We release patches for security vulnerabilities for the following versions:
| Version | Supported |
|---|---|
| 1.x.x | ✅ |
| < 1.0 | ❌ |
We take security vulnerabilities seriously. If you discover a security issue, please report it responsibly.
Please DO NOT open a public GitHub issue for security vulnerabilities.
Instead, please email your findings to:
Or use GitHub's private vulnerability reporting feature:
- Navigate to the Security tab
- Click "Report a vulnerability"
- Fill out the form with details
When reporting a vulnerability, please include:
- Description of the vulnerability
- Steps to reproduce the issue
- Potential impact of the vulnerability
- Suggested fix (if you have one)
- Your contact information for follow-up
- Within 24 hours: We'll acknowledge receipt of your report
- Within 72 hours: We'll provide an initial assessment
- Within 7 days: We'll share a timeline for a fix
- Once fixed: We'll publicly acknowledge your responsible disclosure (with your permission)
- **Keep dependencies updated**
  ```bash
  npm audit
  npm update
  ```
- **Use environment variables for secrets**
  - Never commit `.env.local` files
  - Never hardcode API keys or passwords
  - Use strong, unique passwords
- **Enable Supabase Row Level Security (RLS)**
  - Ensure all tables have RLS policies
  - Test policies thoroughly
  - Follow the principle of least privilege
- **Secure your Supabase project**
  - Enable 2FA on your Supabase account
  - Rotate API keys regularly
  - Use the service role key only server-side
  - Monitor access logs
- **Configure CORS properly**
  - Only allow trusted origins
  - Don't use `*` in production
  - Update allowed origins as needed
- **Use HTTPS in production**
  - Never run production HTTP-only
  - Enable HTTPS for all API calls
  - Use secure cookies
- **Input Validation**
  ```typescript
  import { z } from 'zod';

  // Illustrative schema; the real schema lives with the incident model
  const IncidentSchema = z.object({
    title: z.string().min(1).max(200),
    description: z.string().optional(),
  });

  // Always validate and sanitize user input
  function createIncident(data: unknown) {
    const validated = IncidentSchema.parse(data); // Use Zod or similar; throws on invalid input
    // ... rest of logic
  }
  ```
- **SQL Injection Prevention**
  ```typescript
  // GOOD: Use parameterized queries
  const { data } = await supabase
    .from('incidents')
    .select('*')
    .eq('id', userId);

  // BAD: Never concatenate user input
  // await supabase.rpc('raw_sql', { query: `SELECT * FROM incidents WHERE id = ${userId}` })
  ```
- **XSS Prevention**
  - React escapes content by default
  - Be careful with `dangerouslySetInnerHTML`
  - Sanitize rich text content
  - Use Content Security Policy (CSP)
- **Authentication & Authorization**
  ```typescript
  // Always verify user authentication
  export async function GET(request: Request) {
    const supabase = createServerClient(); // project helper that builds a server-side Supabase client
    const { data: { user }, error } = await supabase.auth.getUser();

    if (error || !user) {
      return new Response('Unauthorized', { status: 401 });
    }

    // Check authorization for the specific resource being requested
    const resourceId = new URL(request.url).searchParams.get('id');
    const canAccess = resourceId !== null && await checkPermissions(user.id, resourceId);

    if (!canAccess) {
      return new Response('Forbidden', { status: 403 });
    }

    // ... rest of logic
  }
  ```
- **File Upload Security**
  - Validate file types
  - Limit file sizes
  - Scan for malware
  - Store files outside the webroot
  - Use signed URLs for access
- **Rate Limiting**
  ```typescript
  // Implement rate limiting for sensitive endpoints
  import rateLimit from 'express-rate-limit';

  const limiter = rateLimit({
    windowMs: 15 * 60 * 1000, // 15 minutes
    max: 100 // limit each IP to 100 requests per windowMs
  });
  ```
- **Logging & Monitoring**
  - Log authentication attempts
  - Monitor for suspicious activity
  - Don't log sensitive data (passwords, tokens)
  - Set up alerts for anomalies
- **Dependency Security**
  - Run `npm audit` regularly
  - Keep dependencies updated
  - Use `npm audit fix` for automated fixes
  - Review security advisories
- **API Token Security**
  - Generate cryptographically random tokens
  - Hash tokens before storing
  - Implement token expiration
  - Allow token revocation
  - Use scoped permissions
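As an added example (not the project's own code), the five points above combined in TypeScript using only `node:crypto`; the `Scope` names and the in-memory `tokens` map are hypothetical stand-ins for the project's real scopes and token table.

```typescript
import { randomBytes, createHash, timingSafeEqual } from 'node:crypto';

// Scopes a token may carry (hypothetical names for this example).
type Scope = 'incidents:read' | 'incidents:write';

interface StoredToken {
  id: string;        // public token id, safe to log
  hash: string;      // sha256 of the secret; the secret itself is never stored
  scopes: Scope[];
  expiresAt: number; // epoch milliseconds
  revoked: boolean;
}

// In-memory store standing in for a database table.
const tokens = new Map<string, StoredToken>();

function hashSecret(secret: string): string {
  return createHash('sha256').update(secret).digest('hex');
}

// Issue a token of the form "<id>.<secret>"; only the hash of the secret is persisted.
function issueToken(scopes: Scope[], ttlMs: number, now = Date.now()): string {
  const id = randomBytes(8).toString('hex');
  const secret = randomBytes(32).toString('base64url');
  tokens.set(id, { id, hash: hashSecret(secret), scopes, expiresAt: now + ttlMs, revoked: false });
  return `${id}.${secret}`;
}

function revokeToken(id: string): void {
  const t = tokens.get(id);
  if (t) t.revoked = true;
}

// Verify a presented token and check that it carries the required scope.
function verifyToken(presented: string, requiredScope: Scope, now = Date.now()): boolean {
  const dot = presented.indexOf('.');
  if (dot < 0) return false;
  const t = tokens.get(presented.slice(0, dot));
  if (!t || t.revoked || now >= t.expiresAt) return false;
  const a = Buffer.from(hashSecret(presented.slice(dot + 1)), 'hex');
  const b = Buffer.from(t.hash, 'hex');
  // Constant-time comparison so a mismatch leaks no timing information.
  if (a.length !== b.length || !timingSafeEqual(a, b)) return false;
  return t.scopes.includes(requiredScope);
}
```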
- **Development**
  - Use separate Supabase projects for dev/prod
  - Never use production credentials locally
  - Use dummy data for testing
  - Keep test databases isolated
- **Production**
  - Use environment variables
  - Enable all security headers
  - Set up monitoring and alerting
  - Run regular security audits
  - Implement backup procedures
Ensure RLS is enabled on all tables:
```sql
ALTER TABLE incidents ENABLE ROW LEVEL SECURITY;

CREATE POLICY "Users can view their organization's incidents"
  ON incidents FOR SELECT
  USING (organization_id = (SELECT organization_id FROM profiles WHERE id = auth.uid()));
```

- Authenticate WebSocket connections
- Validate all incoming messages
- Implement rate limiting
- Use secure WebSocket (wss://) in production
- Validate file types on upload
- Implement size limits (currently 2MB)
- Scan uploaded files for malware
- Use signed URLs with expiration
- Implement access controls
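An added example (not the project's code) that applies the list above in TypeScript: a size check against the current 2MB limit, type detection from the file's leading bytes rather than the client-declared Content-Type, and a server-generated storage name; the set of allowed types is an assumption for this example.

```typescript
import { randomBytes } from 'node:crypto';

// Maximum accepted upload size; the current project limit is 2MB.
const MAX_UPLOAD_BYTES = 2 * 1024 * 1024;

// Allowed types (assumed for this example), identified by their leading bytes rather than
// by the client-supplied filename or Content-Type, both of which the uploader controls.
const MAGIC: { mime: string; bytes: number[]; ext: string }[] = [
  { mime: 'image/png',       bytes: [0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a], ext: 'png' },
  { mime: 'image/jpeg',      bytes: [0xff, 0xd8, 0xff],                               ext: 'jpg' },
  { mime: 'application/pdf', bytes: [0x25, 0x50, 0x44, 0x46, 0x2d],                   ext: 'pdf' }, // "%PDF-"
];

type UploadCheck = { ok: true; mime: string; storageName: string } | { ok: false; reason: string };

function detectMime(data: Uint8Array): string | null {
  for (const { mime, bytes } of MAGIC) {
    if (data.length >= bytes.length && bytes.every((b, i) => data[i] === b)) return mime;
  }
  return null;
}

// The storage name is generated server-side: the client filename is never reused, so path
// characters or a misleading extension in it never reach the filesystem or bucket.
function storageName(mime: string): string {
  const ext = MAGIC.find((m) => m.mime === mime)!.ext;
  return `${randomBytes(16).toString('hex')}.${ext}`;
}

// Validate an upload: size limit first (cheap), then content sniffing, then require the
// declared type to agree with what the bytes actually are.
function validateUpload(data: Uint8Array, declaredMime: string): UploadCheck {
  if (data.length === 0) return { ok: false, reason: 'empty file' };
  if (data.length > MAX_UPLOAD_BYTES) return { ok: false, reason: 'file exceeds the 2MB limit' };
  const sniffed = detectMime(data);
  if (sniffed === null) return { ok: false, reason: 'unsupported or unrecognised file type' };
  if (sniffed !== declaredMime) {
    return { ok: false, reason: `declared ${declaredMime} but content is ${sniffed}` };
  }
  return { ok: true, mime: sniffed, storageName: storageName(sniffed) };
}
```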
Recommended security headers for production:
```javascript
// next.config.js
module.exports = {
  async headers() {
    return [
      {
        source: '/:path*',
        headers: [
          {
            key: 'X-DNS-Prefetch-Control',
            value: 'on'
          },
          {
            key: 'Strict-Transport-Security',
            value: 'max-age=63072000; includeSubDomains; preload'
          },
          {
            key: 'X-Frame-Options',
            value: 'SAMEORIGIN'
          },
          {
            key: 'X-Content-Type-Options',
            value: 'nosniff'
          },
          {
            key: 'X-XSS-Protection',
            value: '1; mode=block'
          },
          {
            key: 'Referrer-Policy',
            value: 'origin-when-cross-origin'
          },
          {
            key: 'Permissions-Policy',
            value: 'camera=(), microphone=(), geolocation=()'
          }
        ]
      }
    ];
  }
};
```

This project aims to follow:
- OWASP Top 10 guidelines
- CWE/SANS Top 25 Most Dangerous Software Errors
- GDPR requirements for data protection
Before deploying to production:
- All environment variables are set
- HTTPS is enabled
- RLS policies are configured on all tables
- API keys are not hardcoded
- CORS is configured properly
- Security headers are set
- File upload validation is implemented
- Rate limiting is in place
- Authentication is required for all protected routes
- Input validation is implemented
- Dependencies are up to date
- `npm audit` shows no vulnerabilities
- Monitoring and logging are set up
- Backup procedures are in place
If you have questions about security, please email [email protected]
Thank you for helping keep ANTOPS secure!