Security is foundational for a game platform. Here's what we shipped:
- Sandboxed iframes — every game runs with
sandbox="allow-scripts allow-popups"restrictions - Origin isolation — games are served from a separate origin, preventing cookie/storage access to your account
- CSP headers — strict Content Security Policy prevents unauthorized script injection
- No top-navigation — games cannot redirect the parent page
- Referrer policy —
no-referrerprevents data leakage to game servers