Version: 1.0.0 | Updated: 2025-12-16
| Version | Supported |
|---|---|
| 0.1.x | Yes |
| < 0.1 | No |
Do NOT open a public GitHub issue for security vulnerabilities.
Email: security@scs-technik.de
Include in your report:
- Description of the vulnerability
- Steps to reproduce
- Potential impact
- Suggested fix (if any)
| Action | Timeframe |
|---|---|
| Acknowledgment | 48 hours |
| Initial assessment | 7 days |
| Fix for critical issues | 14 days |
| Fix for non-critical issues | 30 days |
- We acknowledge receipt within 48 hours
- We investigate and assess severity
- We develop and test a fix
- We release the fix and credit you (if desired)
- JWT-based authentication (access + refresh tokens)
- bcrypt password hashing (cost factor 12)
- Rate limiting on auth endpoints
- Session invalidation on logout
- Role-based access control (root, admin, employee)
- Row Level Security (RLS) for tenant isolation
- Endpoint-level permission checks
- All data encrypted in transit (HTTPS)
- PostgreSQL with RLS policies
- Tenant isolation at database level
- Sensitive data never logged
- Zod schema validation on all inputs
- Parameterized queries ($1, $2, $3) - no SQL injection
- Content-Type enforcement
- Request size limits
- Helmet.js security headers
- Strict CORS policy
- CSRF protection
- XSS prevention
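The token flow described above (access + refresh tokens, session invalidation on logout, endpoint-level role checks), as an added example that is not the project's code: HS256 tokens signed with Node's `crypto` module, a logout that revokes the refresh token's `jti`, refresh-token rotation, and a role check an endpoint would call. The names (`Claims`, `SessionStore`, `issuePair`, `authorize`), the 15 minute / 7 day lifetimes and the in-memory revocation set are assumptions for illustration; the project's real implementation and its bcrypt password hashing (cost factor 12) are not shown here.

```typescript
// Added example, not project code. Names, lifetimes and the in-memory
// revocation set are assumptions for illustration.
import { createHmac, randomUUID, timingSafeEqual } from "node:crypto";

export type Role = "root" | "admin" | "employee";
export interface Claims {
  sub: string;          // user id
  tenant_id: string;    // tenant the session belongs to
  role: Role;
  typ: "access" | "refresh";
  jti: string;          // unique token id, used for revocation
  iat: number;          // seconds since epoch
  exp: number;
}

export const ACCESS_TTL = 15 * 60;          // assumption: 15 minutes
export const REFRESH_TTL = 7 * 24 * 3600;   // assumption: 7 days

const enc = (obj: unknown) => Buffer.from(JSON.stringify(obj)).toString("base64url");

export function sign(claims: Claims, secret: string): string {
  const head = enc({ alg: "HS256", typ: "JWT" });
  const body = enc(claims);
  const sig = createHmac("sha256", secret).update(`${head}.${body}`).digest("base64url");
  return `${head}.${body}.${sig}`;
}

// Returns the claims only if signature, algorithm and expiry all check out.
export function verify(token: string, secret: string, now: number): Claims | null {
  const parts = token.split(".");
  if (parts.length !== 3) return null;
  const [head, body, sig] = parts;
  const expected = createHmac("sha256", secret).update(`${head}.${body}`).digest();
  const given = Buffer.from(sig, "base64url");
  // Length check first: timingSafeEqual throws on differing lengths.
  if (given.length !== expected.length || !timingSafeEqual(given, expected)) return null;
  try {
    const header = JSON.parse(Buffer.from(head, "base64url").toString("utf8"));
    if (header.alg !== "HS256") return null; // no "none" / algorithm confusion
    const claims = JSON.parse(Buffer.from(body, "base64url").toString("utf8")) as Claims;
    if (typeof claims.exp !== "number" || claims.exp <= now) return null;
    return claims;
  } catch {
    return null;
  }
}

export class SessionStore {
  private readonly secret: string;
  private revokedRefresh = new Set<string>(); // in production: database or shared cache
  constructor(secret: string) { this.secret = secret; }

  issuePair(sub: string, tenant_id: string, role: Role, now: number) {
    const base = { sub, tenant_id, role, iat: now };
    const access = sign({ ...base, typ: "access", jti: randomUUID(), exp: now + ACCESS_TTL }, this.secret);
    const refresh = sign({ ...base, typ: "refresh", jti: randomUUID(), exp: now + REFRESH_TTL }, this.secret);
    return { access, refresh };
  }

  // Logout: blacklist the refresh token's jti so the session cannot be renewed.
  logout(refreshToken: string, now: number): boolean {
    const c = verify(refreshToken, this.secret, now);
    if (!c || c.typ !== "refresh") return false;
    this.revokedRefresh.add(c.jti);
    return true;
  }

  // Rotation: the presented refresh token is consumed and a new pair issued.
  // Revoked, expired, tampered or wrong-type tokens are refused.
  refresh(refreshToken: string, now: number) {
    const c = verify(refreshToken, this.secret, now);
    if (!c || c.typ !== "refresh" || this.revokedRefresh.has(c.jti)) return null;
    this.revokedRefresh.add(c.jti);
    return this.issuePair(c.sub, c.tenant_id, c.role, now);
  }
}

// Endpoint-level check: a valid *access* token whose role is in the allowed list.
// A refresh token presented as a bearer token is rejected even though it is signed.
export function authorize(token: string, secret: string, allowed: Role[], now: number): Claims | null {
  const c = verify(token, secret, now);
  if (!c || c.typ !== "access" || !allowed.includes(c.role)) return null;
  return c;
}
```

With more than one API process, the revocation set has to live in the database or a shared cache; an in-memory `Set` only invalidates sessions on the process that handled the logout.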
Each tenant's data is isolated via:
- `tenant_id` column on all tenant-specific tables
- PostgreSQL RLS policies
- Application-level checks
Critical: Never bypass RLS or expose cross-tenant data.
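Added example (not the project's code) for two of the points above, parameterized queries and tenant isolation: a deliberately unsafe string-built query next to the `$1, $2` form, and a helper that pins the tenant for the duration of a transaction so an RLS policy can read it. `RecordingClient` is a constructed stand-in for a pg client that only records what would be sent to the server; the `employees` table, the `app.current_tenant` setting and the policy text are assumptions for illustration.

```typescript
// Added example, not project code. RecordingClient is a constructed stand-in
// for a database client; table, setting name and policy are assumptions.

export interface SentQuery { text: string; values: unknown[] }

export class RecordingClient {
  sent: SentQuery[] = [];
  query(text: string, values: unknown[] = []): SentQuery {
    const q = { text, values };
    this.sent.push(q);
    return q;
  }
}

// RLS policy this pattern relies on (applied once by a migration, shown for reference).
// FORCE makes the policy apply to the table owner too. If the setting is absent,
// current_setting(..., true) yields NULL, the comparison is NULL and no rows are
// visible: the safe default.
export const TENANT_POLICY_SQL = `
ALTER TABLE employees ENABLE ROW LEVEL SECURITY;
ALTER TABLE employees FORCE ROW LEVEL SECURITY;
CREATE POLICY tenant_isolation ON employees
  USING (tenant_id = current_setting('app.current_tenant', true)::uuid);
`;

const UUID_RE = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;

// VULNERABLE (do not copy): the caller's strings become part of the SQL text,
// so a value like  x' OR '1'='1  changes the statement itself.
export function findEmployeeUnsafe(db: RecordingClient, tenantId: string, email: string): SentQuery {
  return db.query(
    `SELECT id, email FROM employees WHERE tenant_id = '${tenantId}' AND email = '${email}'`
  );
}

// HARDENED: the SQL text is a constant; values travel separately as $1/$2 and
// can never change the statement's shape.
export function findEmployee(db: RecordingClient, tenantId: string, email: string): SentQuery {
  return db.query(
    "SELECT id, email FROM employees WHERE tenant_id = $1 AND email = $2",
    [tenantId, email]
  );
}

// Runs fn inside a transaction whose tenant setting is pinned to the tenant taken
// from the authenticated session (never from the request body). SET LOCAL cannot
// take a bind parameter, so set_config(name, value, true) is used instead; with
// is_local = true the value is transaction-scoped and resets at COMMIT/ROLLBACK.
export function withTenant<T>(db: RecordingClient, tenantId: string, fn: (db: RecordingClient) => T): T {
  if (!UUID_RE.test(tenantId)) throw new Error("tenant_id must be a UUID from the session, not free text");
  db.query("BEGIN");
  try {
    db.query("SELECT set_config('app.current_tenant', $1, true)", [tenantId]);
    const result = fn(db);
    db.query("COMMIT");
    return result;
  } catch (err) {
    db.query("ROLLBACK");
    throw err;
  }
}
```

The application-level checks in the list above still matter: RLS stops cross-tenant reads when a query forgets the `tenant_id` filter, but the tenant must be pinned on every connection, including background jobs and migrations, or the policy denies everything (or, without FORCE, the owner role bypasses it).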
- UUIDv7 filenames (no user input in paths)
- File type validation
- Size limits enforced
- Stored outside web root
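The upload handling listed above, as an added example that is not the project's code: a UUIDv7 generator for storage names (RFC 9562 layout: 48-bit millisecond timestamp, version 7, RFC 4122 variant, 74 random bits), a leading-bytes check that decides the file type instead of trusting the client's extension or `Content-Type`, a size limit, and a containment check on the final path. `MAX_UPLOAD_BYTES`, the allowed-type table and `planUpload` are assumptions; writing the bytes to disk is left to the caller.

```typescript
// Added example, not project code. The limit, the allowed-type table and the
// function names are assumptions for illustration.
import { randomBytes } from "node:crypto";
import * as path from "node:path";

export const MAX_UPLOAD_BYTES = 10 * 1024 * 1024; // assumption: 10 MiB

// UUIDv7: bytes 0-5 = big-endian ms timestamp, then version/variant bits, rest random.
// Time-ordered, so storage names sort by upload time without leaking user input.
export function uuidv7(nowMs: number = Date.now()): string {
  const b = randomBytes(16);
  let t = nowMs;                                  // < 2^48, exact in a double
  for (let i = 5; i >= 0; i--) { b[i] = t % 256; t = Math.floor(t / 256); }
  b[6] = (b[6] & 0x0f) | 0x70;                    // version 7
  b[8] = (b[8] & 0x3f) | 0x80;                    // variant 10xx
  const h = b.toString("hex");
  return `${h.slice(0, 8)}-${h.slice(8, 12)}-${h.slice(12, 16)}-${h.slice(16, 20)}-${h.slice(20)}`;
}

// File type is decided by the bytes actually received, never by the client.
const SIGNATURES: { ext: string; magic: number[] }[] = [
  { ext: "png", magic: [0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a] },
  { ext: "jpg", magic: [0xff, 0xd8, 0xff] },
  { ext: "pdf", magic: [0x25, 0x50, 0x44, 0x46] }, // "%PDF"
];

export function sniffExtension(data: Uint8Array): string | null {
  for (const s of SIGNATURES) {
    if (data.length >= s.magic.length && s.magic.every((v, i) => data[i] === v)) return s.ext;
  }
  return null;
}

// Resolves name under root and refuses anything that would land outside it.
// With UUID names this cannot trigger, which is exactly why it is cheap to keep.
export function containedPath(root: string, name: string): string {
  const absRoot = path.resolve(root);
  const full = path.resolve(absRoot, name);
  if (!full.startsWith(absRoot + path.sep)) throw new Error("path escapes upload root");
  return full;
}

// Validates the payload and returns where it should be written; the caller does the I/O.
export function planUpload(root: string, data: Uint8Array): { name: string; ext: string; fullPath: string } {
  if (data.length === 0 || data.length > MAX_UPLOAD_BYTES) throw new Error("upload size out of range");
  const ext = sniffExtension(data);
  if (!ext) throw new Error("unsupported file type");
  const name = `${uuidv7()}.${ext}`;   // the client's original filename never reaches the path
  return { name, ext, fullPath: containedPath(root, name) };
}
```

Enforce the size limit at the HTTP layer as well (request size limits are listed above), so an oversized body is rejected before it is buffered; the check here is the last line of defence, not the first.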
- All endpoints require authentication (except /health, /login)
- Rate limiting per IP and per user
- Request logging for audit trail
```bash
# Check for vulnerabilities
pnpm audit
# Update dependencies
pnpm update
```
We monitor dependencies via GitHub Dependabot.
Before submitting code:
- No hardcoded secrets or credentials
- SQL uses parameterized queries ($1, $2, $3)
- User input validated with Zod
- Tenant isolation maintained
- No sensitive data in logs
- File paths sanitized
- Error messages don't leak internals
- CODE-OF-CONDUCT.md - Development standards
- TYPESCRIPT-STANDARDS.md - Code standards
- DATABASE-MIGRATION-GUIDE.md - RLS documentation
Security is everyone's responsibility.