This is a portfolio demonstration project. It is not intended for production deployment without significant security hardening.
The following security measures are intentionally omitted for demo simplicity:
| Issue | Location | Risk | Reason |
|---|---|---|---|
| No authentication | All API routes | High | Simplifies demo setup |
| No rate limiting | All endpoints | Medium | Would require Redis/additional infra |
| IDOR vulnerability | /api/tasks/[id]/stream |
Medium | Task IDs accessible without ownership check |
| Default DB credentials | packages/core/src/db/client.ts |
Low | Only affects misconfigured deployments |
For full details, see docs/KNOWN_LIMITATIONS.md.
- Input validation via Zod schemas on all API endpoints
- SQL injection prevention via Drizzle ORM parameterized queries
- Type safety preventing many classes of runtime errors
Since this is a portfolio project, there are no live deployments to protect. However, if you discover a security issue that could affect someone who forks this project:
- Open a GitHub issue describing the vulnerability
- Include steps to reproduce
- Suggest a fix if possible
Before deploying this codebase to production:
-
Add Authentication
- Implement NextAuth.js or similar
- Add JWT validation middleware
- Implement user session management
-
Add Authorization
- Verify task ownership before streaming
- Implement role-based access control
- Add resource-level permissions
-
Add Rate Limiting
- Use Redis-based rate limiting
- Implement per-user and per-IP limits
- Add circuit breakers for external APIs
-
Secure Secrets
- Use environment variable validation
- Implement secrets rotation
- Audit all hardcoded strings
-
Add Logging & Monitoring
- Log all authentication attempts
- Monitor for suspicious patterns
- Set up alerting for anomalies
This project uses well-maintained dependencies. Run regular security audits:
pnpm auditFor security questions about this portfolio project, open a GitHub issue or contact the maintainer directly.