
Security: nyuchi/nhimbe

SECURITY.md

Security Policy

Supported Versions

Version           Supported
Latest on main    Yes
Older releases    No

Reporting a Vulnerability

Do not open a public GitHub issue for security vulnerabilities.

Instead, please report security issues by emailing security@nyuchi.com with:

  1. Description of the vulnerability
  2. Steps to reproduce
  3. Potential impact
  4. Suggested fix (if any)

We will acknowledge receipt within 48 hours and provide a detailed response within 5 business days. We will work with you to understand the issue and coordinate a fix before any public disclosure.

Security Measures

nhimbe implements the following security controls:

Authentication & Authorization

  • JWT validation via WorkOS JWKS (issuer + audience + signature + expiry checks; no API secrets stored in client)
  • Timing-safe API key comparison to prevent timing attacks
  • Suspended user enforcement (403 on all authenticated routes)
  • writeAuth middleware for all mutating operations (origin check + API key)
  • Role-based access control (user, moderator, admin, super_admin)

Input Validation & Sanitization

  • AI safety middleware with prompt injection detection on all AI routes
  • Input length enforcement and content sanitization
  • All database access via PostgREST (supabaseFetch()) with typed query params — no raw SQL string concatenation in the worker
  • File upload validation (type whitelist, 10MB size limit)

Transport & Headers

  • HTTPS enforced via HSTS (max-age=63072000, includeSubDomains, preload)
  • X-Content-Type-Options: nosniff
  • X-Frame-Options: DENY (clickjacking protection)
  • Referrer-Policy: strict-origin-when-cross-origin
  • Permissions-Policy: camera=(), microphone=(), geolocation=()
  • CORS restricted to trusted domains (nyuchi.com, mukoko.com, nhimbe.com)

Data Protection

  • Soft deletes with PII anonymization on account deletion
  • Audit logging for all destructive operations
  • No error details leaked in production responses (generic error + request ID)
  • Environment validation on startup (missing bindings logged as errors)

Payments

  • Paynow webhook signature verification (HMAC-SHA512, timing-safe comparison)
  • Payment secrets stored via Cloudflare wrangler secret put (not in code or config)

Resilience

  • Rate limiting on all API endpoints (100 req/min)
  • Circuit breaker pattern for external service calls (Vectorize, Workers AI, R2, Supabase REST — opens after 5 transient failures, 30s cooldown, surfaces as HTTP 503)
  • Request timeout handling
  • Capacity-gate logic prevents over-registration; counter columns are flagged for migration to Postgres functions when concurrency demands stricter atomicity
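
The circuit breaker parameters listed above (5 transient failures, 30s cooldown, HTTP 503) can be sketched as a small state machine. This is an added example, not code from the nhimbe repository: the class and function names, the `err.transient` flag, and the behaviour after the cooldown (trial calls allowed, one further failure reopens the circuit) are assumptions.

```javascript
// Added example: names below are hypothetical, not taken from the nhimbe code base.
const FAILURE_THRESHOLD = 5; // policy: opens after 5 transient failures
const COOLDOWN_MS = 30000;   // policy: 30s cooldown

class CircuitBreaker {
  constructor(threshold = FAILURE_THRESHOLD, cooldownMs = COOLDOWN_MS) {
    this.threshold = threshold;
    this.cooldownMs = cooldownMs;
    this.failures = 0;     // transient failures since the last success
    this.openedAt = null;  // ms timestamp when the circuit opened; null while closed
  }

  // May a call go out at time `now` (ms)?
  allow(now) {
    if (this.openedAt === null) return true;
    // Assumption: after the cooldown, trial calls are let through again.
    return now - this.openedAt >= this.cooldownMs;
  }

  recordSuccess() {
    this.failures = 0;
    this.openedAt = null;
  }

  // Call only for transient failures (e.g. timeouts, upstream 5xx).
  recordFailure(now) {
    this.failures += 1;
    if (this.failures >= this.threshold) this.openedAt = now;
  }
}

// Wraps one upstream call and maps breaker state to an HTTP-style result.
// Assumption: transient errors carry `err.transient === true`.
async function guarded(breaker, upstream, now = Date.now()) {
  if (!breaker.allow(now)) {
    return { status: 503, error: "service unavailable" }; // fail fast, no upstream call
  }
  try {
    const data = await upstream();
    breaker.recordSuccess();
    return { status: 200, data };
  } catch (err) {
    if (!err || err.transient !== true) throw err; // not the breaker's concern
    breaker.recordFailure(now);
    return { status: 503, error: "service unavailable" };
  }
}
```

Passing `now` explicitly keeps the cooldown logic testable without waiting 30 seconds; the 503 body stays generic, in line with the policy's rule against leaking error details.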

Dependency Management

  • Dependencies are audited regularly with npm audit
  • Security patches are applied promptly
  • Worker dependencies: 0 known vulnerabilities
  • Frontend dependencies: monitored via Dependabot

Scope

The following are in scope for security reports:

  • Authentication and authorization bypasses
  • Injection vulnerabilities (SQL, XSS, prompt injection)
  • Data exposure or leakage
  • CORS misconfigurations
  • Payment processing vulnerabilities
  • Rate limiting bypasses

Out of scope:

  • Denial of service (handled by Cloudflare)
  • Social engineering
  • Issues in third-party services (WorkOS, Supabase, Cloudflare, Vercel)

There aren't any published security advisories