MatchmakingPK is built with security-first principles. This page explains every technical and operational measure we use to protect your personal information.
All data transmitted between your browser and our servers is encrypted using TLS (Transport Layer Security). We enforce HTTPS on every page — unencrypted HTTP connections are automatically redirected.
HSTS (HTTP Strict Transport Security)
Browsers are instructed to only connect to MatchmakingPK over HTTPS for a minimum of one year, preventing downgrade attacks.
TLS 1.2 / 1.3 Encryption
All API calls, profile data, messages, and file uploads are encrypted in transit using modern TLS protocols.
Secure CDN for media files
Profile photos and payment screenshots are served via a secure CDN with HTTPS-only access. Direct file enumeration is prevented with randomised storage keys.
Our Content Security Policy prevents cross-site scripting (XSS) attacks by restricting which scripts, styles, images, and connections are permitted on every page.
Script source restriction
Only scripts from our own domain and trusted CDNs (Google Fonts) are permitted. Inline scripts are blocked.
Frame protection (X-Frame-Options)
The site cannot be embedded in an iframe on another domain, preventing clickjacking attacks.
MIME type enforcement (X-Content-Type-Options)
Browsers are instructed not to guess content types, preventing MIME-sniffing attacks.
Referrer Policy
Only the origin (not the full URL) is sent in referrer headers, protecting sensitive URL parameters from leaking to third parties.
Permissions Policy
Access to device features (camera, microphone, geolocation) is restricted. Camera access is only permitted on the profile photo upload page.
MatchmakingPK uses Manus OAuth — a secure, battle-tested authentication system — so we never store your password. Sessions are managed with signed, encrypted cookies.
OAuth 2.0 via Manus Identity
Login is handled by the Manus OAuth portal, which supports email verification, Google, Apple, and GitHub sign-in. We never see or store your password.
HttpOnly session cookies
Session tokens are stored in HttpOnly cookies, meaning they cannot be accessed by JavaScript — protecting against XSS-based session theft.
Secure cookie flag
Session cookies are only transmitted over HTTPS connections. They are never sent over unencrypted HTTP.
SameSite cookie policy
Cookies use SameSite=None (with Secure) to support the OAuth redirect flow, preventing cross-site request forgery (CSRF) in standard browser contexts.
JWT-signed sessions
Session data is signed with a server-side secret (JWT_SECRET). Tampered or forged session tokens are automatically rejected.
We follow a strict need-to-know principle. Sensitive profile data is only revealed after explicit consent (an accepted proposal).
Mobile number privacy
Your mobile number is stored privately and only shared in the proposal acceptance email and Messages page when a proposal is accepted by both parties.
Wali/Guardian details privacy
Guardian contact information is never shown publicly. It is only revealed on the Profile View page to users who have an accepted proposal with that profile.
Payment screenshot privacy
JazzCash payment screenshots are stored securely on S3 with randomised keys and are only visible to platform administrators.
Role-based access control
Admin-only operations (approving profiles, verifying payments, banning users) are protected by server-side role checks. Regular users cannot access admin procedures.
Cross-Origin Resource Policy (CORP)
Resources are restricted to same-site requests, preventing cross-origin data leakage.
Cross-Origin Opener Policy (COOP)
Set to same-origin-allow-popups to support the OAuth login popup while isolating our browsing context from other origins.
Input validation with Zod
All API inputs are validated server-side using strict Zod schemas. Malformed or unexpected data is rejected before reaching the database.
Parameterised SQL queries (Drizzle ORM)
All database queries use parameterised statements via Drizzle ORM, preventing SQL injection attacks.
Rate limiting on sensitive endpoints
Authentication and OTP endpoints are rate-limited to prevent brute-force attacks.
To benefit from all security features, we recommend using an up-to-date version of one of the following browsers. Some features (such as secure cookies) are not supported in Safari Private Browsing or browsers with aggressive third-party cookie blocking.
Not supported: Internet Explorer, Safari Private Browsing, Firefox Strict Enhanced Tracking Protection, and Brave with Aggressive Shields. These browsers block the secure cookies required for login.
Admin profile approval
Every new profile is reviewed by our admin team before it appears in search results. Profiles that violate our community guidelines are rejected or removed.
Family Verified badge
Profiles marked as 'Family Approved' indicate that the user's wali/guardian has reviewed and approved the profile, providing an additional trust signal for other families.
Report & block system
Users can report suspicious profiles or block unwanted contact at any time. Reports are reviewed by our admin team within 24 hours.
Payment verification
Premium package activations require manual admin review of the JazzCash payment screenshot before access is granted.
If you discover a security vulnerability or have concerns about how your data is handled, please contact us immediately. We take all security reports seriously and aim to respond within 48 hours.
Security Contact
Email: [email protected]
Please include a description of the issue, steps to reproduce, and any relevant screenshots or logs.