
Locks & auditability

Strong 2FA, scoped tokens, full audit log of the last 30 days, and our CSP — visible so you know what we let into your session.

Posture · score 92/100

strong

Strong password · last changed 18 days ago
14 chars · passes zxcvbn check · not seen in any known breach.

Two-factor authentication via TOTP
1Password authenticator · 6 backup codes generated · last verified 14:02 today.

Magic-link sign-in disabled for admin role
Admin accounts require TOTP. Email-only login disabled to prevent inbox-takeover escalation.
enforced

3 personal API tokens have full scope
Consider rotating to minimum-needed scopes (publish-only / read-only) and shorter expiry.

Email me on new device login
Delivered to alex@studio.com. Last new-device alert: 4 days ago, Frankfurt.

All sessions are HTTPS + HSTS + CT-logged
Strict-Transport-Security: max-age=63072000; includeSubDomains; preload — verified.
infra

Content Security Policy

visible · so you know
default-src: 'self'
script-src: 'self' 'unsafe-inline' (page-level inline scripts; CSP-nonce planned for v0.5)
style-src: 'self' 'unsafe-inline' fonts.googleapis.com
font-src: fonts.gstatic.com
img-src: 'self' data: blob: *.motionsteer.studio cdn.suno.com cdn.runwayml.com cdn.lumalabs.ai klingcdn.com
media-src: 'self' blob: cdn.suno.com *.motionsteer.studio
connect-src: 'self' api.motionsteer.studio api.runwayml.com api.klingai.com api.lumalabs.ai api.openai.com api.anthropic.com api.stripe.com api.elevenlabs.io
frame-ancestors: 'none' · no clickjacking — page cannot be iframed
form-action: 'self' · forms can't submit to third parties

Recent account activity · 30 days

14:02 today
Sign-in · 2FA verified · MacBook Pro · Safari 26
95.217.41.7 · Berlin, DE
current session

May 24 · 18:42
API token created · "CI publish bot" · scope publish · clips:read
sk_live_•••••3a4f · expires Sep 14
95.217.41.7

May 22 · 13:18
Provider key rotated · Runway API
old key revoked · new key valid since May 22
95.217.41.7

May 18 · 22:08
New device sign-in · Linux box · Chrome 132
95.217.41.218 · Frankfurt, DE · email alert sent
approved

May 12 · 09:24
Password changed
old credentials invalidated · 3 sessions revoked
95.217.41.7

May 04 · 14:42
Failed login × 4 · throttled after 4 attempts · CAPTCHA shown
203.0.113.18 (TOR exit) · email warning sent
blocked

Apr 28 · 16:12
Backup codes regenerated · 6 codes · old set invalidated
requires 2FA to view
95.217.41.7