
Security Center
How WorkHorse Enterprise protects accounts, payments, escrow activity, messages, uploaded files, and marketplace transactions.
Account Protection
Secure sessions, password hashing, CSRF checks, approval workflows, captcha controls, and role-based access control.
Payment Safety
Wallet funding, escrow records, provider references, webhook logging, and transaction status tracking.
Escrow Protection
Employer funds can be held securely while project milestones, delivery records, and dispute evidence are reviewed.
1. Secure Authentication
WorkHorse Enterprise supports secure login flows using password hashing, session controls, captcha protection, approval status checks, and logout handling. User accounts should not become active until the configured approval or email verification process has completed.
2. Role-Based Access Control
The platform separates access by role, including administrator, employer, freelancer, and other privileged users. Administrative areas, escrow management, payment controls, dashboards, and sensitive account functions should be protected using server-side authorization checks.
3. CSRF Protection
Forms that modify data should include CSRF tokens. These tokens help prevent unauthorized form submissions from external sites and protect actions such as deposits, withdrawals, refunds, notifications, profile updates, and admin approvals.
4. XSS Protection
User-generated content should be escaped before output using safe HTML encoding. This includes names, job posts, messages, reviews, notification text, profile content, and uploaded file metadata.
5. SQL Injection Protection
All database access should use prepared statements with bound parameters. Never concatenate raw user input directly into SQL queries for login, search, filters, pagination, payments, messages, or admin actions.
6. Password and Session Security
- Use PHP password_hash() and password_verify() for credentials.
- Regenerate session IDs after login and privilege changes.
- Set secure, HTTP-only, same-site cookies in production.
- Expire inactive sessions after a reasonable period.
- Do not store plaintext passwords.
7. File Upload Security
Uploaded resumes, avatars, work samples, and attachments should be validated for file type, size, and storage location. Files should be renamed safely, stored outside executable paths when possible, and scanned where your hosting environment supports scanning.
9. Notifications and Messaging
Messages and notifications should be limited to authenticated users and filtered by the logged-in user’s account ID. Users should not be able to view messages, alerts, invoices, payments, or files belonging to another account.
10. Audit Logs
Important events should be logged, including login attempts, failed authentication, payment status changes, webhook callbacks, escrow actions, refund approvals, admin actions, and profile updates.
11. Rate Limiting
Login, registration, password reset, payment initiation, message sending, and captcha refresh actions should be rate-limited to reduce abuse, spam, credential stuffing, and automated attacks.
12. Reporting Security Issues
If you discover a security issue, please contact us at security@workhorse.com. Include the affected page, steps to reproduce, screenshots if safe, and your contact information.