This project uses environment variables to store sensitive configuration data. Never commit actual credentials to the repository.
- `.env.example` - Template with placeholder values (safe to commit)
- `.env.local.example` - Template for local development (safe to commit)
- `.env.local` - Contains real credentials (never commit)
- `.env` - May contain real credentials (never commit)
- Copy the example file:

  ```sh
  cd idea-vault
  cp .env.local.example .env.local
  ```

- Add your own Supabase credentials to `.env.local`
- Never commit files containing real API keys or database URLs
- All environment files with real credentials are in `.gitignore`
- Use GitHub Secrets for CI/CD deployment
- Rotate keys if accidentally exposed
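A startup check that follows from the steps above, added here as an example and not part of the idea-vault project: it parses a copied `.env.local`, refuses values still equal to the template placeholders, and confirms the file is covered by `.gitignore`. The variable names `NEXT_PUBLIC_SUPABASE_URL` and `NEXT_PUBLIC_SUPABASE_ANON_KEY` and the sample file contents are assumptions.

```javascript
// Added example (not idea-vault's own code); the two variable names are assumed.
const REQUIRED = ["NEXT_PUBLIC_SUPABASE_URL", "NEXT_PUBLIC_SUPABASE_ANON_KEY"];
// Constructed samples standing in for .env.local.example and .gitignore.
const TEMPLATE = "# copy to .env.local and fill in\n" +
  "NEXT_PUBLIC_SUPABASE_URL=https://your-project.supabase.co\n" +
  "NEXT_PUBLIC_SUPABASE_ANON_KEY=\"your-anon-key\"\n";
const GITIGNORE = ".env*\n!.env.example\n!.env.local.example\n";
// Minimal .env parser: KEY=VALUE lines, '#' comments, optional matching quotes.
function parseEnv(text) {
  const vars = {};
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    if (!line || line.startsWith("#")) continue;
    const eq = line.indexOf("=");
    if (eq < 1) continue;
    let value = line.slice(eq + 1).trim();
    if (/^(['"]).*\1$/.test(value)) value = value.slice(1, -1);
    vars[line.slice(0, eq).trim()] = value;
  }
  return vars;
}

// A required key that is absent, empty, or identical to the template's
// placeholder means real credentials were never added. Returns the problems.
function checkEnv(localText, templateText = TEMPLATE) {
  const local = parseEnv(localText), tmpl = parseEnv(templateText);
  const problems = [];
  for (const key of REQUIRED) {
    if (!local[key]) problems.push(`${key} is missing or empty`);
    else if (local[key] === tmpl[key]) problems.push(`${key} still holds the template placeholder`);
  }
  return problems;
}

// Simplified .gitignore matching for a top-level file: '*' matches within one
// path segment, '!' negates, and the last matching pattern wins (as in git).
function isIgnored(filename, gitignoreText = GITIGNORE) {
  let ignored = false;
  for (const raw of gitignoreText.split(/\r?\n/)) {
    const pat = raw.trim();
    if (!pat || pat.startsWith("#")) continue;
    const negate = pat.startsWith("!");
    const body = (negate ? pat.slice(1) : pat).replace(/^\//, "");
    const esc = (s) => s.replace(/[.+?^${}()|[\]\\]/g, "\\$&");
    const re = new RegExp("^" + body.split("*").map(esc).join("[^/]*") + "$");
    if (re.test(filename)) ignored = !negate;
  }
  return ignored;
}
```

Running `checkEnv` on a freshly copied template reports both placeholders, which is the state a developer is in right after the `cp` step and before adding real credentials.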
If you discover a security vulnerability, please:
- DO NOT open a public issue
- Email the maintainers directly
- Include detailed information about the vulnerability
- Allow time for the issue to be addressed before public disclosure
- Keep dependencies updated
- Use Row Level Security (RLS) in Supabase
- Validate all user inputs
- Use HTTPS in production
- Implement proper authentication checks
- Follow the principle of least privilege
- Environment variables are set in the deployment platform
- Database RLS policies are enabled
- API keys have appropriate permissions
- CORS is properly configured
- Rate limiting is implemented
- Input validation is in place