Security

How we protect the site

Incredible is intentionally small: no login system, no admin surface on the public site, and one simple board for product requests. That makes the attack surface easier to reason about and easier to secure.

Transport security

Traffic to the site is served over HTTPS. Standard browser requests are protected in transit with TLS.

Minimal public surface

The site exposes a small set of routes: marketing pages, a public feedback board, and a narrow board submission API. Login, dashboard, and admin flows have been removed from this fork.

Board data handling

New submissions enter review first. Public board responses include only fields meant to be visible, such as type, title, description, public status, support count, update text, and timestamps. Optional email is stored for follow-up but is not returned in the public board response.

Infrastructure

The website is hosted separately from the board database. When the board backend is configured, submissions are stored in Supabase and the site fetches only the fields needed for the public roadmap view.
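The review gate and field allowlist described under Board data handling and Infrastructure can be sketched as follows. This is an added example, not the site's own code; the column names, the `review_state` flag and its `"approved"` value are assumptions made for illustration.

```javascript
// Added example. All column names are assumed, not taken from the real schema.
const PUBLIC_FIELDS = Object.freeze([
  "type", "title", "description", "public_status",
  "support_count", "update_text", "created_at", "updated_at",
]);
const REVIEW_FIELD = "review_state"; // hypothetical moderation flag

// Columns requested from the database: public fields plus the review flag.
// The email column is never requested, so it cannot reach the web tier.
const SELECT_COLUMNS = [...PUBLIC_FIELDS, REVIEW_FIELD].join(",");

// Copy only allowlisted keys. Anything not named here (email, internal ids,
// columns added later) is dropped by default instead of leaking by default.
function toPublicItem(row) {
  const out = {};
  for (const key of PUBLIC_FIELDS) {
    if (Object.prototype.hasOwnProperty.call(row, key)) out[key] = row[key];
  }
  return out;
}

// Publish only rows that passed review, then project each to public fields.
function buildPublicBoard(rows) {
  return rows
    .filter((row) => row[REVIEW_FIELD] === "approved")
    .map(toPublicItem);
}

// Constructed sample rows, deliberately over-fetched to show the second layer.
const SAMPLE_ROWS = [
  { id: 1, type: "feature", title: "Dark mode", description: "Add a dark theme",
    public_status: "planned", support_count: 12, update_text: "Scheduled",
    created_at: "2024-01-05T10:00:00Z", updated_at: "2024-02-01T09:30:00Z",
    email: "a@example.com", review_state: "approved" },
  { id: 2, type: "bug", title: "Unreviewed report", description: "Pending text",
    public_status: "open", support_count: 0, update_text: "",
    created_at: "2024-02-02T08:00:00Z", updated_at: "2024-02-02T08:00:00Z",
    email: "b@example.com", review_state: "pending" },
];

console.log(SELECT_COLUMNS);
console.log(JSON.stringify(buildPublicBoard(SAMPLE_ROWS), null, 2));
```

Filtering at both the query and the response layer means a schema change that adds a private column does not expose it unless someone also adds it to the allowlist.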

Report an issue

If you find a vulnerability, please report it privately before going public. Email hello@incredible-app.com.