If you discover a security vulnerability in Codify, please report it responsibly:
- Email: roshansuthar1105@gmail.com
- GitHub Issues: Open a security issue
Please include:
- A detailed description of the vulnerability
- Steps to reproduce
- Potential impact
- Suggested mitigation (if any)
| Version | Supported |
|---|---|
main |
β Yes |
| others | β No |
- Uses JWT-based authentication
- Role-based access control:
Admin,Learner - OAuth integration via Google Sign-In
.envfiles must not be committed- Avoid hardcoding secrets (e.g.,
JWT_SECRET,EMAIL_PASS) - Use environment variables for:
- MongoDB URI
- Email credentials
- Google OAuth keys
- API tokens (YouTube, RapidAPI, GitHub)
- π Rotate secrets periodically
- π§ͺ Validate user input to prevent injection attacks
- π‘οΈ Use HTTPS in production
- π« Restrict CORS in production (
CLIENT_CORS=*is unsafe) - π§ Use secure email transport (e.g., OAuth2 or App Passwords)
- Keep all dependencies up-to-date
- Run
npm auditregularly - Use ESLint and Prettier for code hygiene
- Never expose
.envfiles publicly - Use secure deployment platforms with access control
- Monitor logs for suspicious activity
Maintaining security is a shared responsibility. Letβs keep Codify safe for all learners! π