Use this section to tell people about which versions of your project are currently being supported with security updates.

We take security vulnerabilities seriously. If you discover a security vulnerability in AkılHane, please follow these steps:

1. DO NOT create a public GitHub issue for security vulnerabilities
2. DO email us at: security@akilhane.com (or create a private security advisory)
3. Include the following information:
   • Description of the vulnerability
   • Steps to reproduce
   • Potential impact
   • Suggested fix (if any)

• Initial Response: Within 48 hours
• Status Update: Within 7 days
• Resolution: Within 30 days (depending on complexity)

If the vulnerability is accepted:

• We will acknowledge receipt within 48 hours
• We will investigate and provide regular updates
• We will release a security patch as soon as possible
• We will credit you in the security advisory (unless you prefer to remain anonymous)

If the vulnerability is declined:

• We will explain why and provide technical reasoning
• We may suggest alternative approaches or improvements

• ✅ Supabase Auth Integration: Secure user authentication with JWT tokens
• ✅ Row Level Security (RLS): Database-level access control for all tables
• ✅ TypeScript Strict Mode: Complete type safety throughout the application
• ✅ Secure Password Management: Encrypted password storage and secure change process

• ✅ HTTPS Enforcement: All communications encrypted with TLS
• ✅ Secure File Uploads: Cloudinary integration with validation
• ✅ Input Sanitization: Protection against XSS and injection attacks
• ✅ Content Security Policy: CSP headers implemented

• ✅ API Key Management: Secure storage of AI service credentials
• ✅ Request Validation: All AI requests validated before processing
• ✅ Rate Limiting: Protection against API abuse
• ✅ Error Handling: Secure error responses without information leakage

1. Never commit sensitive data (API keys, passwords, etc.)
2. Use environment variables for all configuration
3. Validate all user inputs before processing
4. Follow the principle of least privilege
5. Keep dependencies updated regularly

1. Use strong passwords and enable 2FA when available
2. Keep your browser updated
3. Report suspicious activity immediately
4. Don't share your login credentials

# Required for production
NEXT_PUBLIC_SUPABASE_URL=your_supabase_url
NEXT_PUBLIC_SUPABASE_ANON_KEY=your_supabase_anon_key
SUPABASE_SERVICE_ROLE_KEY=your_service_role_key
GOOGLE_GENAI_API_KEY=your_gemini_api_key
CLOUDINARY_CLOUD_NAME=your_cloudinary_name
CLOUDINARY_API_KEY=your_cloudinary_key
CLOUDINARY_API_SECRET=your_cloudinary_secret

// Implemented in next.config.ts
contentSecurityPolicy: "default-src 'self'; script-src 'none'; sandbox;",

• All environment variables are properly configured
• Database RLS policies are active
• HTTPS is enforced
• Security headers are implemented
• Dependencies are updated to latest versions
• API keys are rotated and secure

• Weekly dependency updates
• Monthly security audits
• Quarterly penetration testing
• Annual security policy review

• ⚠️ API Rate Limiting: Not fully implemented across all endpoints
• ⚠️ CSRF Protection: Missing in some areas
• ⚠️ Security Headers: Some headers could be enhanced
• ⚠️ Input Sanitization: Some areas need improvement

• 🔄 Enhanced Rate Limiting: Implement comprehensive rate limiting
• 🔄 CSRF Tokens: Add CSRF protection to all forms
• 🔄 Security Headers: Implement additional security headers
• 🔄 Input Validation: Enhance input sanitization across the application

• Security Team: security@akilhane.com
• Project Maintainer: GitHub Profile
• Emergency Contact: Available through GitHub issues (private)

This security policy is part of the AkılHane project and is covered under the same MIT license as the main project.

Last Updated: August 2025
Version: 1.0.0
Next Review: August 2025