This repository was archived by the owner on May 5, 2026. It is now read-only.

Security: OpenSIN-AI/A2A-SIN-Box-Storage


Security Policy

Supported Versions

| Version | Supported |
|---------|-----------|
| 1.x     | Yes       |

Reporting a Vulnerability

Please report vulnerabilities to security@opensin.ai. You will receive a response within 24 hours.

Security Best Practices

  1. Never commit .env - supply all secrets via environment variables
  2. Use HTTPS - all Box.com API calls use TLS 1.2+
  3. API Token Rotation - rotate Box Developer Tokens quarterly
  4. Least Privilege - Box app scopes are limited to files.content.read, files.content.write and folders.read
  5. Rate Limiting - the service enforces 100 requests/min per client IP
  6. Input Validation - every upload is validated for file size (<2GB), MIME type and extension

Known Security Considerations

  • The Box.com API token is read from the BOX_DEVELOPER_TOKEN environment variable - treat it as a secret
  • Public folder access is read-only for unauthenticated users
  • The upload endpoint requires the X-Box-Storage-Key header for authentication
  • All file metadata (names, paths) is sanitized to prevent injection attacks
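The checks listed under best practices 5 and 6 and in the considerations above (header authentication, the 2GB size limit, MIME/extension validation, name sanitization and the per-IP rate limit), shown as an added example that is not the project's own code. The key value, the extension allow-list and the header normalisation are assumptions; the real service's values are not on this page.

```python
import hmac
import os
import re

# Constructed values for this example: the real key, limits and allow-list
# are not on the page and are assumed here.
EXPECTED_KEY = "example-storage-key"  # stands in for the deployed X-Box-Storage-Key
MAX_UPLOAD_BYTES = 2 * 1024**3  # page: uploads must be < 2GB
ALLOWED_TYPES = {  # extension -> expected MIME type (assumed allow-list)
    ".pdf": "application/pdf",
    ".png": "image/png",
    ".txt": "text/plain",
}
SAFE_NAME = re.compile(r"[^A-Za-z0-9._-]")


def sanitize_name(name: str) -> str:
    """Reduce a client-supplied name to a safe basename (no paths, NULs, hidden names)."""
    base = name.replace("\\", "/").rsplit("/", 1)[-1].replace("\x00", "")
    base = SAFE_NAME.sub("_", base).lstrip(".")
    return base[:255] or "upload"


def validate_upload(headers: dict, filename: str, size: int, content_type: str):
    """Return (accepted, detail): auth header first, then size, extension and MIME."""
    key = headers.get("X-Box-Storage-Key", "")  # header names assumed already normalised
    if not hmac.compare_digest(key.encode(), EXPECTED_KEY.encode()):
        return False, "missing or invalid X-Box-Storage-Key"
    if size <= 0 or size >= MAX_UPLOAD_BYTES:
        return False, "file size must be between 1 byte and 2GB"
    ext = os.path.splitext(filename.lower())[1]
    if ext not in ALLOWED_TYPES:
        return False, f"extension {ext or '(none)'} not allowed"
    if content_type.split(";")[0].strip().lower() != ALLOWED_TYPES[ext]:
        return False, "MIME type does not match extension"
    return True, sanitize_name(filename)


class PerIpRateLimiter:
    """Sliding 60-second window, 100 requests per client IP (best practice 5)."""

    def __init__(self, limit: int = 100, window: float = 60.0):
        self.limit, self.window, self._hits = limit, window, {}

    def allow(self, ip: str, now: float) -> bool:
        hits = [t for t in self._hits.get(ip, []) if now - t < self.window]
        allowed = len(hits) < self.limit
        if allowed:
            hits.append(now)
        self._hits[ip] = hits
        return allowed
```

The extension is checked on the raw name before sanitization, so a name such as `report.pdf<NUL>.exe` is rejected rather than silently renamed.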

There aren't any published security advisories