If you discover a security vulnerability in this project, please report it by emailing the maintainers. Do not create a public GitHub issue.
- All user-generated content is sanitized before rendering
innerHTMLusage has been replaced with safer alternatives usingtextContentand DOM APIs- Emoji inputs are validated to prevent malicious code injection
- URL validation prevents
javascript:anddata:URI attacks
src/lib/auth.ts) uses localStorage and plain text passwords. This is NOT PRODUCTION-READY.
For production, you MUST:
- Implement server-side authentication with proper password hashing (bcrypt, Argon2)
- Use HTTP-only cookies for session management
- Implement proper CSRF protection
- Add rate limiting for login attempts
- Use Firebase Authentication instead of custom localStorage auth
VITE_ prefix are bundled into client-side code and exposed in the browser.
Current Exposure:
- Azure OpenAI API key is visible in production build
- Anyone can extract and use your API key
Required Actions Before Going Live:
- Move API calls to a backend server - Never call Azure OpenAI from the client
- Create a serverless function (Vercel, Netlify, AWS Lambda) to proxy API calls
- Remove VITE_ prefix from sensitive keys
- Use environment-specific keys (separate dev/prod keys)
- Implement rate limiting on your backend
Example Serverless Function (Vercel):
// api/analyze-image.ts
import { AzureOpenAIService } from '../src/services/azure-openai';
export default async function handler(req, res) {
// Validate authentication
if (!req.headers.authorization) {
return res.status(401).json({ error: 'Unauthorized' });
}
// Rate limiting logic here
// Call Azure OpenAI with server-side key
const result = await AzureOpenAIService.analyzeImage(req.body.image);
res.json(result);
}Required Firestore Security Rules:
rules_version = '2';
service cloud.firestore {
match /databases/{database}/documents {
// Only authenticated users can read/write
match /Artifacts/{artifactId} {
allow read: if request.auth != null;
allow create: if request.auth != null;
allow update, delete: if request.auth != null &&
request.auth.uid == resource.data.createdBy;
}
match /Articles/{articleId} {
allow read: if true; // Public read
allow write: if request.auth != null; // Authenticated write
}
// Add rules for other collections
match /{document=**} {
allow read, write: if false; // Deny by default
}
}
}All user inputs should be validated:
- Client-side validation for UX
- Server-side validation is REQUIRED (currently missing)
- Use Zod schemas for type-safe validation
- Sanitize all text inputs
- Regular
npm auditchecks are required - All dependencies are kept up to date
- No known high/critical vulnerabilities in current dependencies
Add these headers to your vercel.json or server configuration:
{
"headers": [
{
"source": "/(.*)",
"headers": [
{
"key": "X-Content-Type-Options",
"value": "nosniff"
},
{
"key": "X-Frame-Options",
"value": "DENY"
},
{
"key": "X-XSS-Protection",
"value": "1; mode=block"
},
{
"key": "Referrer-Policy",
"value": "strict-origin-when-cross-origin"
},
{
"key": "Permissions-Policy",
"value": "camera=(), microphone=(), geolocation=()"
}
]
}
]
}.env.env.local.env.production
✅ .env.local is in .gitignore
✅ No API keys found in git history
- Rotate all API keys that have VITE_ prefix
- Move API calls to backend
- Use server-side environment variables only
Before making this project open source or deploying to production:
- Move API keys to backend/serverless functions
- Implement proper server-side authentication
- Add Firestore security rules
- Add server-side input validation
- Add rate limiting
- Add CSRF protection
- Configure security headers
- Run security audit:
npm audit - Test all authentication flows
- Review all user inputs for XSS vulnerabilities
- Implement proper error handling (don't expose stack traces)
- Add logging and monitoring
- Set up alerts for suspicious activity
- v1.0 (2025-12-05): Initial security hardening
- Fixed XSS vulnerabilities
- Updated dependencies
- Added sanitization utilities
- Documented security issues