| Version | Supported |
|---|---|
| 1.0.x | ✅ |
- JWT-based authentication with secure token generation
- Rate limiting on API endpoints (100 requests/15min)
- Enhanced rate limiting for trading endpoints (10 requests/min)
- Token expiration (24 hours)
- Comprehensive input validation using Zod schemas
- XSS protection through input sanitization
- SQL injection prevention through parameterized queries
- File upload restrictions and validation
- Content Security Policy (CSP)
- X-Content-Type-Options: nosniff
- X-Frame-Options: DENY
- X-XSS-Protection: 1; mode=block
- Strict Transport Security (HSTS) in production
- Referrer Policy: strict-origin-when-cross-origin
- Whitelist-based origin validation
- Secure credential handling
- Preflight request support
- Required environment variables validation
- No hardcoded secrets in codebase
- Separate development/production configurations
- Structured logging with different levels
- Error tracking and monitoring
- Request/response logging for audit trails
CRITICAL: Never commit sensitive data to version control!
-
Use
.envfiles for local development:# Copy the example file cp .env.example .env # Edit .env with your actual values nano .env
-
Required environment variables:
# Database Configuration DATABASE_URL=postgresql://user:password@localhost:5432/aitradepro # Security Keys (minimum 32 characters) JWT_SECRET=your-super-secure-jwt-secret-key-change-this-in-production SESSION_SECRET=your-session-secret-key-change-this-too # Application Configuration NODE_ENV=production PORT=5000 LOG_LEVEL=INFO
-
Best practices for secrets:
- Use strong, randomly generated secrets (minimum 32 characters)
- Use different secrets for development and production
- Rotate secrets periodically (every 90 days recommended)
- Never share secrets via email, chat, or documentation
- Use a secure password manager for team secret sharing
- ✅ DO: Keep
.envin.gitignore(already configured) - ✅ DO: Use
.env.exampleas a template with dummy values - ✅ DO: Document all required variables in README.md
- ✅ DO: Use environment-specific files (
.env.production,.env.development) - ❌ DON'T: Commit
.envfiles to version control - ❌ DON'T: Include real secrets in code comments or documentation
- ❌ DON'T: Log sensitive environment variables
- ❌ DON'T: Expose environment variables in error messages
For production environments, use secure secret management:
- Cloud Providers: Use AWS Secrets Manager, Azure Key Vault, or Google Secret Manager
- Container Orchestration: Use Kubernetes Secrets or Docker Secrets
- CI/CD Platforms: Use GitHub Secrets, GitLab CI/CD Variables, etc.
- Environment Variables: Set directly in hosting platform (Heroku, Vercel, etc.)
We use multiple tools to ensure dependency security:
- npm audit: Built-in vulnerability scanner
- audit-ci: CI-friendly audit tool with configurable thresholds
- GitHub Dependabot: Automated dependency updates and security alerts
# Run basic npm audit
npm audit
# Run audit with production dependencies only
npm audit --production
# Run audit with CI configuration
npm run audit
# Attempt automatic fixes
npm audit fix
# Force fixes (may include breaking changes)
npm audit fix --forceOur audit-ci.json configuration:
{
"moderate": true,
"high": true,
"critical": true,
"allowlist": []
}This configuration:
- Fails on moderate, high, and critical vulnerabilities
- Allows you to allowlist specific advisories (use sparingly)
- Runs automatically in CI/CD pipeline
When vulnerabilities are detected:
-
Assess Severity:
- Critical: Drop everything and fix immediately
- High: Fix within 24-48 hours
- Moderate: Fix within 1 week
- Low: Fix when convenient or with next dependency update
-
Understand the Vulnerability:
# Get detailed information npm audit # Check specific package npm audit --json | jq '.vulnerabilities.PACKAGE_NAME'
-
Fix Process:
Option A - Automatic Fix:
npm audit fix
Option B - Manual Update:
