| Version | Supported |
|---|---|
| 5.16.x | ✅ |
| < 5.0 | ❌ |
AxeCode Backend implements several custom security layers beyond basic Strapi permissions:
We use a strategy pattern to decide who may access uploaded files. A strategy is registered at bootstrap for each relevant content type (for example `api::lesson.lesson`), and the strategy for a file's content type is looked up when the file is requested.
- Lesson Strategy: validates the ownership chain (Lesson -> Week -> Course -> Enrollment/Owner) before granting access.
Database calls are intercepted so that files attached to a user can only be managed by that user or by a super-admin.
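The two layers above, as an added example that is not AxeCode's own code: a small registry keyed by Strapi content-type UID, one lesson strategy that walks the Lesson -> Week -> Course chain over constructed in-memory rows, and a single entry point that also enforces the owner-or-super-admin rule for files attached directly to a user. The function names, the in-memory `db`, and the shape of `file.related` are assumptions for this illustration; `plugin::users-permissions.user` is the UID Strapi's users-permissions plugin uses for its user type.

```javascript
// Added example (not AxeCode's own code): a minimal strategy registry for
// deciding whether a user may access a file attached to a content-type entry.
// registerStrategy, canAccessFile, the in-memory "db" and the shape of
// file.related are assumptions made for this illustration.

const strategies = new Map(); // content-type UID -> strategy(user, entryId)

// Register a strategy for a content-type UID, e.g. "api::lesson.lesson".
function registerStrategy(uid, strategy) {
  strategies.set(uid, strategy);
}

// Constructed sample rows standing in for database tables.
const db = {
  lessons: { 1: { id: 1, week: 10 } },
  weeks: { 10: { id: 10, course: 100 } },
  courses: { 100: { id: 100, owner: 'u-teacher', enrolled: ['u-student'] } },
};

// Lesson strategy: walk the ownership chain Lesson -> Week -> Course and allow
// the course owner or an enrolled user. Any missing link denies (fail closed).
function lessonStrategy(user, entryId) {
  const lesson = db.lessons[entryId];
  const week = lesson && db.weeks[lesson.week];
  const course = week && db.courses[week.course];
  if (!course) return false;
  return course.owner === user.id || course.enrolled.includes(user.id);
}

registerStrategy('api::lesson.lesson', lessonStrategy);

// Decide access for a file. file.related says what the file is attached to:
// { uid, id } where uid is a content-type UID and id the entry (or user) id.
function canAccessFile(user, file) {
  if (user.isSuperAdmin) return true;
  const rel = file.related;
  if (rel.uid === 'plugin::users-permissions.user') {
    // Files attached to a user are only manageable by that user (or super-admin).
    return rel.id === user.id;
  }
  const strategy = strategies.get(rel.uid);
  // Unknown content type: deny rather than fall through to an implicit allow.
  if (!strategy) return false;
  return strategy(user, rel.id);
}
```

The important design choice is the default branch: a content type with no registered strategy is denied, so adding a new upload-bearing content type without a strategy cannot silently expose its files.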
Users are authenticated via HTTP-only cookies, which keep the session token out of reach of page scripts and so mitigate XSS-based token theft.
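What the HTTP-only cookie layer looks like on the wire, as an added example rather than AxeCode's own code: one function builds the `Set-Cookie` value with the attributes that matter (HttpOnly, Secure, SameSite), one reads the token back out of a request `Cookie` header, and one checks an arbitrary `Set-Cookie` value for those attributes so a reviewer can verify a deployment. The function names and the cookie name `jwt` are assumptions for this illustration.

```javascript
// Added example (not AxeCode's own code): issuing the session token in an
// HttpOnly cookie and reading it back on the server. buildAuthCookie,
// tokenFromCookieHeader, cookieIsHardened and the cookie name "jwt" are
// assumptions for this illustration.

const COOKIE_NAME = 'jwt';

// Build the Set-Cookie header value. HttpOnly keeps the token out of
// document.cookie, so script injected via XSS cannot read it; Secure and
// SameSite limit where and over what transport the browser will send it.
function buildAuthCookie(token, { maxAgeSeconds = 7 * 24 * 3600, secure = true } = {}) {
  // Reject characters that would let a value smuggle in extra attributes.
  if (!/^[A-Za-z0-9._-]+$/.test(token)) {
    throw new Error('token contains characters not allowed in a cookie value');
  }
  const parts = [
    `${COOKIE_NAME}=${token}`,
    'HttpOnly',
    'SameSite=Strict',
    'Path=/',
    `Max-Age=${maxAgeSeconds}`,
  ];
  if (secure) parts.push('Secure');
  return parts.join('; ');
}

// Parse a request Cookie header and return the token, or null if absent.
function tokenFromCookieHeader(cookieHeader) {
  if (!cookieHeader) return null;
  for (const pair of cookieHeader.split(';')) {
    const idx = pair.indexOf('=');
    if (idx === -1) continue;
    const name = pair.slice(0, idx).trim();
    if (name === COOKIE_NAME) return decodeURIComponent(pair.slice(idx + 1).trim());
  }
  return null;
}

// Check any Set-Cookie value for the attributes that matter for token theft.
function cookieIsHardened(setCookieValue) {
  const attrs = setCookieValue.split(';').map((s) => s.trim().toLowerCase());
  return (
    attrs.includes('httponly') &&
    attrs.includes('secure') &&
    attrs.some((a) => a.startsWith('samesite='))
  );
}
```

`cookieIsHardened` is the check worth keeping around: it flags a cookie issued with `secure: false` (or one that lost its HttpOnly flag in a refactor) before it reaches a browser.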
Please do not report security vulnerabilities through public GitHub issues.
Instead, please send an email to mohamedeleskanderwow@gmail.com.
Please include:
- A description of the vulnerability.
- Steps to reproduce the issue.
- Potential impact.
We will acknowledge your report within 48 hours.