| Version | Supported |
|---|---|
| 0.x.x | ✅ |
Do not open public issues for security vulnerabilities.
Email security reports to: security@awews.com
Include:
- Description of the vulnerability
- Steps to reproduce
- Potential impact
- Suggested fix (if any)
Response time:
- Initial response: Within 48 hours
- Status update: Within 7 days
- Fix timeline: Depends on severity
- **Never commit secrets**
  - Use `.env.local` for credentials and keep it out of version control
  - Review staged changes before you commit: `git diff --cached`
  - Use
- **Input validation**
  - Validate user input with Zod schemas on the server, not only in the browser
  - Sanitize and type-check values before they reach the database
- **Database security**
  - Always enable Row Level Security (RLS) on every table in the `public` schema; a table without RLS is fully readable and writable with the public anon key
  - Test policies from an incognito window (logged out, anon key only) and as a second, unrelated user, not only as the row owner
  - Use parameterized queries; the Supabase client parameterizes for you, so never concatenate user input into SQL yourself, including inside database functions called via `rpc()`
- **Authentication**
  - Never store passwords in plaintext (Supabase Auth hashes them for you)
  - Use Supabase Auth for session management
  - Implement CSRF protection for mutations: with cookie-based sessions the browser attaches the session cookie to cross-site requests, so check the request origin or require a token on every state-changing request
- **Strong passwords**
  - Minimum 12 characters
  - Mix of letters, numbers, symbols
- **Keep updated**
  - Update to the latest version when released
  - Review changelogs for security fixes
- **Data privacy**
  - All data encrypted in transit (TLS 1.3)
  - Database encrypted at rest (AES-256)
  - No data sold or shared with third parties
We follow coordinated disclosure:
1. Report received
2. Vulnerability confirmed
3. Fix developed and tested
4. Security advisory published
5. Credit given to reporter (if desired)
- Offline sync queue: Operations queued in IndexedDB are stored unencrypted, so anyone with access to the browser profile can read them. Do not put sensitive data in the offline queue.
- Browser storage: Session tokens are kept in httpOnly cookies, so page JavaScript (including injected scripts) cannot read them.
- API keys: The Supabase anon key is safe to ship to the browser only because RLS enforces access control, so every table reachable through the API must have RLS enabled. The `service_role` key bypasses RLS and must never be exposed to the client.
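The two points above ("always enable RLS" under Database security, and "the anon key is public-safe because RLS enforces access control") are only true when policies exist and have been tested from the roles the API actually uses. The following SQL is an added example, not part of this project's schema: it sets up owner-scoped RLS on a hypothetical `public.notes` table and then checks the policies from SQL as the `anon` and `authenticated` roles, which is what an incognito-window test does through the API. It assumes a Supabase Postgres database (`auth.uid()`, the `anon` and `authenticated` roles) and that it is run as the `postgres` role in the SQL editor or psql; the table and column names are assumptions.

```sql
-- Added example (not this project's code): owner-scoped RLS on a hypothetical
-- public.notes table, plus an in-SQL policy test as anon and authenticated.
-- Assumes Supabase Postgres: auth.uid(), anon/authenticated roles, run as postgres.

create table if not exists public.notes (
  id       uuid primary key default gen_random_uuid(),
  owner_id uuid not null default auth.uid(),
  body     text not null
);

-- 1. Turn RLS on. Without this every row is readable and writable with the
--    public anon key, because the Data API exposes all tables in `public`.
--    Note: the table owner still bypasses RLS unless you also run
--    `alter table public.notes force row level security`.
alter table public.notes enable row level security;

-- 2. One policy per command, restricted to the authenticated role.
--    `using` filters rows being read/updated/deleted; `with check` validates
--    rows being written. No policy is created for anon, so unauthenticated
--    requests carrying only the anon key match nothing (RLS denies by default).
create policy "notes: owner can read"
  on public.notes for select
  to authenticated
  using (owner_id = auth.uid());

create policy "notes: owner can insert"
  on public.notes for insert
  to authenticated
  with check (owner_id = auth.uid());

create policy "notes: owner can update"
  on public.notes for update
  to authenticated
  using (owner_id = auth.uid())
  with check (owner_id = auth.uid());

create policy "notes: owner can delete"
  on public.notes for delete
  to authenticated
  using (owner_id = auth.uid());

-- 3. Test the policies the way the API hits them. PostgREST switches to the
--    JWT's role and publishes the verified claims in request.jwt.claims;
--    auth.uid() reads the `sub` claim from there. set_config(..., true) and
--    `set local` are transaction-scoped, so everything is undone by rollback.
begin;
  -- Seed rows for two users (constructed UUIDs) while still the table owner.
  insert into public.notes (owner_id, body) values
    ('11111111-1111-1111-1111-111111111111', 'alice note'),
    ('22222222-2222-2222-2222-222222222222', 'bob note');

  -- Anonymous request: anon role, no JWT. The count shows how many rows an
  -- incognito visitor with only the anon key could read.
  set local role anon;
  select count(*) as rows_visible_to_anon from public.notes;

  -- Authenticated request as alice. Only rows with her owner_id should
  -- satisfy the select policy.
  set local role authenticated;
  select set_config('request.jwt.claims',
    '{"sub":"11111111-1111-1111-1111-111111111111","role":"authenticated"}',
    true);
  select owner_id, body from public.notes;

  -- Alice tries to write a row owned by bob; the insert policy's `with check`
  -- rejects it with "new row violates row-level security policy".
  insert into public.notes (owner_id, body)
    values ('22222222-2222-2222-2222-222222222222', 'forged');
rollback;
```

Run the whole file in a transaction as above and read the three results in order: the anon count, alice's visible rows, and the error on the forged insert. Repeat the `set_config` step with the second user's `sub` to confirm the policies are symmetric. If a new table is added later without the `enable row level security` step, the first query is the one that will start returning rows, which is why every migration that creates a table in `public` should include it.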
- ✅ TLS 1.3 encryption in transit
- ✅ AES-256 encryption at rest (Supabase)
- ✅ Row Level Security (RLS) policies
- ✅ CSRF protection for mutations via Supabase
- ✅ Security headers (CSP, HSTS, X-Frame-Options)
- ✅ Input validation (Zod + Supabase types)
- ✅ httpOnly session cookies
- ✅ Rate limiting on Auth endpoints (Supabase managed)
Subscribe to security advisories:
- GitHub Security Advisories: Watch this repo
- Release notes: Check for `[SECURITY]` tags