This document outlines security practices, guidelines, and procedures for the VibeMUSE modernization project. Security is a critical aspect of our platform, especially given the multi-user nature of the application.
JWT-based Authentication:
- Access tokens expire in 24 hours
- Refresh tokens expire in 7 days
- Role-based access control (RBAC)
- Permission-based authorization
Password Security:
- Minimum 8 characters required
- Must contain uppercase, lowercase, numbers, and special characters
- Hashed using bcrypt with 12 rounds
- Account lockout after 5 failed attempts
Session Management:
- Secure session handling with JWT
- Session timeout after 24 hours of inactivity
- Proper session invalidation on logout
Input Validation:
- All inputs validated using Zod schemas
- Input sanitization to prevent XSS
- Content-Type validation
- Request size limits (1MB default)
Rate Limiting:
- Global rate limiting: 100 requests per 15-minute window
- Per-user rate limiting for authenticated endpoints
- WebSocket connection limits: 1000 concurrent connections
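The limits above, as an added example that is not VibeMUSE code: a limiter using the page's 100 requests per 15-minute window, with an injectable clock so enforcement and recovery after the window can be tested. `createRateLimiter`, `rateLimit`, the fixed-window algorithm and the `ip:` key format are assumptions.

```javascript
// Added example, not VibeMUSE code: fixed-window limiter with the page's
// numbers. createRateLimiter, rateLimit and the injected clock are assumptions.
function createRateLimiter({ windowMs = 900000, max = 100, now = Date.now } = {}) {
  const buckets = new Map(); // key -> { start, count }

  function check(key) {
    const t = now();
    let b = buckets.get(key);
    if (!b || t - b.start >= windowMs) {
      b = { start: t, count: 0 }; // first request, or the old window expired
      buckets.set(key, b);
    }
    b.count += 1;
    const allowed = b.count <= max;
    return {
      allowed,
      remaining: Math.max(0, max - b.count),
      retryAfterSec: allowed ? 0 : Math.ceil((b.start + windowMs - t) / 1000),
    };
  }

  // Drop expired buckets so the map cannot grow without bound.
  function sweep() {
    const t = now();
    for (const [key, b] of buckets) {
      if (t - b.start >= windowMs) buckets.delete(key);
    }
    return buckets.size;
  }
  return { check, sweep };
}

// Express-style middleware; keyOf picks the bucket (client IP, or user id for per-user limits).
function rateLimit(limiter, keyOf) {
  return (req, res, next) => {
    const r = limiter.check(keyOf(req));
    if (r.allowed) return next();
    res.statusCode = 429;
    res.setHeader('Retry-After', String(r.retryAfterSec));
    res.end('Too Many Requests');
  };
}

// Global limiter with the page's defaults, keyed by client IP.
const globalLimiter = createRateLimiter();
const limitByIp = rateLimit(globalLimiter, (req) => `ip:${req.ip}`);
```

A fixed window resets all at once, so a client can send up to the maximum at the end of one window and again at the start of the next; a sliding window avoids that at the cost of more state per key.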
Security Headers:
- Comprehensive Content Security Policy (CSP)
- HTTP Strict Transport Security (HSTS)
- X-Frame-Options, X-Content-Type-Options
- Referrer-Policy and other security headers
Supabase Integration:
- Row Level Security (RLS) policies
- Service role key separation
- Connection pooling and limits
- Parameterized queries to prevent SQL injection
Data Protection:
- Sensitive data encryption at rest
- Secure key management
- Regular security audits
Connection Security:
- Authentication required for WebSocket connections
- Connection rate limiting
- Heartbeat mechanism for connection validation
- Message size and frequency limits
Message Validation:
- All WebSocket messages validated
- Input sanitization
- Type checking and schema validation
// Environment validation with Zod
const envSchema = z.object({
  JWT_SECRET: z.string().min(32),
  ENCRYPTION_KEY: z.string().min(32),
  // ... other validations
});

// Input validation and sanitization
app.use(validateRequestSize());
app.use(validateContentType());
app.use(sanitizeInput);

// JWT token verification
app.use('/api/protected', authenticateToken);
app.use('/api/admin', requireAdmin);

// Secure error handling that doesn't expose sensitive information
app.use(errorHandler);

- Never commit secrets to version control
  - Use .env.local for local development
  - Use environment variables for production
  - Review commits for accidentally included secrets
- Input Validation
  - Always validate user inputs
  - Use Zod schemas for comprehensive validation
  - Sanitize inputs to prevent XSS
- Error Handling
  - Don't expose sensitive information in error messages
  - Log security events appropriately
  - Use proper HTTP status codes
- Database Interactions
  - Use parameterized queries
  - Implement proper access controls
  - Validate all database inputs
- Authentication
  - Implement proper session management
  - Use secure password hashing
  - Implement account lockout mechanisms
- Environment Security
  - Use strong, unique secrets for each environment
  - Rotate secrets regularly
  - Use proper secret management tools
- Monitoring
  - Monitor for suspicious activity
  - Log security events
  - Set up alerts for security violations
- Updates
  - Keep dependencies updated
  - Monitor security advisories
  - Apply security patches promptly
Dependency Scanning:
npm audit
npm audit fix

Static Code Analysis:
npm run lint
npm run type-check

- Authentication Testing
  - Test token expiration
  - Test invalid tokens
  - Test role-based access
- Input Validation Testing
  - Test with malicious inputs
  - Test boundary conditions
  - Test input sanitization
- Rate Limiting Testing
  - Test rate limit enforcement
  - Test bypass attempts
  - Test recovery after limits
- Detection
  - Monitor logs for security events
  - Automated alerting for suspicious activity
  - User reports of security issues
- Response
  - Immediately assess the severity
  - Contain the incident
  - Document all actions taken
- Recovery
  - Fix the vulnerability
  - Restore normal operations
  - Update security measures
- Post-Incident
  - Conduct post-mortem analysis
  - Update security procedures
  - Communicate with stakeholders
If you discover a security vulnerability:
- Do NOT create a public GitHub issue
- Do NOT discuss the vulnerability publicly
- DO email security concerns to the project maintainers
- DO provide detailed information about the vulnerability
- DO allow reasonable time for response and fix
- OWASP Top 10 compliance
- CWE/SANS Top 25 vulnerability prevention
- NIST Cybersecurity Framework alignment
- GDPR compliance for European users
- CCPA compliance for California users
- Data minimization principles
- User consent management
- Environment validation
- Input validation framework
- Authentication middleware
- Error handling
- Rate limiting
- Security headers
- OAuth2 integration
- Multi-factor authentication
- Advanced rate limiting
- Security monitoring
- Audit logging
- End-to-end encryption
- Advanced threat detection
- Security analytics
- Penetration testing
- Security certification
# Security essentials
JWT_SECRET=your-super-secret-jwt-key-here (min 32 chars)
ENCRYPTION_KEY=your-encryption-key-here (min 32 chars)
# Database security
SUPABASE_URL=your-supabase-url
SUPABASE_SERVICE_ROLE_KEY=your-service-role-key
# CORS and rate limiting
CORS_ORIGINS=http://localhost:5173,https://yourdomain.com
RATE_LIMIT_WINDOW_MS=900000
RATE_LIMIT_MAX_REQUESTS=100
# WebSocket security
WS_MAX_CONNECTIONS=1000
WS_HEARTBEAT_INTERVAL=30000

- Environment variables validated
- Secrets properly managed
- Input validation implemented
- Authentication working
- Authorization enforced
- Rate limiting active
- Security headers configured
- Error handling secure
- Logging implemented
- Dependencies updated
- Security tests passing
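An added example (not the project's code) of the "Environment variables validated" item, written without Zod so it runs stand-alone against the variables in the template above. It applies the page's 32-character minimum and also rejects template placeholders, which a length rule alone lets through once padded; `validateEnv`, `PLACEHOLDER_RE` and the https and origin checks are assumptions.

```javascript
// Added example, not VibeMUSE code. validateEnv, PLACEHOLDER_RE and the
// placeholder/https/origin heuristics are assumptions beyond the template.
const PLACEHOLDER_RE = /^(your-|change-?me|example)/i;
const INT_VARS = ['RATE_LIMIT_WINDOW_MS', 'RATE_LIMIT_MAX_REQUESTS', 'WS_MAX_CONNECTIONS', 'WS_HEARTBEAT_INTERVAL'];

function checkSecret(name, value, errors) {
  if (typeof value !== 'string' || value.length < 32) {
    errors.push(`${name}: must be at least 32 characters`);
  } else if (PLACEHOLDER_RE.test(value)) {
    errors.push(`${name}: template placeholder, not a real secret`);
  }
}

// isOrigin: value is a CORS origin (no path; plain http only for localhost).
function checkUrl(name, value, errors, isOrigin) {
  let url;
  try {
    url = new URL(value);
  } catch {
    errors.push(`${name}: "${value}" is not a valid URL`);
    return;
  }
  const localDev = isOrigin && url.protocol === 'http:' && url.hostname === 'localhost';
  if (url.protocol !== 'https:' && !localDev) errors.push(`${name}: "${value}" must use https`);
  if (isOrigin && url.origin !== value) errors.push(`${name}: "${value}" must be a bare origin`);
}

function validateEnv(env) {
  const errors = [];
  checkSecret('JWT_SECRET', env.JWT_SECRET, errors);
  checkSecret('ENCRYPTION_KEY', env.ENCRYPTION_KEY, errors);
  if (env.JWT_SECRET && env.JWT_SECRET === env.ENCRYPTION_KEY) {
    errors.push('ENCRYPTION_KEY: must differ from JWT_SECRET');
  }
  checkUrl('SUPABASE_URL', env.SUPABASE_URL, errors, false);
  const roleKey = env.SUPABASE_SERVICE_ROLE_KEY;
  if (!roleKey || PLACEHOLDER_RE.test(roleKey)) {
    errors.push('SUPABASE_SERVICE_ROLE_KEY: missing or placeholder');
  }
  for (const origin of (env.CORS_ORIGINS ?? '').split(',')) {
    checkUrl('CORS_ORIGINS', origin.trim(), errors, true);
  }
  for (const name of INT_VARS) {
    if (!/^[1-9]\d*$/.test(env[name] ?? '')) errors.push(`${name}: must be a positive integer`);
  }
  return errors;
}

// Constructed sample: the template's JWT_SECRET padded past 32 characters.
console.log(validateEnv({ JWT_SECRET: 'your-super-secret-jwt-key-here-padded-to-length' }));
```

Run it at startup and refuse to boot when the returned list is non-empty, logging the variable names but never the values.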
- OWASP Security Guide
- Node.js Security Checklist
- Express.js Security Best Practices
- Supabase Security Documentation
Last Updated: July 2025
Next Review: Phase 1 Completion
Maintained By: VibeMUSE Development Team