Security: zedarvates/StoryCore-Engine

SECURITY.md

Security Audit Findings

Critical Vulnerabilities Identified

  1. JWT Secret Management (backend/config.py)

    • JWT_SECRET is marked as optional in production
    • Default insecure key used in development
    • Requires immediate implementation of proper secret management
  2. Outdated Dependencies (package.json)

    • commander@12.0.0 (CVE-2023-... detected)
    • uuid@9.0.0 (CVE-2022-... detected)
    • Requires immediate update to latest versions
  3. Database Configuration (backend/config.py)

    • Database credentials stored in plaintext
    • Requires implementation of secure credential management
  4. API Security Headers (vite.config.ts)

    • Missing Content-Security-Policy headers
    • Missing X-Content-Type-Options headers
  5. Authentication Flaws (backend/auth.py)

    • Missing rate limiting on authentication endpoints
    • Requires implementation of proper rate limiting
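The first and third findings share one root cause: configuration that falls back to a built-in value when the environment is incomplete. The following Python is an added example, not code from backend/config.py or from the StoryCore-Engine project. It shows the weak fallback pattern the audit describes beside a loader that fails closed in production and only ever generates a random, per-process secret in development. The variable names APP_ENV and DATABASE_URL, the placeholder value CHANGE_ME_DEV_SECRET and the sqlite development default are assumptions for this illustration.

```python
import os
import secrets
from dataclasses import dataclass
from typing import List, Mapping, Optional

MIN_SECRET_BYTES = 32  # 256 bits, the size secrets.token_urlsafe(32) produces
REQUIRED_IN_PRODUCTION = ("JWT_SECRET", "DATABASE_URL")  # assumed variable names


def load_jwt_secret_insecure(env: Mapping[str, str]) -> str:
    """Hypothetical illustration of the finding: the secret is optional and
    silently falls back to a fixed value that ships with the code.
    CHANGE_ME_DEV_SECRET is a constructed placeholder, not the project's value."""
    return env.get("JWT_SECRET", "CHANGE_ME_DEV_SECRET")


class ConfigError(RuntimeError):
    """Raised at startup when required security settings are missing or weak."""


@dataclass(frozen=True)
class Settings:
    environment: str
    jwt_secret: str
    database_url: str
    jwt_secret_is_ephemeral: bool  # True only for a generated development secret


def missing_production_settings(env: Mapping[str, str]) -> List[str]:
    """Return the names of required variables that are absent or too short.
    Usable as a pre-flight check in a deployment pipeline."""
    problems: List[str] = []
    for name in REQUIRED_IN_PRODUCTION:
        value = env.get(name, "")
        if not value:
            problems.append(name)
        elif name == "JWT_SECRET" and len(value.encode("utf-8")) < MIN_SECRET_BYTES:
            problems.append(name)  # present but shorter than 256 bits
    return problems


def load_settings(env: Optional[Mapping[str, str]] = None) -> Settings:
    """Fail closed in production; never fall back to a hard-coded secret."""
    env = os.environ if env is None else env
    environment = env.get("APP_ENV", "development").lower()  # APP_ENV is assumed

    if environment == "production":
        problems = missing_production_settings(env)
        if problems:
            # Refuse to start rather than issue tokens signed with a known key.
            raise ConfigError("missing or weak settings: " + ", ".join(problems))
        return Settings(environment, env["JWT_SECRET"], env["DATABASE_URL"], False)

    # Development: still prefer the environment; if nothing is set, generate a
    # random per-process secret so tokens can never be forged with a shared key.
    ephemeral = not env.get("JWT_SECRET")
    jwt_secret = env.get("JWT_SECRET") or secrets.token_urlsafe(MIN_SECRET_BYTES)
    database_url = env.get("DATABASE_URL") or "sqlite:///dev.db"  # local-only default
    return Settings(environment, jwt_secret, database_url, ephemeral)


if __name__ == "__main__":
    # Constructed sample environment: a development run with nothing configured.
    print(load_settings({"APP_ENV": "development"}))
```

Because the generated development secret is per-process, tokens do not survive a restart in development, which is the intended trade-off: nothing in the repository can sign a token that a deployed instance would accept.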

Recommended Actions

  1. Implement JWT Secret Management

    • Generate secure secrets using python -c "import secrets; print(secrets.token_urlsafe(32))"
    • Store in environment variables only
  2. Update Dependencies

    • Run npm update commander uuid to patch vulnerabilities
  3. Secure Database Credentials

    • Implement environment-based credential loading
    • Use secrets manager for production deployments
  4. Add Security Headers

    • Implement CSP and X-Content-Type-Options in vite.config.ts
  5. Implement Rate Limiting

    • Add rate limiting middleware to auth endpoints