Encryption in transit
- TLS 1.2+ (TLS 1.3 supported) on every public endpoint, with managed certificates and automated renewal
- Outbound NRS MBS calls are TLS-encrypted through an authenticated egress gateway with a static, NRS-registered IP
- Secure, httpOnly session cookies with short-lived access tokens; HSTS and hardened response headers on the API
- Inbound webhooks verified with HMAC-SHA256 signatures and timestamp validation; strict CORS allowlist; global rate limiting