Security & Trust
FightVex handles real payments and personal accounts, so we treat security as a feature, not an afterthought. Here, in plain language, is exactly how we protect you — and an honest note on what security can and can't promise.
Your payment details never touch our servers
All payments run through Stripe Checkout, a PCI-DSS Level 1 certified processor. Your card number is entered on Stripe's own hosted page — it is never sent to, processed by, or stored on FightVex. We only ever receive a confirmation that a payment succeeded, tied to your account. Every message Stripe sends us is cryptographically signature-verified and replay-protected before we act on it, so no one can forge an upgrade.
Your password is never stored in a readable form
We never store, log, or email your password. It is run through scrypt — a deliberately slow, memory-hard hashing function — with a unique random salt per account, and only that one-way hash is saved. Even in the unlikely event of a database leak, passwords cannot simply be read out. Password checks use a constant-time comparison so attackers can't learn anything from timing.
Sessions you control
When you log in we issue an opaque, random session token stored server-side and held in a cookie that is HttpOnly (invisible to scripts), Secure (HTTPS only) and SameSite (resistant to cross-site abuse). The cookie itself carries nothing sensitive. Changing your password instantly revokes every other session on every device — so if you ever suspect something, one password change locks everyone else out.
Locking out attackers
Login is throttled two ways: per source (one machine can't hammer the login) and per account(so an attack spread across many machines still can't grind one victim's account). Sign-ups and sensitive actions are rate-limited too, and we never reveal whether an email is registered.
Encrypted, locked-down delivery
The whole site is served over HTTPS only, with HSTS(browsers refuse to connect insecurely) and a strict set of security headers: a Content-Security-Policy, clickjacking protection (the site can't be framed), MIME-sniffing protection, a tight referrer policy and a locked-down permissions policy. We don't advertise our framework or versions.
We collect little, and watch closely
Your account holds only what it needs — your name, email, the one-way password hash, and your plan. No card data, ever. Failures in payment and account paths raise real-time alerts so problems are caught fast, and access to the data store is restricted and encrypted in transit.
Responsible disclosure
Security is a process, not a finish line. If you find a vulnerability, please tell us first at security@fightvex.com (see our security.txt) — we welcome good-faith reports and will work with you.
The honest part
No website, anywhere, can truthfully promise it is "100% unhackable" — and you should be wary of any that does. What we can promise is defense-in-depth: multiple independent layers so that no single failure exposes you, the smallest blast radius we can manage, and fast detection and recovery. We keep hardening as threats evolve. That is how serious platforms protect people, and it's how we protect you.
FightVex is informational analytics and entertainment, not betting or financial advice. 21+. See our Privacy Policy and Terms.