Force Prevention

AI Church implements a comprehensive rate-limiting subsystem using an in-database rate_limits table with server-side enforcement:

7 Network Security

TLS / Transport Security

• All outbound server-side connections (SMTP, Anthropic API, Twilio, ChMS integrations) use TLS with certificate verification enabled — self-signed certificates are rejected
• SMTP connections use STARTTLS or direct TLS/SSL based on the configured port
• CR/LF and NUL injection characters are stripped from all email addresses and subjects before SMTP transmission

HSTS

Strict-Transport-Security: max-age=31536000; includeSubDomains is set via .htaccess and as a PHP header fallback, instructing browsers to require HTTPS for all future visits.

8 File Upload Security

• Member photo uploads are validated with getimagesize() — only valid image files pass; arbitrary file uploads are rejected
• Uploaded files are stored in uploads/members/ with PHP execution disabled for that directory (via uploads/.htaccess: php_flag engine off)
• An additional mod_rewrite rule in the root .htaccess blocks any PHP file execution within uploads/ as a defense-in-depth measure
• uploads/index.php contains an empty file to prevent directory listing
• File paths are not user-controllable — the server generates the storage filename

9 Supply Chain Security

This completely eliminates the most common web supply-chain attack vector: a compromised CDN serving malicious JavaScript to millions of sites. Specifically:

• Chart.js, marked, DOMPurify, SheetJS, jsPDF, qrcode.js — all local copies in assets/vendor/js/
• Font Awesome 6.5.1 — complete local copy (CSS + woff2 fonts) in assets/vendor/fa/
• Inter variable font — self-hosted latin + latin-ext variants in assets/vendor/fonts/
• Bootstrap 5.3 — inlined in the application's getCssAndJs() function, no CDN
• 2FA QR codes — generated client-side via local qrcode.min.js; the TOTP secret never transits to an external QR service

External API calls (Anthropic, Twilio, ChMS platforms, Bible API) are server-side integrations, not browser-side script execution. They are made with the user's own credentials and are governed by the respective service's security posture.

10 Data Protection

Database

• The SQLite database file (aichurch.db) is protected by .htaccess with Require all denied — it cannot be downloaded via the web
• WAL and SHM journal files are also blocked
• Database encryption at rest is the responsibility of the host filesystem or disk-level encryption (e.g., LUKS on Linux, BitLocker on Windows Server)
• The settings table stores API keys. On your own server, these are as secure as your file system permissions

Secrets Management

• API keys (Anthropic, Twilio, Breeze, etc.) are stored in the SQLite settings table — never in code, environment variables, or configuration files committed to version control
• The TOTP secret is stored in the users table, accessible only to authenticated super-admins
• Auto-generated tokens (cron_token, ics_feed_token, api_key) are cryptographically random, generated via PHP's random_bytes()

Sensitive File Protection

The following files are blocked from web access via .htaccess:

• aichurch.db, *.db-wal, *.db-shm, *.sqlite — database files
• *.bak*, *.env, *.log, *.sh, *.py, *.docx — backup and configuration files
• CLAUDE.md, DEPLOY.md — internal documentation
• All dotfiles (.git, .env, .htpasswd, editor swap files) — with an exception for .well-known/ (required for ACME/SSL certificate issuance)
• deploy/, Instagram/, LinkedIn/, LEGAL-DOCUMENTATION/ — private tooling and marketing assets

11 Infrastructure (Demo Instance)

The AI Church demo instance at aichurch.boreon.com is hosted on Infomaniak infrastructure in Geneva, Switzerland:

12 Security Headers

AI Church sets the following security headers on all responses, via both .htaccess and PHP-level fallbacks (so they apply even if mod_headers is unavailable):

13 Vulnerability Disclosure

14 Security Changelog

Major security changes by version: