Security & compliance

Security is not a feature.
It's a foundation.

Inno Message was architected with enterprise security standards from day one. Every layer of the stack implements active defences against the OWASP Top 10 — from session management to database queries to API authentication.

Bcrypt password hashing

Adaptive cost factor, a per-password salt generated automatically, and a one-way function that is computationally infeasible to reverse. Verification uses a constant-time comparison to prevent timing attacks.

CSRF token validation

Every mutating request must carry the per-session CSRF token (32 random bytes), which is compared with hash_equals() so the check cannot leak the token through timing. Mismatches are rejected with HTTP 419.

SQL injection prevention

All queries use PDO prepared statements with PDO::ATTR_EMULATE_PREPARES disabled, so statements are prepared server-side and user input travels only as bound parameters, never as part of the SQL text.

XSS sanitisation

User output is escaped with htmlspecialchars (ENT_QUOTES|ENT_HTML5); JSON is escaped for safe embedding in JavaScript.
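The two escaping contexts named above, as an added example (not Inno Message's own code): e() for HTML text and attribute values, js() for a JSON value embedded in a script block. The helper names, the template and the hostile input are constructed for this example; PHP 8 is assumed for the mixed type.

```php
<?php
declare(strict_types=1);

// Added example, not the project's own code. Helper names are assumptions.

/** Escape for an HTML text node or a single/double-quoted attribute value. */
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

/** Encode a value as a JavaScript literal for use inside <script>. The HEX flags
 *  turn < > & ' " into \uXXXX escapes, so a "</script>" inside the data cannot
 *  close the tag, and JSON_THROW_ON_ERROR stops invalid UTF-8 from producing "". */
function js(mixed $value): string
{
    return json_encode(
        $value,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_THROW_ON_ERROR
    );
}

/** Render a small profile fragment from untrusted values. */
function render_profile(string $displayName, array $prefs): string
{
    return '<h1>' . e($displayName) . '</h1>' . "\n"
         . '<input name="display_name" value="' . e($displayName) . '">' . "\n"
         . '<script>window.prefs = ' . js($prefs) . ';</script>';
}

// Hostile input constructed for the example: one payload per context.
$name  = '"><script>alert(1)</script>';
$prefs = ['theme' => 'dark', 'note' => '</script><img src=x onerror=alert(2)>'];

echo render_profile($name, $prefs), PHP_EOL;
// The <h1> and the attribute come out as &quot;&gt;&lt;script&gt;...; the note
// becomes "\u003C\/script\u003E\u003Cimg ..." and stays a string inside the JSON.
```

e() is only correct for HTML text and quoted attribute values; a value placed in a URL, a CSS rule or an unquoted attribute needs its own encoder, and json_encode() output must always land in a position where a JavaScript literal is expected.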

Session hardening

Secure, HttpOnly, SameSite=Lax cookies; the session ID is regenerated on every successful login to defeat fixation.
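The session hardening and the CSRF check described above, as one added example (not Inno Message's own code). It assumes PHP 7.3 or later for the array form of session_set_cookie_params(); the function names, the session key and the `_token` field name are chosen for this example.

```php
<?php
declare(strict_types=1);

// Added example, not the project's own code. Names below are assumptions.

function secure_session_start(): void
{
    if (session_status() === PHP_SESSION_ACTIVE) {
        return;
    }
    session_set_cookie_params([
        'lifetime' => 0,        // session cookie, dropped when the browser closes
        'path'     => '/',
        'secure'   => true,     // only sent over HTTPS
        'httponly' => true,     // not readable from JavaScript
        'samesite' => 'Lax',    // not sent on cross-site POST navigations
    ]);
    // Reject session IDs the server never issued: a fixation attempt cannot
    // pre-seed an ID, and session_regenerate_id(true) at login rotates it anyway.
    ini_set('session.use_strict_mode', '1');
    session_start();
}

/** Issue (or reuse) the token for this session: 32 random bytes, hex-encoded. */
function csrf_token(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

/** True only when a token is present and matches; hash_equals() runs in time
 *  independent of where the two strings first differ. */
function csrf_valid(?string $submitted): bool
{
    $expected = $_SESSION['csrf_token'] ?? '';
    if ($expected === '' || $submitted === null) {
        return false;
    }
    return hash_equals($expected, $submitted);
}

/** Gate every state-changing request; safe methods pass through. */
function require_csrf(): void
{
    $method = $_SERVER['REQUEST_METHOD'] ?? 'GET';
    if (in_array($method, ['GET', 'HEAD', 'OPTIONS'], true)) {
        return;
    }
    $token = $_POST['_token'] ?? $_SERVER['HTTP_X_CSRF_TOKEN'] ?? null;
    if (!csrf_valid($token)) {
        http_response_code(419);
        exit('CSRF token mismatch');
    }
}

// Usage at the top of a handler that mutates state:
secure_session_start();
require_csrf();
```

Emit csrf_token() into a hidden `_token` field (HTML-escaped) in every form, or send it in an X-CSRF-Token header from JavaScript. SameSite=Lax on its own does not stop a request from a compromised sibling subdomain or from a browser without SameSite support, which is why the token check stays.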

API credential isolation

Partners never see gateway credentials. Bearer tokens are the only access mechanism, validated on every request.

Webhook signature verification

Inbound Meta webhooks are verified before any payload is processed: the HMAC-SHA256 signature Meta attaches to each delivery is recomputed over the raw request body with the App Secret and compared with the received value.

Comprehensive audit trails

Payments, messages, settings changes and logins are all tracked with timestamps and user IDs across multiple audit layers.

Authentication architecture

  • PHP-native session management with session_regenerate_id(true) on login
  • Passwords stored with password_hash(PASSWORD_DEFAULT) (bcrypt)
  • Constant-time verification with password_verify()
  • Suspended accounts are force-logged-out on the next request
  • Last-login timestamps recorded for audit visibility
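The authentication flow listed above together with the PDO configuration from the SQL injection section, as one added example (not Inno Message's own code). Assumptions: a MySQL table `users` with columns id, email, password_hash, is_suspended and last_login_at; a bcrypt cost of 12; that session_start() has already run; the function names and session keys are chosen for this example.

```php
<?php
declare(strict_types=1);

// Added example, not the project's own code. Schema and names are assumptions.

const BCRYPT_COST = 12;

function db(string $dsn, string $user, string $pass): PDO
{
    return new PDO($dsn, $user, $pass, [
        PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES   => false, // server-side prepares: values never enter the SQL text
        PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
    ]);
}

function hash_password(string $plain): string
{
    // PASSWORD_DEFAULT is bcrypt today; the salt is generated per call.
    return password_hash($plain, PASSWORD_DEFAULT, ['cost' => BCRYPT_COST]);
}

/** Returns the user id on success, null otherwise, without saying which check failed. */
function login(PDO $pdo, string $email, string $password): ?int
{
    $stmt = $pdo->prepare('SELECT id, password_hash, is_suspended FROM users WHERE email = :email');
    $stmt->execute([':email' => $email]);
    $user = $stmt->fetch();

    // Unknown e-mail: verify against a dummy hash anyway so response time does not
    // reveal which addresses exist. Computed once per process.
    static $dummy = null;
    $dummy ??= hash_password('dummy-password');
    $hash = is_array($user) ? $user['password_hash'] : $dummy;

    $ok = password_verify($password, $hash);           // constant-time comparison inside
    if (!$ok || !is_array($user) || (int)$user['is_suspended'] === 1) {
        return null;
    }

    // Opportunistic upgrade when the cost factor (or algorithm) changed since storage.
    if (password_needs_rehash($hash, PASSWORD_DEFAULT, ['cost' => BCRYPT_COST])) {
        $pdo->prepare('UPDATE users SET password_hash = :h WHERE id = :id')
            ->execute([':h' => hash_password($password), ':id' => $user['id']]);
    }

    // Privilege change: new session ID, old session data deleted, fresh CSRF token.
    session_regenerate_id(true);
    $_SESSION['user_id']    = (int)$user['id'];
    $_SESSION['csrf_token'] = bin2hex(random_bytes(32));

    $pdo->prepare('UPDATE users SET last_login_at = NOW() WHERE id = :id')
        ->execute([':id' => $user['id']]);

    return (int)$user['id'];
}

/** Run on every authenticated request: a suspended user is logged out immediately. */
function require_active_user(PDO $pdo): int
{
    $id = $_SESSION['user_id'] ?? null;
    if ($id !== null) {
        $stmt = $pdo->prepare('SELECT is_suspended FROM users WHERE id = :id');
        $stmt->execute([':id' => $id]);
        $row = $stmt->fetch();
        if (is_array($row) && (int)$row['is_suspended'] === 0) {
            return (int)$id;
        }
    }
    $_SESSION = [];
    session_destroy();
    http_response_code(401);
    exit('Session ended');
}
```

Two caveats worth keeping in mind with this flow: bcrypt only considers the first 72 bytes of the password, so very long passphrases should be length-checked at registration rather than silently truncated, and the dummy-hash branch only equalises timing for the password check, not for the database round trip.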

API & webhook security

  • Bearer tokens validated against active partner status on every call
  • Balance & credit checked before any cost is incurred (HTTP 402 if insufficient)
  • Outbound cURL with TLS peer/host verification and timeouts
  • Meta HMAC-SHA256 signatures verified before processing
  • Placeholder (unconfigured) credentials are detected up front, so the provider errors they would trigger are never leaked externally
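The three controls from the list above that are concrete enough to show, as one added example (not Inno Message's own code): verifying the X-Hub-Signature-256 header Meta sends, authenticating a partner bearer token against active status and balance, and an outbound cURL call with peer and host verification and timeouts. The partner lookup callback, the hashed-token storage and the 402 body are assumptions; PHP 8 is assumed for str_starts_with().

```php
<?php
declare(strict_types=1);

// Added example, not the project's own code. Lookup callback and payloads are assumptions.

/** Meta's header is "sha256=" followed by hash_hmac('sha256', rawBody, appSecret). */
function meta_signature_valid(string $rawBody, ?string $header, string $appSecret): bool
{
    if ($header === null || !str_starts_with($header, 'sha256=')) {
        return false;
    }
    $expected = 'sha256=' . hash_hmac('sha256', $rawBody, $appSecret);
    return hash_equals($expected, $header);   // constant-time; never == or ===
}

/** Webhook endpoint: the signature covers the raw bytes, so read php://input,
 *  never a re-encoded $_POST, and parse JSON only after the check passes. */
function read_verified_meta_event(string $appSecret): array
{
    $raw = file_get_contents('php://input');
    if (!meta_signature_valid($raw, $_SERVER['HTTP_X_HUB_SIGNATURE_256'] ?? null, $appSecret)) {
        http_response_code(403);
        exit;
    }
    return json_decode($raw, true, 512, JSON_THROW_ON_ERROR);
}

/** Authenticate a partner API call. $lookup receives sha256(token) and returns
 *  ['id' => int, 'active' => bool, 'balance' => float] or null. Storing only the
 *  hash means a database dump does not hand out usable tokens. */
function authenticate_partner(callable $lookup, float $cost): array
{
    $auth = $_SERVER['HTTP_AUTHORIZATION'] ?? '';
    if (!preg_match('/^Bearer\s+(\S+)$/i', $auth, $m)) {
        http_response_code(401);
        exit;
    }
    $partner = $lookup(hash('sha256', $m[1]));
    if ($partner === null || !$partner['active']) {
        http_response_code(401);
        exit;
    }
    if ($partner['balance'] < $cost) {                  // checked before any cost is incurred
        http_response_code(402);
        exit(json_encode(['error' => 'insufficient balance']));
    }
    return $partner;
}

/** Outbound provider call: certificate chain and hostname verified, bounded in time. */
function provider_post(string $url, array $json, string $bearer): array
{
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_POST           => true,
        CURLOPT_POSTFIELDS     => json_encode($json, JSON_THROW_ON_ERROR),
        CURLOPT_HTTPHEADER     => ['Content-Type: application/json', 'Authorization: Bearer ' . $bearer],
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_SSL_VERIFYPEER => true,    // validate the chain against the CA bundle
        CURLOPT_SSL_VERIFYHOST => 2,       // and require the certificate name to match
        CURLOPT_PROTOCOLS      => CURLPROTO_HTTPS, // refuse plain http, including on redirect
        CURLOPT_CONNECTTIMEOUT => 5,
        CURLOPT_TIMEOUT        => 15,
    ]);
    $body = curl_exec($ch);
    if ($body === false) {
        $err = curl_error($ch);
        curl_close($ch);
        // Log $err internally; the partner only ever sees a generic failure.
        throw new RuntimeException('provider call failed: ' . $err);
    }
    $status = curl_getinfo($ch, CURLINFO_RESPONSE_CODE);
    curl_close($ch);
    return ['status' => $status, 'body' => json_decode($body, true)];
}
```

One deployment check for the bearer-token path: when PHP runs under Apache as CGI or FPM, the Authorization header is not passed to PHP by default, so $_SERVER['HTTP_AUTHORIZATION'] is empty until `CGIPassAuth On` (Apache 2.4.13+) or an equivalent SetEnvIf rule is configured; the symptom is every partner call failing with 401.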

Defence in depth

Protection across every layer

Infrastructure security

Runs over Apache with mod_rewrite directory protection and HTTPS enforcement. Deployable to hardened shared, VPS or dedicated hosting.

Data protection

Sensitive credentials (API keys, tokens) are masked in the UI after entry. utf8mb4 InnoDB storage with indexed, parameterised access.

Encryption in transit

All external provider calls use TLS with certificate verification; the application enforces HTTPS-only secure cookies.

Access control

Role-based access with 18 granular permissions enforces least privilege; suspended users lose access immediately.

Backup & recovery

Standard MySQL backup tooling and a fallback file logger that captures webhook payloads even if the database is unavailable.

Resilience

Webhooks acknowledge with HTTP 200 before processing to prevent provider timeout retries; deduplication prevents double-processing.
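The acknowledge-first pattern and the deduplication described above, together with the fallback file logger from Backup & recovery, as one added example (not Inno Message's own code). Assumptions: PHP-FPM (for fastcgi_finish_request()), a MySQL table `webhook_events` whose event_id column is the primary key, a caller that has already verified the signature and extracted a stable event identifier (for WhatsApp, the message id), and the fallback log path.

```php
<?php
declare(strict_types=1);

// Added example, not the project's own code. Table, path and names are assumptions.

/** Send the 200 and release the provider's connection; PHP keeps running afterwards. */
function ack_now(): void
{
    http_response_code(200);
    header('Content-Length: 0');
    header('Connection: close');
    if (function_exists('fastcgi_finish_request')) {
        fastcgi_finish_request();   // response flushed, worker continues with processing
    } else {
        flush();
    }
    ignore_user_abort(true);        // the provider has gone; do not let that abort us
}

/** Record the event id; true if it was new, false if this is a replayed delivery.
 *  The primary key does the deduplication atomically, so two concurrent deliveries
 *  of the same event cannot both claim it. */
function claim_event(PDO $pdo, string $eventId, string $raw): bool
{
    try {
        $stmt = $pdo->prepare(
            'INSERT INTO webhook_events (event_id, received_at, payload) VALUES (:id, NOW(), :p)'
        );
        $stmt->execute([':id' => $eventId, ':p' => $raw]);
        return true;
    } catch (PDOException $e) {
        if ($e->getCode() === '23000') {   // SQLSTATE integrity constraint violation: duplicate
            return false;
        }
        throw $e;                         // anything else really is a database failure
    }
}

/** Last-resort capture when the database is down: append-only, one JSON line per event. */
function fallback_log(string $raw, string $path = '/var/log/innomsg/webhook-fallback.jsonl'): void
{
    $line = json_encode(['ts' => gmdate(DATE_ATOM), 'body' => $raw], JSON_THROW_ON_ERROR);
    file_put_contents($path, $line . "\n", FILE_APPEND | LOCK_EX);
}

/** Entry point after signature verification (not shown here). */
function receive(?PDO $pdo, string $raw, string $eventId, callable $process): void
{
    ack_now();                                 // provider gets its 200 before any work
    try {
        if ($pdo === null) {
            throw new PDOException('database unavailable');
        }
        if (!claim_event($pdo, $eventId, $raw)) {
            return;                            // replayed delivery: already processed
        }
    } catch (PDOException $e) {
        fallback_log($raw);                    // keep the payload for later replay
        return;
    }
    $process(json_decode($raw, true, 512, JSON_THROW_ON_ERROR));
}
```

The trade-off is that once the 200 has gone out the provider will not retry, so any failure inside $process must be logged and retried locally; the fallback file gives the same replay path when the database itself is the failure. Acknowledge only after the signature check has passed, so that forged requests are never recorded as events.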

Vulnerability management

An OWASP-aligned secure-by-design approach with a coordinated disclosure channel for researchers and customers.

Incident response

Multi-layer logging (audit, payments, webhooks, messaging) supports rapid investigation and a defined response process.

Compliance enablement

Technical controls — access control, permissions, audit trails and data-deletion — support GDPR-aligned operations.

Compliance posture

Inno Message provides the technical controls organisations need to operate compliantly. Certification status reflects current posture and is updated in the Trust Center.

  • OWASP Top 10 aligned
  • GDPR-ready controls
  • Data access & deletion
  • Audit logging
  • Encryption in transit

Responsible disclosure

If you believe you've found a security issue, please email [email protected]. We acknowledge reports promptly and will work with you on a coordinated fix. Please do not publicly disclose until we've had a chance to remediate.