Currently supported versions of Zone01 Admin Dashboard:
| Version | Supported | Status |
|---|---|---|
| 2.x.x | ✅ Yes | Current (Stack Auth) |
| 1.x.x | Legacy (NextAuth v5) | |
| < 1.0 | ❌ No | Deprecated |
We take security seriously. If you discover a security vulnerability, please follow these steps:
Security vulnerabilities should not be disclosed publicly until they have been addressed.
Send a detailed report to: maximedubs@proton.me
Include:
- Description of the vulnerability
- Steps to reproduce
- Potential impact
- Suggested fix (if any)
- Your contact information
- Initial Response: Within 48 hours
- Assessment: Within 1 week
- Fix Timeline: Depends on severity
- Critical: 24-48 hours
- High: 1 week
- Medium: 2-4 weeks
- Low: Next release cycle
- We will acknowledge your report within 48 hours
- We will provide regular updates on the fix progress
- We will credit you in the security advisory (unless you prefer to remain anonymous)
- We will coordinate with you on the public disclosure timeline
When deploying and maintaining this application:
⚠️ NEVER commit.envfiles to version control- ✅ Use environment-specific variables (dev, staging, prod)
- ✅ Rotate secrets regularly (every 90 days recommended)
- ✅ Use strong, randomly generated secrets (32+ characters)
- ✅ Limit access to production environment variables
- ✅ Stack Auth handles OAuth securely
- ✅ Sessions are stored in HTTP-only cookies
- ✅ JWT tokens are validated on every request
⚠️ Regularly review user roles and permissions⚠️ Implement rate limiting on authentication endpoints
- ✅ Use SSL/TLS connections (enforced by Neon)
- ✅ Apply principle of least privilege for DB users
- ✅ Regular backups (automated by Neon)
⚠️ Sanitize all user inputs⚠️ Use parameterized queries (enforced by Drizzle ORM)
- ✅ CORS configured appropriately
- ✅ Rate limiting on sensitive endpoints
- ✅ Input validation with Zod schemas
- ✅ CSRF protection (Next.js built-in)
⚠️ Monitor API usage and anomalies
- ✅ Regularly update dependencies:
pnpm update - ✅ Monitor security advisories: GitHub Dependabot
- ✅ Review CVEs before updating
⚠️ Audit dependencies:pnpm audit
-
Stack Auth Integration
- OAuth tokens managed by Stack Auth
- Server-side session validation
- Automatic token refresh
-
Database Access
- Connection pooling via Neon
- SSL enforced
- No direct DB exposure
-
API Routes
- Protected by authentication middleware
- Rate limiting via Vercel
- Input validation
-
Cron Job Security
- Protected by
CRON_SECRETheader - Consider IP whitelisting for production
- Protected by
-
Zone01 API Token
- Stored as environment variable
- Rotate if compromised
- Monitor usage
If you believe you've found evidence of a security breach:
-
Immediate Actions
- Change all passwords and secrets
- Revoke compromised API tokens
- Review access logs
- Notify affected users
-
Contact
- Email: maximedubs@proton.me
- Include: Timeline, affected systems, potential impact
-
Post-Incident
- Document the incident
- Update security measures
- Conduct a security review
We appreciate responsible disclosure. Contributors who report valid security issues will be credited here:
No vulnerabilities reported yet. Be the first!
This security policy may be updated. Check the git history for changes:
git log -- SECURITY.mdLast updated: 2025-01-19
🔒 Security is everyone's responsibility
Report issues responsibly • Keep secrets secret • Stay updated