
Security: ufukkaraca/switchbot-temporary-access

SECURITY.md

Security Policy

Supported Versions

Currently supported versions with security updates:

Version Supported
2.0.x
1.0.x

Security Features

Implemented Security Measures

  • JWT Authentication - Token-based authentication with HTTP-only cookies
  • Password Hashing - bcrypt with salt rounds (10)
  • Rate Limiting - API and authentication endpoint rate limiting
  • Helmet.js - Security headers (CSP, XSS protection, etc.)
  • Input Validation - All user inputs validated
  • SQL Injection Prevention - Parameterized queries
  • HTTPS Enforcement - Secure cookies in production
  • CORS Protection - Configured CORS policies
  • Session Management - Secure token expiration

Rate Limiting

API Endpoints:

  • Window: 15 minutes
  • Max Requests: 100
  • Message: "Too many requests from this IP"

Authentication Endpoints:

  • Window: 15 minutes
  • Max Attempts: 5
  • Message: "Too many login attempts"
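The two policies above (100 requests per 15 minutes for API routes, 5 attempts per 15 minutes for login) as a fixed-window limiter keyed by client IP. This is an added example, not the project's code: `createLimiter`, the injectable `now` clock and the in-memory `Map` store are assumptions, and counters are per process, so they are not shared across instances.

```javascript
// Fixed-window rate limiter keyed by client IP (added example, not the project's code).
const WINDOW_MS = 15 * 60 * 1000; // 15-minute window from the policy above

function createLimiter({ max, message, windowMs = WINDOW_MS, now = Date.now }) {
  const hits = new Map(); // ip -> { count, windowStart }; in-memory, per process

  // Decide one request: { allowed, remaining, retryAfterSec, message }.
  function check(ip) {
    const t = now();
    let entry = hits.get(ip);
    if (!entry || t - entry.windowStart >= windowMs) {
      entry = { count: 0, windowStart: t }; // start a fresh window
      hits.set(ip, entry);
    }
    entry.count += 1;
    const allowed = entry.count <= max;
    return {
      allowed,
      remaining: Math.max(0, max - entry.count),
      retryAfterSec: allowed ? 0 : Math.ceil((entry.windowStart + windowMs - t) / 1000),
      message: allowed ? null : message,
    };
  }

  // Express-style middleware over check(). Behind Nginx/Cloudflare, set
  // app.set('trust proxy', 1) so req.ip is the client address, not the proxy.
  function middleware(req, res, next) {
    const r = check(req.ip);
    res.setHeader('X-RateLimit-Remaining', String(r.remaining));
    if (!r.allowed) {
      res.setHeader('Retry-After', String(r.retryAfterSec));
      return res.status(429).json({ error: r.message });
    }
    next();
  }

  return { check, middleware };
}

// The two limiters described in this document.
const apiLimiter = createLimiter({ max: 100, message: 'Too many requests from this IP' });
const authLimiter = createLimiter({ max: 5, message: 'Too many login attempts' });

module.exports = { createLimiter, apiLimiter, authLimiter, WINDOW_MS };
```

Mount `authLimiter.middleware` on the login route and `apiLimiter.middleware` on the API router; a shared store (for example Redis) is needed once more than one process serves traffic.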

JWT Configuration

  • Algorithm: HS256
  • Expiration: 24 hours (configurable)
  • Storage: HTTP-only cookies
  • SameSite: Strict
  • Secure: true (in production)

Reporting a Vulnerability

Please do NOT report security vulnerabilities through public GitHub issues.

Instead, report security issues by:

  1. Email: Create a private security advisory
  2. Expected response time: 48 hours
  3. We will acknowledge receipt within 48 hours
  4. We'll send a detailed response within 7 days

What to Include

When reporting a vulnerability, please include:

  • Type of vulnerability
  • Full paths of source files related to the vulnerability
  • Location of affected source code (tag/branch/commit)
  • Step-by-step instructions to reproduce the issue
  • Proof-of-concept or exploit code (if possible)
  • Impact of the issue
  • How you discovered the issue

Disclosure Policy

  • We'll confirm the vulnerability and determine its impact
  • We'll release a fix as soon as possible
  • We'll publicly disclose the vulnerability after a fix is available
  • We'll credit you in the security advisory (unless you prefer anonymity)

Security Best Practices

For Deployment

  1. Environment Variables

    • Never commit .env files
    • Use strong, random JWT_SECRET (min 32 characters)
    • Rotate secrets regularly
  2. Database

    • Keep regular backups
    • Restrict file permissions (chmod 600)
    • Use encrypted volumes when possible
  3. Network

    • Always use HTTPS in production
    • Configure firewall rules
    • Use reverse proxy (Nginx/Cloudflare)
  4. Access Control

    • Use strong admin passwords (min 12 characters)
    • Regularly audit access links
    • Revoke unused links promptly
    • Monitor admin activity logs
  5. Monitoring

    • Enable application monitoring
    • Set up alerts for suspicious activity
    • Review logs regularly
    • Monitor failed login attempts

For Development

  1. Dependencies

    # Audit dependencies regularly
    npm audit
    
    # Fix vulnerabilities
    npm audit fix
  2. Code Review

    • All PRs require review
    • Security-focused code review
    • Automated security scanning
  3. Testing

    • Test authentication flows
    • Verify rate limiting
    • Test input validation
    • Security penetration testing

Known Security Considerations

SQLite Limitations

  • SQLite file permissions are critical
  • No built-in user authentication
  • Recommend PostgreSQL for multi-tenant deployments

Access Token Management

  • Tokens are UUID v4 (cryptographically secure)
  • Should be treated as secrets
  • Not logged in application logs
  • Can be revoked instantly

Admin Session Security

  • JWT tokens expire after 24 hours (configurable)
  • HTTP-only cookies keep the JWT unreadable by page scripts, limiting the impact of XSS
  • SameSite=Strict prevents CSRF
  • Logout clears all session data

SwitchBot API Security

  • API tokens stored in environment variables
  • HMAC signature used when secret provided
  • Rate limited by SwitchBot (10k requests/day)
  • Test commands logged in admin_logs

Vulnerability Response Timeline

Phase           | Timeline  | Actions
Report          | Day 0     | Vulnerability reported
Acknowledgment  | Day 1-2   | Confirm receipt and start investigation
Assessment      | Day 3-7   | Evaluate severity and impact
Fix Development | Day 8-14  | Develop and test fix
Release         | Day 15-21 | Deploy fix and notify users
Disclosure      | Day 22+   | Public disclosure with details

Security Updates

How to Stay Updated

  1. Watch GitHub Repository

    • Click "Watch" → "Custom" → "Security alerts"
  2. Check Releases

  3. Update Regularly

    # Pull latest changes
    git pull origin main
    
    # Update dependencies
    npm install
    
    # Run migrations
    npm run db:migrate
    
    # Restart application
    pm2 restart switchbot-access

Compliance

OWASP Top 10

Protection against OWASP Top 10 vulnerabilities:

  • ✅ A01: Broken Access Control
  • ✅ A02: Cryptographic Failures
  • ✅ A03: Injection
  • ✅ A04: Insecure Design
  • ✅ A05: Security Misconfiguration
  • ✅ A06: Vulnerable Components
  • ✅ A07: Authentication Failures
  • ✅ A08: Data Integrity Failures
  • ⚠️ A09: Security Logging and Monitoring Failures (basic implementation)
  • ✅ A10: SSRF

Data Protection

  • Passwords: Hashed with bcrypt (never stored in plain text)
  • JWTs: Stored in HTTP-only cookies
  • Access Tokens: UUID v4, treated as secrets
  • API Keys: Stored in environment variables
  • Database: File-based, can be encrypted at rest

Security Audit History

Date       | Version | Auditor  | Findings                | Status
2026-01-15 | v2.0.0  | Internal | Initial security review | ✅ Complete

Contact

For security concerns:

  • 🔒 Security Advisories
  • 📧 GitHub Issues (for non-sensitive questions)
  • 🐛 Bug Bounty: Currently not available

Last Updated: January 15, 2026
Version: 2.0.0