Skip to content

Security: lnflash/merchant-signup

Security

docs/SECURITY.md

Security Policy

Reporting a Vulnerability

If you discover a security vulnerability in this project, please report it by emailing [email protected] or by creating a confidential issue. We take all security reports seriously and will respond promptly.

Security Measures

This application implements the following security measures:

Storage Security

  • All storage buckets for user uploads are private by default
  • Row Level Security (RLS) policies enforce proper access control
  • Files are stored with cryptographically secure random names
  • Storage access is restricted to authenticated users only
  • File uploads use cryptographically secure naming patterns
  • Storage buckets have restricted visibility settings

API Security

  • Error responses provide minimal information to clients (no leaking of internal details)
  • All user inputs are validated and sanitized
  • Detailed error information is only logged server-side, not exposed to clients
  • Reference IDs are generated for tracking issues without exposing sensitive data
  • CSRF protection implemented for all form submissions
  • Double submit cookie pattern to prevent CSRF attacks

Data Protection

  • Sensitive data is redacted in logs
  • User credentials are never stored in client-side code
  • Only necessary information is collected from users
  • Form submissions validate data both client-side and server-side
  • Database access restricted by Row Level Security policies
  • Records linked to user accounts with proper ownership checks

Authentication

  • Supabase authentication is used to secure access to sensitive operations
  • File uploads require valid authentication
  • Row-level security policies enforce proper data access
  • API endpoints require authentication
  • User data is only accessible to the user who created it

CSRF Protection

  • All forms include CSRF tokens
  • Form submissions require valid CSRF tokens
  • CSRF tokens are linked to user sessions
  • CSRF validation is implemented using the double submit cookie pattern
  • CSRF tokens expire after a limited time

Future Security Enhancements

  • Implement API rate limiting
  • Implement Content Security Policy (CSP) headers
  • Add two-factor authentication for admin accounts
  • Implement IP-based suspicious activity detection
  • Add audit logging for sensitive operations
  • Conduct regular security audits

There aren’t any published security advisories