

Data in Transit

Every conversation with Max is protected by HTTPS, with Strict Transport Security enforced across all subdomains for a full year. Once a browser has seen this header it will refuse to connect over plain HTTP at all. Clickjacking is blocked at the infrastructure level so Max cannot be embedded in external iframes, and content type sniffing is disabled across all responses to prevent browsers from misinterpreting files and executing content they shouldn't. These protections are active on every request without exception.

Data at Rest

Magic Memory is keyed to a cryptographically random identifier generated per device and stored as a hashed file outside the web root, unreachable via any HTTP route. Session cookies are configured as Secure, HttpOnly, and SameSite Strict so they cannot be read by JavaScript, cannot travel over unencrypted connections, and cannot be sent cross-site. All credentials and configuration live two directories above the public web root and are inaccessible to any external request by any route.

Input Security

Every message Max receives is validated before it reaches the model. SQL injection patterns, cross-site scripting vectors, iframe injection attempts, JavaScript execution strings, and encoded payloads are detected and rejected at the application layer before any processing begins. Memory content goes through a second validation covering instruction injection, encoded content, and terminology to block attempts to manipulate Max through stored context. Every endpoint enforces a rate limit of 20 rpm per IP address, with all events written to a security log.
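A check for the header and cookie settings described above, as an added example that is not dogAdvisor's own code: it audits a response's headers for one-year HSTS with includeSubDomains, nosniff, a framing restriction, and Secure, HttpOnly, SameSite=Strict cookies. The page does not name the anti-framing mechanism, so X-Frame-Options or CSP frame-ancestors is assumed; the sample responses and the cookie name are constructed.

```python
import re

YEAR = 31536000  # "a full year" of HSTS, in seconds

def audit_headers(headers):
    """Return findings for one response given as (name, value) pairs."""
    findings = []
    get = lambda n: [v for k, v in headers if k.lower() == n]

    hsts = (get("strict-transport-security") or [""])[0].lower()
    m = re.search(r"max-age\s*=\s*\"?(\d+)", hsts)
    if not m or int(m.group(1)) < YEAR:
        findings.append("hsts: max-age missing or under one year")
    if "includesubdomains" not in hsts:
        findings.append("hsts: includeSubDomains missing")

    if [v.strip().lower() for v in get("x-content-type-options")] != ["nosniff"]:
        findings.append("nosniff: X-Content-Type-Options is not 'nosniff'")

    # Assumption: framing is blocked via X-Frame-Options or CSP frame-ancestors.
    xfo = [v.strip().lower() for v in get("x-frame-options")]
    csp = ";".join(get("content-security-policy")).lower()
    fa = re.search(r"frame-ancestors\s+([^;]+)", csp)
    framed_ok = (xfo and xfo[0] in ("deny", "sameorigin")) or (
        fa and fa.group(1).strip() in ("'none'", "'self'"))
    if not framed_ok:
        findings.append("framing: no X-Frame-Options or frame-ancestors restriction")

    for cookie in get("set-cookie"):
        name = cookie.split("=", 1)[0].strip()
        attrs = {a.strip().lower() for a in cookie.split(";")[1:]}
        for want in ("secure", "httponly", "samesite=strict"):
            if want not in attrs:
                findings.append(f"cookie {name}: missing {want}")
    return findings

# Constructed sample responses; "session" is a hypothetical cookie name.
GOOD = [("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
        ("X-Content-Type-Options", "nosniff"),
        ("X-Frame-Options", "DENY"),
        ("Set-Cookie", "session=abc123; Path=/; Secure; HttpOnly; SameSite=Strict")]
WEAK = [("Strict-Transport-Security", "max-age=86400"),
        ("X-Frame-Options", "ALLOWALL"),
        ("Set-Cookie", "session=abc123; Path=/; HttpOnly; SameSite=Lax")]

if __name__ == "__main__":
    print(audit_headers(GOOD), *audit_headers(WEAK), sep="\n")
```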






[© Copyright] dogAdvisor 2026
London, UK. Est. 24 Aug 2024