# Update specific package npm update package-name # Update to specific version npm install package-name@version
Option C - Alternative Package:
- Research alternative packages
- Evaluate security, maintenance, and features
- Replace the vulnerable dependency
-
Testing After Fixes:
# Run all tests npm run test:run # Run linting npm run lint # Build the project npm run build # Test in development npm run dev
-
Document Exceptions:
If a vulnerability cannot be fixed immediately:
- Document the reason in your PR or issue
- Add to allowlist in
audit-ci.jsonwith justification - Create a follow-up issue to track
- Set a reminder to revisit
Example allowlist entry:
{ "allowlist": [ "GHSA-xxxx-xxxx-xxxx" // Waiting for upstream fix, low impact ] }
Our CI pipeline automatically:
- Runs
npm auditduring lint_typecheck job - Fails the build on moderate+ vulnerabilities
- Reports security issues in PR checks
- Blocks merge if security checks fail
Handling CI Security Failures:
# Reproduce locally
npm run audit
# Fix vulnerabilities
npm audit fix
# Verify fix
npm run audit
# Commit and push
git add package*.json
git commit -m "fix: resolve security vulnerabilities"
git pushDependabot automatically:
- Scans dependencies daily
- Creates PRs for security updates
- Creates PRs for version updates (if configured)
- Provides detailed security advisories
Responding to Dependabot PRs:
- Review the PR description and changelog
- Check for breaking changes
- Test locally if needed
- Approve and merge if safe
- Close and document if not applicable
-
Before Adding Dependencies:
# Check package health npm view package-name # Check for known vulnerabilities npm install package-name npm audit
-
Regular Maintenance:
- Run
npm auditweekly - Review Dependabot PRs within 48 hours
- Update dependencies monthly
- Monitor security advisories
- Run
-
Development Practices:
- Minimize dependencies
- Prefer well-maintained packages
- Check package licenses
- Review package source code for critical dependencies
graph TD
A[Dependency Change] --> B[Local npm audit]
B --> C{Vulnerabilities?}
C -->|Yes| D[Attempt npm audit fix]
C -->|No| H[Commit Changes]
D --> E{Fixed?}
E -->|Yes| F[Test Thoroughly]
E -->|No| G[Manual Update/Replace]
G --> F
F --> H
H --> I[Push to GitHub]
I --> J[CI Security Check]
J --> K{Passed?}
K -->|Yes| L[Merge Approved]
K -->|No| M[Fix and Retry]
M --> B
Before submitting a PR:
- No sensitive data (API keys, passwords, tokens) in code
- Environment variables used for all secrets
-
.envfile not committed -
npm auditpasses with no critical/high vulnerabilities - New dependencies scanned for vulnerabilities
- Security-related changes reviewed for best practices
- No credentials in logs or error messages
- Input validation implemented for new endpoints
- SQL queries use parameterized statements
- XSS prevention in place for user input
If you discover a security vulnerability, please follow these steps:
- Do not create a public GitHub issue for the vulnerability
- Email security details to: [security@yourcompany.com] (replace with actual email)
- Include as much detail as possible:
- Description of the vulnerability
- Steps to reproduce
- Potential impact
- Suggested fix (if any)
- Set strong, unique JWT_SECRET in production
- Use secure database credentials
- Configure proper LOG_LEVEL for production
- Set secure SESSION_SECRET
- Use connection pooling with proper limits
- Enable database-level encryption
- Regular backups with encryption
- Principle of least privilege for database users
- Use HTTPS in production
- Configure proper firewall rules
- Use secure WebSocket connections (WSS)
- Consider using a reverse proxy (nginx, etc.)
- Set up log aggregation and monitoring
- Configure alerts for suspicious activities
- Regular security audits and dependency updates
- Monitor for failed authentication attempts
- Keep dependencies updated
- Regular security audits using
npm audit - Code reviews for security issues
- Automated security testing in CI/CD