Security Center

How CollegeCBT Protects Students

CollegeCBT is designed for guarded AI exam practice, verified payments, controlled access, and auditable learning records.

Authentication

Firebase identity is synced with server-side session cookies and Convex role checks for protected dashboards and admin surfaces.

Exam Integrity

Questions, responses, timers, scores, and certificates are tied to session ownership with signed-out local fallback for practice continuity.

Payment Verification

Gateway callbacks are validated with provider signatures or verification hashes before subscription activation, with idempotent ledgers.
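
An added illustration of the callback handling described above, not CollegeCBT's own code: the handler verifies the signature over the raw body before trusting any field, then records the event id in a ledger so a retried or replayed callback cannot activate twice. The HMAC-SHA256 scheme, the hex signature format, the field names, the in-memory ledger, and the secret are all assumptions, and the sample callback is constructed.

```javascript
// Added illustration; the signature scheme and every name here are assumptions.
const crypto = require("node:crypto");

// Constructed value; a real secret is read from the runtime environment.
const WEBHOOK_SECRET = "constructed-test-secret";
const ledger = new Map();              // stand-in for a durable ledger keyed by event id
const activeSubscriptions = new Set(); // stand-in for subscription state

function sign(rawBody, secret) {
  return crypto.createHmac("sha256", secret).update(rawBody).digest("hex");
}

function signatureIsValid(rawBody, signatureHex, secret) {
  const expected = Buffer.from(sign(rawBody, secret), "hex");
  const received = Buffer.from(String(signatureHex || ""), "hex");
  // timingSafeEqual throws on unequal lengths, so check length first.
  return received.length === expected.length &&
    crypto.timingSafeEqual(received, expected);
}

function handleCallback(rawBody, signatureHex) {
  // 1. Verify over the exact bytes received, before parsing anything.
  if (!signatureIsValid(rawBody, signatureHex, WEBHOOK_SECRET)) {
    return { status: 401, result: "rejected" };
  }
  let event;
  try { event = JSON.parse(rawBody); } catch { return { status: 400, result: "malformed" }; }
  if (typeof event.id !== "string" || typeof event.userId !== "string") {
    return { status: 400, result: "malformed" };
  }
  // 2. Idempotency: a repeated event id is acknowledged but changes nothing.
  if (ledger.has(event.id)) {
    return { status: 200, result: "duplicate" };
  }
  ledger.set(event.id, { userId: event.userId, amount: event.amount });
  // 3. Activation happens only after verification and the ledger write.
  if (event.type === "payment.succeeded") activeSubscriptions.add(event.userId);
  return { status: 200, result: "processed" };
}

// Constructed sample callback (not real provider data).
const sampleBody = JSON.stringify({
  id: "evt_001", type: "payment.succeeded", userId: "student_42", amount: 1500,
});
const sampleSignature = sign(sampleBody, WEBHOOK_SECRET);
```
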

Data Protection

Private routes are excluded from service-worker caching, sensitive pages use no-store headers, and secrets are read from runtime environments.

Report a Security Issue

Send responsible disclosure reports to [email protected]. Include affected routes, steps to reproduce, impact, and screenshots or logs where safe.