Comprehensive security measures implemented in Omega-Core to protect users and data while maintaining accessibility.
- NextAuth.js v5 with JWT sessions
- Secure cookies with HttpOnly, Secure, and SameSite flags
- Session management with 30-day expiration and 24-hour update age
- Guest user support with limited permissions
- User isolation - users can only access their own data
- Zod schemas for all API inputs (prevents injection attacks)
- String sanitization - removes control characters and limits length
- HTML sanitization - removes script tags and event handlers
- URL validation - blocks localhost/private IPs in production
- UUID validation - ensures valid UUID format
- File name sanitization - prevents path traversal attacks
- Request size limits - prevents DoS via large payloads
- Token bucket algorithm (O(1) complexity)
- Per-route limits:
- Chat API: 50 requests, 5/sec
- File uploads: 20 requests, 2/sec
- Other APIs: 100 requests, 10/sec
- Per-user and per-IP tracking
- Automatic cleanup to prevent memory leaks
All responses include:
- Content-Security-Policy - Prevents XSS attacks
- X-Content-Type-Options: nosniff - Prevents MIME sniffing
- X-Frame-Options: SAMEORIGIN - Prevents clickjacking
- X-XSS-Protection: 1; mode=block - Browser XSS protection
- Referrer-Policy - Controls referrer information
- Permissions-Policy - Restricts browser features
- Strict-Transport-Security - Forces HTTPS in production
- Drizzle ORM - Parameterized queries (prevents SQL injection)
- User isolation - All queries filtered by userId
- Input validation - All inputs validated before database operations
- Connection pooling - Reuses secure connections
- SSL required - Database connections use SSL
- File type validation - Only JPEG and PNG allowed
- Magic byte verification - Validates actual file type (not just extension)
- File size limits - 5MB maximum
- Filename sanitization - Prevents path traversal
- User isolation - Files stored in user-specific directories
- Content-Type validation - Zod schema validation
- Authentication required - All protected routes check session
- Authorization checks - Users can only access their own resources
- Request size limits - Prevents DoS attacks
- Error message sanitization - Doesn't leak sensitive information
- UUID validation - All IDs validated before use
- Input sanitization - All inputs sanitized before processing
- Command blacklist - Blocks dangerous commands
- Timeout protection - 1-30 second timeouts
- Output sanitization - Redacts sensitive information
- Production disabled - Requires
ENABLE_SHELL_TOOL=true - Rate limiting - Prevents abuse
- URL validation - Only http/https allowed
- Localhost blocking - Blocks localhost in production
- Content sanitization - Removes scripts and dangerous content
- Timeout protection - 10 second timeout
- Output limits - Maximum content length enforced
- User isolation - Users can only access their own memories
- Input sanitization - All content sanitized
- Rate limiting - Prevents abuse
- Vector search - Secure database queries
- React automatic escaping - React escapes by default
- HTML sanitization - Removes dangerous HTML
- Content Security Policy - Restricts script execution
- Input validation - Prevents malicious input
- SameSite cookies - Prevents CSRF attacks
- Secure cookies - HTTPS only in production
- NextAuth CSRF tokens - Built-in CSRF protection
- Never commit secrets - All secrets in
.env.local(gitignored) - Validate all inputs - Use Zod schemas
- Sanitize outputs - Use sanitization utilities
- Check authorization - Always verify user ownership
- Rate limit APIs - Prevent abuse
- Log security events - Monitor for attacks
- Set strong AUTH_SECRET - Use
openssl rand -base64 32 - Use HTTPS - Always in production
- Enable security headers - Already configured
- Monitor rate limits - Watch for abuse
- Keep dependencies updated - Regular security updates
- Use environment variables - Never hardcode secrets
- β Authentication required
- β Rate limiting (50 req, 5/sec)
- β Input validation (Zod)
- β Request size limit (5MB)
- β User isolation
- β Error sanitization
- β Authentication required
- β UUID validation
- β Input sanitization
- β Request size limit (10MB)
- β User ownership checks
- β Authentication required
- β File type validation
- β Magic byte verification
- β Filename sanitization
- β User isolation
- β Rate limiting (20 req, 2/sec)
- β Authentication required
- β UUID validation
- β Input sanitization
- β Parameter limits
- β User isolation
- β Authentication required
- β UUID validation
- β Input validation (Zod)
- β User ownership checks
- No data leakage - Error messages don't expose sensitive info
- User data isolation - Users can't access other users' data
- Secure storage - All sensitive data encrypted
- Environment variables - All secrets in environment
- Git ignore - Sensitive files never committed
- Security events logged - Failed auth, rate limits, etc.
- Error logging - Server-side only (not exposed to clients)
- Rate limit headers - X-RateLimit-* headers for monitoring
- GDPR ready - User data isolation and deletion support
- Security best practices - OWASP Top 10 covered
- Industry standards - Follows Next.js and NextAuth security guidelines
If you discover a security vulnerability, please:
- Do not open a public issue
- Email security concerns privately
- Include steps to reproduce
- Allow time for fix before disclosure
- Authentication on all protected routes
- Input validation with Zod
- Output sanitization
- Rate limiting
- Security headers
- SQL injection prevention (Drizzle ORM)
- XSS prevention
- CSRF protection
- File upload security
- Error message sanitization
- Request size limits
- Secure cookies
- User data isolation
- UUID validation
- URL validation
- Content Security Policy
- Web Application Firewall (WAF)
- Advanced threat detection
- Security audit logging
- Penetration testing
- Automated security scanning
Remember: Security is an ongoing process. Always keep dependencies updated and monitor for new threats.