Last updated: 2025-06-16

MailMop is designed from the ground up with security and privacy as first-class citizens. The guiding philosophy is Minimise the attack surface & keep user data in the browser whenever possible. This document is a living reference for developers and auditors who want to understand the layers of protection baked into the product.

• All Gmail API calls execute in-browser through Google's official gapi library.
• The server never touches users' Gmail data — messages, headers, or metadata.
• Heavy computations (search, filter, batching, local caching) run in the user's tab, eliminating server-side injection vectors.

The backend's job is limited to:

1. Authentication (Supabase OAuth → Google)
2. Subscription management (Stripe)
3. Lightweight analytics / event logging
4. E-mail notification automation via Edge Functions

No user inbox data transits our servers.

• OAuth with Google → tokens stored by Supabase; MailMop receives a signed JWT.
• Middleware verifies the JWT on every protected request (/dashboard/**).
• Refresh tokens are stored in httpOnly, Secure, SameSite=Lax cookies.
• Access tokens live only in volatile memory and expire in 60 min max.

Every table in Postgres (Supabase) has REQUIRED RLS enabled.

Policies are defined in /supabase/migrations/*_initial_schema.sql and follow the principle of least privilege.

Safeguards

1. GitHub secret-scanning blocks pushes that contain credentials.
2. CI fails if check-env.js detects a missing or mis-scoped variable.
3. Periodic cron monitors unused or leaked keys → rotation.

1. Input validation: blocks path traversal, <script> tags, SQL keywords, JS/ VBScript URLs, oversize user-agents & URLs.
2. Rate limiting: 100 requests / 15 min window per IP on /dashboard/**.
3. Auth enforcement: redirects unauthenticated users to landing page.
4. Security headers • Strict-Transport-Security (prod)
   • Content-Security-Policy – whitelisted domains only
   • X-Frame-Options: DENY, X-Content-Type-Options: nosniff, X-XSS-Protection: 1; mode=block, Referrer-Policy: strict-origin-when-cross-origin.

All events, successes & violations are piped to a structured logger and stored in Supabase's logs bucket for 30 days.

Validation utils live in src/lib/utils/inputValidation.ts + src/lib/gmail/buildQuery.ts.

Only inputs that eventually hit Supabase or Gmail are sanitised; purely client-side search/filter remains unsanitised by design to save cycles (no data leaves browser).

• All traffic terminates at HTTPS (Vercel edge).
• HSTS max-age 1 year with sub-domains.
• Modern TLS versions only; weak ciphers disabled by Vercel defaults.
• Stripe elements served from https://js.stripe.com within strict CSP.

Edge Functions run with the service role key in a private Supabase network:

• verify-webhook-signature helpers validate Stripe events.
• Functions declare explicit import_map to prevent supply-chain typosquatting.
• Each function sanitises inputs (e.g. send-welcome-email guards against template injection).
• Logs emitted to Supabase's edge_function_logs table.

1. Secret scanning (GitHub Advanced Security) – blocking.
2. Supabase audit logs streamed to Logflare → Grafana dashboards.
3. Vercel analytics alerts on anomalous traffic spikes (≥3× baseline).
4. PagerDuty alert if any middleware.security.error or leaked credential is detected.
5. 30-day retention; GDPR-compliant deletion thereafter.

• Dependabot PRs auto-created weekly; high severity patched within 24 h.
• npm audit & pnpm audit run in CI; build fails on CVSS ≥ 7.
• TypeScript strict mode eliminates many injection paths at compile-time.

Developers must:

1. Never store Gmail content on the server.
2. Use validation helpers – do not roll your own sanitiser.
3. Keep secrets out of source code – use vercel env.
4. Add a Supabase RLS policy before adding any new table/column.
5. Write unit tests for every new validation path (Jest + React Testing Library).

See Git history of SECURITY.md for previous versions.

Questions or security disclosures?
Please open a PRIVATE security issue or email help@mailmop.com