We take the security of StudentSathi seriously. If you discover a security vulnerability, please follow these steps:

DO NOT open a public issue for security vulnerabilities. Instead:

1. Email: Send details to [[email protected]]
2. Subject: Include "SECURITY" in the subject line
3. Details: Provide:
   • Description of the vulnerability
   • Steps to reproduce
   • Potential impact
   • Suggested fix (if any)

• Initial Response: Within 48 hours
• Status Update: Within 7 days
• Fix Timeline: Depends on severity
  • Critical: 1-7 days
  • High: 7-14 days
  • Medium: 14-30 days
  • Low: 30-90 days

When deploying StudentSathi:

• ✅ NEVER commit .env files
• ✅ Use strong, unique values for JWT_SECRET and ENCRYPTION_KEY
• ✅ Change default credentials in production
• ✅ Use environment-specific variables

• ✅ Use Supabase connection pooling
• ✅ Enable Row Level Security (RLS) in Supabase
• ✅ Use strong database passwords
• ✅ Restrict database access by IP if possible
• ✅ Regular backups

• ✅ Enable HTTPS in production
• ✅ Use HttpOnly cookies for tokens
• ✅ Implement rate limiting
• ✅ Use strong password policies
• ✅ Enable 2FA for admin accounts (if implemented)

• ✅ Validate all inputs
• ✅ Use CORS properly
• ✅ Implement rate limiting
• ✅ Keep dependencies updated
• ✅ Use Helmet.js for security headers

• ✅ Use HTTPS/TLS certificates
• ✅ Enable security headers
• ✅ Keep Node.js and dependencies updated
• ✅ Use environment variables for secrets
• ✅ Implement logging and monitoring

• JWT-based authentication with refresh tokens
• Password hashing with bcrypt
• HttpOnly cookies for token storage
• Role-based access control (RBAC)
• SQL injection prevention via Prisma
• XSS protection
• CORS configuration
• Rate limiting
• Input validation with Zod

• Two-factor authentication (2FA)
• Session management improvements
• Advanced audit logging
• IP whitelisting
• API key rotation
• Security headers enhancement

Before deploying to production:

• All .env files are in .gitignore
• Strong, unique JWT_SECRET set (min 32 characters)
• Strong, unique ENCRYPTION_KEY set (32 characters)
• Database credentials are secure
• HTTPS is enabled
• CORS is properly configured
• Rate limiting is enabled
• Security headers are set
• Dependencies are up to date
• Backup strategy is in place
• Monitoring is enabled
• Error messages don't leak sensitive info

1. Password Reset: Implement token expiration (currently set to 1 hour)
2. Rate Limiting: Adjust limits based on your use case
3. Session Management: Implement session revocation
4. File Uploads: Validate and sanitize if implementing file uploads
5. HTTPS: Required for production - sensitive data in transit

• OWASP Top 10
• Node.js Security Best Practices
• Supabase Security
• JWT Security Best Practices

We appreciate security researchers who responsibly disclose vulnerabilities. Contributors will be acknowledged (with permission) in our security advisories.

Last Updated: December 31, 2025