Hair Wellness Lab
Security
We take security and privacy seriously. Here is a plain-language overview of the measures we take to protect you and your crown data.
Last updated: March 2026
How We Protect Your Data
All data transmitted between your browser and our servers is encrypted in transit using TLS (HTTPS). Data at rest is encrypted by Supabase using industry-standard PostgreSQL encryption practices.
We do not store payment card numbers or CVV codes. All billing is handled by Stripe, which is certified to PCI-DSS Level 1 – the highest level of payment security certification.
Authentication tokens are managed by Supabase and stored in secure, HttpOnly cookies where possible. We do not expose raw session tokens in URL parameters or client-accessible localStorage.
Input Validation
All user-submitted data – including quiz responses, journal entries, and community posts – is validated and sanitized both on the client and on the server before being stored or processed.
API routes authenticate every request before allowing any read or write operation. Row-Level Security (RLS) policies on our Supabase database ensure users can only access their own data, even if an API route were misconfigured.
We parameterize all database queries to prevent SQL injection. User-generated content is escaped before rendering to prevent cross-site scripting (XSS).
Secure Headers & Content Security Policy
Every page on Hair Wellness Lab is served with a strict set of HTTP security headers to reduce the attack surface:
Content-Security-Policy – Restricts which scripts, styles, images, and connections can load on each page. Only trusted sources (our own domain, Supabase, Stripe) are permitted.
Strict-Transport-Security – Forces HTTPS for 2 years and includes subdomains. We are eligible for browser HSTS preloading.
X-Content-Type-Options – Prevents browsers from guessing the MIME type of a response, stopping a class of MIME sniffing attacks.
Referrer-Policy – Ensures that cross-origin navigation only sends the origin (not the full URL), protecting user privacy.
Permissions-Policy – Disables access to device APIs we do not use: camera, microphone, geolocation, USB, and others.
Cross-Origin-Opener-Policy – Isolates our browsing context from cross-origin pages that open it (or that it opens), closing off cross-window information leaks, including those that rely on shared memory side channels.
Clickjacking Protection
Hair Wellness Lab pages cannot be embedded in iframes on other websites. We enforce this with two complementary mechanisms:
frame-ancestors 'none' – The Content-Security-Policy header instructs modern browsers to refuse embedding this site in any frame or iframe.
X-Frame-Options: DENY – A legacy header that provides the same protection for older browsers that do not fully support CSP.
These controls prevent attackers from overlaying a hidden version of our site inside another page to trick users into clicking buttons without realizing it.
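The following is an added example, not Hair Wellness Lab's own code: a small Node script that builds the header set described above and audits any response's headers against it. The page only names the headers and their intent, so the exact directive values (CSP source lists, the COOP value, the Permissions-Policy feature list) are assumptions chosen to match that intent.

```javascript
// Added example (not Hair Wellness Lab code). Directive values are assumptions
// that follow the policy text: only self, Supabase and Stripe may load resources,
// HSTS for 2 years with subdomains, and no framing by any origin.
const SECURITY_HEADERS = {
  "content-security-policy": [
    "default-src 'self'",
    "script-src 'self' https://js.stripe.com",                        // assumed
    "connect-src 'self' https://*.supabase.co https://api.stripe.com", // assumed
    "img-src 'self' data: https:",                                     // assumed
    "style-src 'self' 'unsafe-inline'",                                // assumed
    "frame-ancestors 'none'",                      // clickjacking: no embedding at all
  ].join("; "),
  "strict-transport-security": "max-age=63072000; includeSubDomains; preload", // 2 years
  "x-content-type-options": "nosniff",
  "referrer-policy": "strict-origin-when-cross-origin",               // assumed value
  "permissions-policy": "camera=(), microphone=(), geolocation=(), usb=()",
  "cross-origin-opener-policy": "same-origin",                        // assumed value
  "x-frame-options": "DENY",                                          // legacy fallback
};

// Audit a response's headers (plain object; header names are case-insensitive).
// Returns a list of findings; an empty list means every control on the page is present.
function auditSecurityHeaders(headers) {
  const h = Object.fromEntries(
    Object.entries(headers).map(([k, v]) => [k.toLowerCase(), String(v)]));
  const findings = [];
  const csp = h["content-security-policy"] || "";
  if (!csp) findings.push("missing Content-Security-Policy");
  else if (!/(^|;)\s*frame-ancestors\s+'none'\s*(;|$)/.test(csp))
    findings.push("CSP lacks frame-ancestors 'none'");
  const hsts = h["strict-transport-security"] || "";
  const maxAge = Number((hsts.match(/max-age=(\d+)/) || [])[1] || 0);
  if (maxAge < 63072000) findings.push("HSTS max-age below 2 years");
  if (!/includeSubDomains/i.test(hsts)) findings.push("HSTS lacks includeSubDomains");
  if (h["x-content-type-options"] !== "nosniff") findings.push("X-Content-Type-Options is not nosniff");
  if (!h["referrer-policy"]) findings.push("missing Referrer-Policy");
  if (!h["permissions-policy"]) findings.push("missing Permissions-Policy");
  if (h["cross-origin-opener-policy"] !== "same-origin") findings.push("COOP is not same-origin");
  if ((h["x-frame-options"] || "").toUpperCase() !== "DENY") findings.push("X-Frame-Options is not DENY");
  return findings;
}

// Stand-alone run: the reference set should produce no findings.
console.log(auditSecurityHeaders(SECURITY_HEADERS)); // → []
```

Feeding the function the headers of a live response (for example from `fetch(url).then(r => Object.fromEntries(r.headers))`) turns it into a quick regression check that a deployment has not silently dropped one of these controls.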
Two-Factor Authentication (2FA)
Two-factor authentication adds a second verification step when signing in – making your account much harder to compromise even if your password is guessed or leaked.
We are actively building 2FA support for Hair Wellness Lab accounts using Supabase MFA (multi-factor authentication). When available, you will be able to enable it from your Security Settings.
In the meantime, we recommend using a strong, unique password for your Hair Wellness Lab account and ensuring your email account also has 2FA enabled, since email is your account recovery method.
Account Deletion
You have the right to permanently delete your account and all associated data at any time.
Deletion removes your profile, crown journal entries, quiz results, scalp logs, check-in history, community posts, and all other data linked to your account from our systems. This action is irreversible.
You can request account deletion from your Settings page or from the Security section of your dashboard. You will be asked to type a confirmation phrase before deletion proceeds.
Cookies & Consent
Hair Wellness Lab uses a small number of cookies and browser storage mechanisms.
Essential – Required for authentication, session handling, and core site functionality. These cannot be disabled without breaking the service.
Analytics (optional) – Used to understand how visitors use the site. Only loaded if you explicitly consent via the cookie banner.
Marketing (optional) – Used for newsletters and promotional communications. Only active with your consent.
On your first visit, a cookie consent banner gives you full control over optional categories. You can review and change your preferences at any time via the banner. We store your choice in your browser's localStorage under the key cookie_consent.
Reporting Security Concerns
If you discover a security vulnerability in Hair Wellness Lab, please report it responsibly. Do not publicly disclose the issue until we have had a chance to investigate and address it.
To report a security concern, email us directly at:
hello@hairwellnesslab.com
Please include as much detail as possible: the affected URL, steps to reproduce, and your assessment of the impact. We will acknowledge your report within 3 business days and keep you informed as we work to resolve it.
We appreciate responsible disclosure and thank you for helping us keep the Hair Wellness Lab community safe.
© 2026 Wynn Essentials LLC · All rights reserved
