We release security updates for the following versions:
| Version | Supported |
|---|---|
| 1.x | ✅ |
We take security vulnerabilities seriously. If you discover a security issue in Sunrise, please report it responsibly.
Please DO NOT open a public GitHub issue for security vulnerabilities.
Instead, report security issues privately:
- GitHub Security Advisories (preferred):
  - Go to the Security tab
  - Click "Report a vulnerability"
  - Provide detailed information about the vulnerability
Please provide as much information as possible:
- Description of the vulnerability
- Steps to reproduce the issue
- Potential impact
- Suggested fix (if you have one)
- Your contact information for follow-up
After you report, you can expect:
- Initial response: within 48 hours
- Status update: within 7 days
- Fix timeline: varies by severity (critical issues are prioritized)
When deploying Sunrise in production:
- Environment Variables:
  - Never commit `.env.local` or `.env.production` to version control
  - Use strong, randomly-generated secrets for `BETTER_AUTH_SECRET` (at least 32 bytes from a cryptographic random source; a short or human-chosen value lets an attacker forge anything signed with it)
  - Rotate secrets regularly, and immediately if a secret may have leaked
- Database:
  - Use strong database passwords
  - Restrict database access to application servers only, with network rules and not just credentials
  - Enable SSL/TLS for database connections in production, and have the client verify the server certificate rather than only encrypting the connection
- Dependencies:
  - Run `npm audit` regularly
  - Keep dependencies up to date
  - Monitor for security advisories
- Rate Limiting:
  - Configure appropriate rate limits for your use case (see `lib/security/rate-limit.ts`)
  - Use Redis for distributed rate limiting in production: in-memory counters are per process, so with several app instances each one grants the full limit on its own
- Headers & CORS:
  - Review security headers in `middleware.ts`
  - Configure CORS appropriately for your domain: allow-list exact origins rather than reflecting the request's `Origin` header
- Monitoring:
  - Enable error tracking (Sentry is pre-configured)
  - Monitor authentication logs for suspicious activity (bursts of failed logins, password resets, sessions from unfamiliar locations)
  - Set up alerts for unusual patterns
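To make the rate-limiting items above concrete, here is an added example written for this page; it is not Sunrise's own `lib/security/rate-limit.ts`, and the `RateLimiter`, `CounterStore`, `MemoryCounterStore` and `clientKey` names, along with the store contract, are assumptions of the example. It shows a fixed-window limiter with the counter store factored out, so the same decision logic runs against a per-process map in development and a shared atomic counter in production, and why the per-process store is exactly what fails once you run more than one instance.

```typescript
// Added example, not Sunrise's code. Fixed-window rate limiter with a
// pluggable counter store (names and contract are this example's own).

export interface WindowState {
  count: number;   // requests seen in the current window
  resetAt: number; // epoch milliseconds at which the window ends
}

// Store contract: bump the counter for `key` and return the new count plus the
// window expiry, atomically. A production adapter would run INCR and, only
// for a new key, PEXPIRE inside one Redis Lua script so that every app
// instance shares the same counter; that adapter is asynchronous and not
// shown here.
export interface CounterStore {
  increment(key: string, windowMs: number, now: number): WindowState;
}

// Development store. State lives in this process only: two app servers behind
// a load balancer would each grant the full limit, which is the failure mode
// the "use Redis in production" item guards against.
export class MemoryCounterStore implements CounterStore {
  private readonly windows = new Map<string, WindowState>();

  increment(key: string, windowMs: number, now: number): WindowState {
    const current = this.windows.get(key);
    if (current === undefined || current.resetAt <= now) {
      const fresh: WindowState = { count: 1, resetAt: now + windowMs };
      this.windows.set(key, fresh);
      return { ...fresh };
    }
    current.count += 1;
    return { ...current };
  }

  // Drop expired windows so the map cannot grow without bound under a flood
  // of distinct keys; run this from a timer. Returns how many were removed.
  prune(now: number): number {
    let removed = 0;
    this.windows.forEach((w, key) => {
      if (w.resetAt <= now) {
        this.windows.delete(key);
        removed += 1;
      }
    });
    return removed;
  }
}

export interface Decision {
  allowed: boolean;
  remaining: number;
  retryAfterSeconds: number; // value for a Retry-After header; 0 when allowed
}

export class RateLimiter {
  constructor(
    private readonly store: CounterStore,
    private readonly limit: number,
    private readonly windowMs: number,
    private readonly clock: () => number = Date.now,
  ) {}

  // `subject` identifies the caller: a client address for anonymous sign-in
  // attempts, an account id once authenticated. The route is part of the key
  // so that budgets for different endpoints do not interfere.
  check(route: string, subject: string): Decision {
    const now = this.clock();
    const w = this.store.increment(`${route}:${subject}`, this.windowMs, now);
    const allowed = w.count <= this.limit;
    return {
      allowed,
      remaining: Math.max(0, this.limit - w.count),
      retryAfterSeconds: allowed ? 0 : Math.ceil((w.resetAt - now) / 1000),
    };
  }
}

// Client identity for keying auth-route limits. X-Forwarded-For is attacker
// controlled unless a proxy you operate sets it, so consult it only when
// `behindTrustedProxy` is true, and then take the rightmost entry, which is
// the address that proxy itself saw. With a chain of trusted proxies you
// would strip their known addresses from the right before picking one.
export function clientKey(
  headers: Record<string, string | undefined>,
  socketAddress: string,
  behindTrustedProxy: boolean,
): string {
  const xff = headers["x-forwarded-for"];
  if (!behindTrustedProxy || xff === undefined) return socketAddress;
  const hops = xff.split(",").map((s) => s.trim()).filter((s) => s.length > 0);
  const last = hops[hops.length - 1];
  return last ?? socketAddress;
}
```

A sign-in handler would call `limiter.check("/api/auth/sign-in", clientKey(headers, socket, true))` and answer 429 with `Retry-After` when `allowed` is false. The `clock` parameter exists so the window logic can be tested without waiting for real time to pass.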
Sunrise includes these security features out of the box:
- Rate limiting on authentication endpoints
- CSRF protection via better-auth
- Secure password hashing (bcrypt via better-auth)
- Input validation with Zod (validate on the server at every trust boundary, not only in client-side forms)
- Security headers (CSP, HSTS, X-Frame-Options, etc.)
- SQL injection protection via Prisma: the query builder and the `$queryRaw` tagged template parameterize values, but `$queryRawUnsafe` and `$executeRawUnsafe` with interpolated strings do not, so avoid them or pass parameters explicitly
- XSS protection via React and input sanitization: React escapes interpolated values, but content rendered through `dangerouslySetInnerHTML` or placed into URLs and attributes still needs explicit sanitization
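The "Headers & CORS" checklist item and the security-headers feature above both come down to the same small set of response headers, so here is an added example for both; it is written for this page, is not Sunrise's `middleware.ts`, and the `securityHeaders`, `corsHeaders`, `makeNonce` and `HeaderOptions` names are assumptions of the example. It is framework-agnostic so it can be unit-tested, and it shows the two checks that most often go wrong: HSTS only in production, and CORS from an exact allow-list rather than an echoed `Origin`.

```typescript
// Added example, not Sunrise's middleware.ts. Builds the security headers
// and answers CORS requests from an explicit allow-list.
import { randomBytes } from "node:crypto";

export interface HeaderOptions {
  nonce: string;         // per-response CSP nonce; the same value goes on inline script tags
  isProduction: boolean; // HSTS is only safe once the site is served over HTTPS exclusively
  reportUri?: string;    // optional CSP violation report endpoint
}

// Fresh nonce per response; 16 random bytes, base64 (24 characters).
export function makeNonce(): string {
  return randomBytes(16).toString("base64");
}

export function securityHeaders(o: HeaderOptions): Record<string, string> {
  const directives = [
    "default-src 'self'",
    // strict-dynamic lets nonced scripts load what they need without an
    // allow-list of CDN hosts, which is the pattern a Next.js app wants.
    `script-src 'self' 'nonce-${o.nonce}' 'strict-dynamic'`,
    // Relax to 'unsafe-inline' only if a library genuinely needs it; CSS
    // injection matters far less than script injection.
    `style-src 'self' 'nonce-${o.nonce}'`,
    "img-src 'self' data: blob:",
    "font-src 'self'",
    "connect-src 'self'",
    "object-src 'none'",
    "base-uri 'self'",
    "form-action 'self'",
    "frame-ancestors 'none'", // the CSP equivalent of X-Frame-Options: DENY
  ];
  if (o.isProduction) directives.push("upgrade-insecure-requests");
  if (o.reportUri !== undefined) directives.push(`report-uri ${o.reportUri}`);

  const headers: Record<string, string> = {
    "Content-Security-Policy": directives.join("; "),
    "X-Frame-Options": "DENY",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Permissions-Policy": "camera=(), microphone=(), geolocation=()",
  };
  if (o.isProduction) {
    // Two years, all subdomains. Only add `preload` once you intend to submit
    // the domain to the browser preload list; it is hard to undo.
    headers["Strict-Transport-Security"] = "max-age=63072000; includeSubDomains; preload";
  }
  return headers;
}

// CORS: respond only to origins on the allow-list, compared exactly (a prefix
// match would admit "https://app.example.com.attacker.example"). Never echo an
// arbitrary Origin, and never combine "*" with credentials; browsers reject
// that combination anyway. Returns null when no CORS headers should be sent.
export function corsHeaders(
  requestOrigin: string | undefined,
  allowedOrigins: readonly string[],
  allowCredentials: boolean,
): Record<string, string> | null {
  if (requestOrigin === undefined || !allowedOrigins.includes(requestOrigin)) return null;
  const headers: Record<string, string> = {
    "Access-Control-Allow-Origin": requestOrigin,
    "Vary": "Origin", // caches must not serve one origin's answer to another
    "Access-Control-Allow-Methods": "GET, POST, OPTIONS",
    "Access-Control-Allow-Headers": "Content-Type, Authorization",
    "Access-Control-Max-Age": "600",
  };
  if (allowCredentials) headers["Access-Control-Allow-Credentials"] = "true";
  return headers;
}

// Wiring sketch for a Next.js middleware.ts (illustrative, not verified here):
//   const nonce = makeNonce();
//   const res = NextResponse.next({ request: { headers: requestHeadersWithNonce } });
//   for (const [k, v] of Object.entries(securityHeaders({ nonce, isProduction }))) res.headers.set(k, v);
//   const cors = corsHeaders(req.headers.get("origin") ?? undefined, ALLOWED_ORIGINS, true);
//   if (cors) for (const [k, v] of Object.entries(cors)) res.headers.set(k, v);
```

Keep the allow-list normalized (lowercase scheme and host, no trailing slash) so exact comparison against the browser-serialized `Origin` header succeeds, and answer `OPTIONS` preflights with the same `corsHeaders` result and an empty 204 body.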
We appreciate security researchers who responsibly disclose vulnerabilities. With your permission, we'll acknowledge your contribution in our release notes.