Security is a top priority for TrustUp. This document outlines our security practices, how to report vulnerabilities, and guidelines for secure development.

| Version | Supported |
|---|---|
| 1.0.x | ✅ |
| < 1.0 | ❌ |

Note: We are currently in development (pre-1.0). Security updates will be applied to the main branch.

Please DO NOT open public issues for security vulnerabilities.

If you discover a security vulnerability, please report it privately to:
- Email: security@trustup.io (to be set up)
- GitHub: Use GitHub Security Advisories
When reporting a vulnerability, please provide:
- Description: Clear description of the vulnerability
- Impact: Potential impact and severity
- Reproduction Steps: Step-by-step instructions to reproduce
- Proof of Concept: Code snippet or example (if applicable)
- Suggested Fix: Potential solution (optional)
- Acknowledgment: Within 48 hours
- Initial Assessment: Within 7 days
- Fix Timeline: Based on severity
  - Critical: 24-48 hours
  - High: 1 week
  - Medium: 2-4 weeks
  - Low: Next release cycle

### Wallet-Based Authentication
- Signature verification using Stellar cryptography
- Nonces expire after 5 minutes
- JWTs expire after 15 minutes (access) / 7 days (refresh)
- Refresh tokens are hashed before storage

### JWT Security
- Use strong secret keys (32+ characters, random)
- Rotate JWT secrets periodically
- Validate token expiration strictly
- Never expose tokens in URLs or logs

### Access Control
- Implement Row Level Security (RLS) in Supabase
- Users can only access their own data
- Validate user ownership on every request

### DTOs and Validation
- Use `class-validator` for all input validation
- Sanitize user inputs before database storage
- Validate Stellar address format
- Validate numeric ranges and limits

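
The address check and the login flow described above, as an added example that is not TrustUp's own code: it parses a Stellar account id (StrKey encoding: a version byte, the 32-byte Ed25519 public key and a CRC16-XModem checksum, base32-encoded as a 56-character `G...` string) using only Node's built-in `crypto`, then runs the nonce-based wallet login from the Wallet-Based Authentication section with 5-minute, single-use nonces. The `trustup-login:<nonce>` message format, the in-memory `NonceStore`, and all function names are assumptions, not the project's API.

```typescript
import * as crypto from 'node:crypto';
import { Buffer } from 'node:buffer';

// Added example (not TrustUp code). The message format and in-memory store are assumptions.
export const NONCE_TTL_MS = 5 * 60 * 1000;   // policy: nonces expire after 5 minutes
const ACCOUNT_ID_VERSION = 6 << 3;          // StrKey version byte for Ed25519 public keys ("G...")
const B32 = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ234567';
// DER SubjectPublicKeyInfo header that wraps a raw 32-byte Ed25519 key
const ED25519_SPKI_PREFIX = Buffer.from('302a300506032b6570032100', 'hex');

// CRC16-XModem (poly 0x1021, init 0); StrKey appends it little-endian.
function crc16XModem(data: Buffer): number {
  let crc = 0;
  for (let i = 0; i < data.length; i++) {
    crc ^= data[i] << 8;
    for (let b = 0; b < 8; b++) crc = ((crc & 0x8000) ? (crc << 1) ^ 0x1021 : crc << 1) & 0xffff;
  }
  return crc;
}

function base32Encode(bytes: Buffer): string {
  let bits = 0, acc = 0, out = '';
  for (let i = 0; i < bytes.length; i++) {
    acc = (acc << 8) | bytes[i]; bits += 8;
    while (bits >= 5) { out += B32[(acc >>> (bits - 5)) & 31]; bits -= 5; }
    acc &= (1 << bits) - 1;
  }
  return out; // 35 bytes = 280 bits = exactly 56 symbols, so no padding is needed
}

function base32Decode(text: string): Buffer {
  let bits = 0, acc = 0; const out: number[] = [];
  for (let i = 0; i < text.length; i++) {
    const v = B32.indexOf(text[i]);
    if (v < 0) throw new Error('invalid base32 symbol');
    acc = (acc << 5) | v; bits += 5;
    if (bits >= 8) { out.push((acc >>> (bits - 8)) & 0xff); bits -= 8; acc &= (1 << bits) - 1; }
  }
  return Buffer.from(out);
}

/** Encode a raw 32-byte Ed25519 public key as a Stellar account id. */
export function encodeAccountId(rawKey: Buffer): string {
  if (rawKey.length !== 32) throw new Error('Ed25519 public key must be 32 bytes');
  const body = Buffer.concat([Buffer.from([ACCOUNT_ID_VERSION]), rawKey]);
  const crc = crc16XModem(body);
  return base32Encode(Buffer.concat([body, Buffer.from([crc & 0xff, crc >> 8])]));
}

/** Strict parse: length, prefix, version byte and checksum must all be right. */
export function decodeAccountId(address: string): Buffer {
  if (address.length !== 56 || address[0] !== 'G') throw new Error('not a Stellar account id');
  const decoded = base32Decode(address);
  if (decoded.length !== 35 || decoded[0] !== ACCOUNT_ID_VERSION) throw new Error('bad version byte');
  if (crc16XModem(decoded.subarray(0, 33)) !== (decoded[33] | (decoded[34] << 8))) {
    throw new Error('checksum mismatch');
  }
  return Buffer.from(decoded.subarray(1, 33));
}

export function isValidAccountId(address: string): boolean {
  try { decodeAccountId(address); return true; } catch (_err) { return false; }
}

export function rawPublicKey(key: crypto.KeyObject): Buffer {
  const der = key.export({ type: 'spki', format: 'der' });
  return Buffer.from(der.subarray(der.length - 32)); // raw key is the last 32 bytes of the SPKI
}

function publicKeyFromAccountId(address: string): crypto.KeyObject {
  const der = Buffer.concat([ED25519_SPKI_PREFIX, decodeAccountId(address)]);
  return crypto.createPublicKey({ key: der, format: 'der', type: 'spki' });
}

// Assumed challenge format; the wallet signs this with the account's private key.
export function loginMessage(nonce: string): Buffer {
  return Buffer.from(`trustup-login:${nonce}`);
}

export class NonceStore {
  private pending = new Map<string, { nonce: string; expiresAt: number }>();

  issue(address: string, now: number = Date.now()): string {
    decodeAccountId(address); // reject malformed addresses before issuing anything
    const nonce = crypto.randomBytes(32).toString('hex');
    this.pending.set(address, { nonce, expiresAt: now + NONCE_TTL_MS });
    return nonce;
  }

  verify(address: string, signature: Buffer, now: number = Date.now()): { ok: boolean; reason?: string } {
    const entry = this.pending.get(address);
    this.pending.delete(address); // single use whatever the outcome, so a captured signature cannot be replayed
    if (!entry) return { ok: false, reason: 'no pending nonce' };
    if (now >= entry.expiresAt) return { ok: false, reason: 'nonce expired' };
    let valid = false;
    try { valid = crypto.verify(null, loginMessage(entry.nonce), publicKeyFromAccountId(address), signature); }
    catch (_err) { valid = false; } // malformed key or signature counts as a failed login
    return valid ? { ok: true } : { ok: false, reason: 'bad signature' };
  }
}
```

The nonce is deleted on every verification attempt, so a failed or expired attempt forces the client to request a fresh one; the checksum means a mistyped or truncated address is rejected before any key material is derived from it.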
### SQL Injection Prevention
- Use parameterized queries (ORM/query builder)
- Never concatenate user input into SQL
- Enable prepared statements

### XSS Prevention
- Sanitize HTML content if accepting rich text
- Use Content Security Policy (CSP) headers
- Encode output when rendering user data

### Transaction Validation
- Validate XDR format before submission
- Check transaction source matches authenticated user
- Validate transaction sequence numbers
- Implement transaction limits

### Private Key Management
- Never store private keys in the API
- Users sign transactions client-side
- API only handles unsigned/signed XDRs
- No server-side signing

### Smart Contract Integration
- Validate contract responses
- Handle contract errors gracefully
- Implement retry logic with exponential backoff
- Set transaction timeouts

### Environment Variables
- Never commit `.env` files
- Use secret management tools in production (AWS Secrets Manager, Vault)
- Rotate secrets regularly
- Least-privilege principle for API keys

### Database Security
- Enable SSL/TLS for database connections
- Use Supabase RLS policies
- Encrypt sensitive data at rest
- Regular backups with encryption

### API Security
- Enable CORS with whitelist
- Implement rate limiting (100 req/min)
- Use HTTPS only in production
- Set secure HTTP headers (Helmet)

### Don't Expose Sensitive Information
- Never return stack traces to clients
- Log detailed errors server-side only
- Return generic error messages
- Sanitize error messages

### Logging Security
- Never log sensitive data (tokens, keys, passwords)
- Redact wallet addresses in logs if needed
- Use structured logging
- Implement log rotation

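
One way to apply the two sections above (generic client errors, detailed errors only server-side, no secrets in logs), as an added example rather than project code: `handleError` splits an error into a client-safe response body and a structured server log record, and `redactSecrets` / `maskAccountIds` rewrite the secret shapes this policy names (JWTs, Stellar secret seeds, wallet addresses) before anything is written. The status-code map, the record shapes, the regexes and the function names are assumptions.

```typescript
import * as crypto from 'node:crypto';

// Added example (not TrustUp code). Record shapes and patterns are assumptions.
const REDACTION_RULES: Array<{ name: string; pattern: RegExp }> = [
  // three base64url segments joined by dots: the shape of a JWT, wherever it appears
  { name: 'jwt', pattern: /[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}/g },
  // Stellar secret seed: "S" followed by 55 base32 symbols (must never reach the API, let alone a log)
  { name: 'stellar-seed', pattern: /\bS[A-Z2-7]{55}\b/g },
];

/** Replace every secret-shaped substring with a labelled marker. */
export function redactSecrets(text: string): string {
  return REDACTION_RULES.reduce(
    (acc, rule) => acc.replace(rule.pattern, `[REDACTED ${rule.name}]`), text);
}

/** Pseudonymise wallet addresses ("G" + 55 base32 symbols): keep 4 leading and 4 trailing characters. */
export function maskAccountIds(text: string): string {
  return text.replace(/\bG[A-Z2-7]{55}\b/g, (addr) => `${addr.slice(0, 4)}...${addr.slice(-4)}`);
}

export interface ClientError { statusCode: number; message: string; requestId: string }
export interface ServerLogRecord {
  level: 'error'; requestId: string; route: string; name: string; message: string; stack?: string;
}

// Only these generic texts ever go to the client; anything else collapses to 500.
const PUBLIC_MESSAGES: Record<number, string> = {
  400: 'Bad request', 401: 'Unauthorized', 403: 'Forbidden', 404: 'Not found', 429: 'Too many requests',
  500: 'Internal server error',
};

export function handleError(
  err: Error & { status?: number }, route: string, requestId: string = crypto.randomUUID(),
): { response: ClientError; log: ServerLogRecord } {
  const status = err.status !== undefined && PUBLIC_MESSAGES[err.status] ? err.status : 500;
  // Full detail stays server-side, redacted; the stack never leaves the log record.
  const log: ServerLogRecord = {
    level: 'error', requestId, route, name: err.name,
    message: maskAccountIds(redactSecrets(err.message)),
    stack: err.stack ? maskAccountIds(redactSecrets(err.stack)) : undefined,
  };
  // The client gets the status, a fixed message, and an id to quote to support.
  const response: ClientError = { statusCode: status, message: PUBLIC_MESSAGES[status], requestId };
  return { response, log };
}
```

The request id is the bridge between the two halves: the client can quote it without learning anything about internals, and the on-call engineer can find the redacted stack in the structured log by that id.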
### Dependency Management
- Run `npm audit` regularly
- Update dependencies to patch vulnerabilities
- Use `npm audit fix` carefully
- Review changes before updating major versions

### Supply Chain Security
- Lock dependencies with `package-lock.json`
- Verify package integrity
- Use trusted registries only
- Monitor for malicious packages

The API implements these security headers:
```typescript
// Helmet configuration
helmet({
  contentSecurityPolicy: {
    directives: {
      defaultSrc: ["'self'"],
      scriptSrc: ["'self'"],
      styleSrc: ["'self'", "'unsafe-inline'"],
      imgSrc: ["'self'", "data:", "https:"],
    },
  },
  hsts: {
    maxAge: 31536000,
    includeSubDomains: true,
    preload: true,
  },
  frameguard: { action: 'deny' },
  noSniff: true,
  xssFilter: true,
})
```

Implement rate limiting to prevent abuse:

```typescript
{
  ttl: 60, // 60 seconds
  limit: 100, // 100 requests
  blockDuration: 300 // Block for 5 minutes if exceeded
}
```

Endpoints with stricter limits:
- `/auth/nonce`: 10 requests/minute
- `/auth/verify`: 5 requests/minute
- `/transactions/submit`: 20 requests/minute

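
The `ttl` / `limit` / `blockDuration` semantics and the per-endpoint overrides above, as an added example that is not TrustUp's code: an in-memory fixed-window limiter where a client that exceeds `limit` requests within `ttl` seconds is blocked for `blockDuration` seconds, and the three stricter routes override the global rule. The units follow the comments above (seconds), the `Throttler` class, the client key and the `Decision` shape are assumptions, and a real deployment would back this with a shared store so that every API instance sees the same counters.

```typescript
// Added example (not TrustUp code): fixed-window limiter with block duration and per-route rules.
export interface ThrottleRule { ttl: number; limit: number; blockDuration: number } // seconds, count, seconds

export const GLOBAL_RULE: ThrottleRule = { ttl: 60, limit: 100, blockDuration: 300 };
export const ROUTE_RULES: Record<string, ThrottleRule> = {
  '/auth/nonce': { ttl: 60, limit: 10, blockDuration: 300 },
  '/auth/verify': { ttl: 60, limit: 5, blockDuration: 300 },
  '/transactions/submit': { ttl: 60, limit: 20, blockDuration: 300 },
};

interface Counter { windowStart: number; count: number; blockedUntil: number } // all times in ms

/** retryAfter is in seconds (suitable for a Retry-After header) and 0 when the request is allowed. */
export interface Decision { allowed: boolean; remaining: number; retryAfter: number }

export class Throttler {
  private counters = new Map<string, Counter>();

  constructor(
    private routeRules: Record<string, ThrottleRule> = ROUTE_RULES,
    private fallback: ThrottleRule = GLOBAL_RULE,
  ) {}

  ruleFor(route: string): ThrottleRule {
    return this.routeRules[route] ?? this.fallback;
  }

  /** clientKey is whatever identifies the caller (source IP, authenticated account id). */
  check(clientKey: string, route: string, now: number = Date.now()): Decision {
    const rule = this.ruleFor(route);
    const key = `${clientKey} ${route}`; // counters are per client AND per route
    const c = this.counters.get(key) ?? { windowStart: now, count: 0, blockedUntil: 0 };

    // An active block is honoured regardless of window boundaries.
    if (c.blockedUntil > now) {
      return { allowed: false, remaining: 0, retryAfter: Math.ceil((c.blockedUntil - now) / 1000) };
    }
    // Start a fresh window once ttl seconds have passed since the window began.
    if (now - c.windowStart >= rule.ttl * 1000) { c.windowStart = now; c.count = 0; }

    c.count += 1;
    if (c.count > rule.limit) {
      c.blockedUntil = now + rule.blockDuration * 1000;
      this.counters.set(key, c);
      return { allowed: false, remaining: 0, retryAfter: rule.blockDuration };
    }
    this.counters.set(key, c);
    return { allowed: true, remaining: rule.limit - c.count, retryAfter: 0 };
  }
}
```

Keying counters on the authenticated account as well as the source address is worth considering for `/transactions/submit`, since one wallet behind a shared NAT should not be able to exhaust the budget of everyone else behind it.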
- ✅ Implement RLS in Supabase
- ✅ Validate user ownership on mutations
- ✅ Use JwtAuthGuard on protected endpoints
- ✅ Use HTTPS only in production
- ✅ Hash refresh tokens before storage
- ✅ Use secure random for nonces
- ✅ Use parameterized queries (ORM)
- ✅ Validate all inputs with DTOs
- ✅ Sanitize user inputs
- ✅ Wallet-based authentication
- ✅ No password storage
- ✅ Client-side transaction signing
- ✅ Secure default configurations
- ✅ Disable unnecessary features
- ✅ Keep dependencies updated
- ✅ Regular `npm audit`
- ✅ Automated dependency updates (Dependabot)
- ✅ Security-focused dependencies
- ✅ Short-lived JWTs
- ✅ Secure nonce generation
- ✅ Refresh token rotation
- ✅ Lock dependencies
- ✅ Verify transaction signatures
- ✅ Validate blockchain data
- ✅ Structured logging
- ✅ Security event logging
- ✅ Error tracking (Sentry)
- ✅ Validate URLs before fetching
- ✅ Whitelist allowed domains
- ✅ Use trusted RPC endpoints only
- HTTPS enabled with valid certificate
- Environment variables set securely
- Database SSL/TLS enabled
- CORS whitelist configured
- Rate limiting enabled
- Helmet headers configured
- Error messages sanitized
- Logging configured (no sensitive data)
- Secrets rotated
- Dependency vulnerabilities resolved
- Security headers tested
- Monitoring and alerting enabled
### Network Security
- Use VPC/private networks
- Firewall rules for database access
- DDoS protection (Cloudflare, AWS Shield)

### Access Management
- Least privilege IAM policies
- MFA for production access
- Regular access audits

### Monitoring
- Log aggregation (CloudWatch, DataDog)
- Security event alerts
- Anomaly detection

- Contain: Isolate affected systems
- Assess: Determine scope and impact
- Notify: Inform affected users if necessary
- Fix: Deploy patch or mitigation
- Review: Post-mortem and prevention

For security-related questions:
- Email: security@trustup.io
- GitHub: Security Advisories
- GDPR: User data handling compliant
- Data Retention: Clear policies documented
- Right to Deletion: User can delete account and data
- All transactions are public on Stellar blockchain
- Users are informed about on-chain data persistence
- Wallet addresses are pseudonymous (not anonymous)
### Static Analysis
- ESLint with security plugin
- SonarQube
- Semgrep

### Dependency Scanning
- npm audit
- Snyk
- Dependabot

### Runtime Protection
- Helmet (HTTP headers)
- express-rate-limit
- express-validator

### Monitoring
- Sentry (error tracking)
- DataDog (APM)
- CloudWatch (logs)

- Unit Tests: Validate input sanitization
- Integration Tests: Test authentication flows
- E2E Tests: Simulate attack scenarios
- Penetration Testing: Annual third-party audit (when production-ready)

Ensure security-critical code has 100% test coverage:
- Authentication service
- Authorization guards
- Input validation
- Signature verification

Last Updated: 2026-02-13