If you discover a security vulnerability in Codify, please report it responsibly:
- Email: roshansuthar1105@gmail.com
- GitHub Issues: Open a security issue
Please include:
- A detailed description of the vulnerability
- Steps to reproduce
- Potential impact
- Suggested mitigation (if any)
| Version | Supported |
|---|---|
main |
✅ Yes |
| others | ❌ No |
- Uses JWT-based authentication
- Role-based access control:
Admin,Learner - OAuth integration via Google Sign-In
.envfiles must not be committed- Avoid hardcoding secrets (e.g.,
JWT_SECRET,EMAIL_PASS) - Use environment variables for:
- MongoDB URI
- Email credentials
- Google OAuth keys
- API tokens (YouTube, RapidAPI, GitHub)
- 🔐 Rotate secrets periodically
- 🧪 Validate user input to prevent injection attacks
- 🛡️ Use HTTPS in production
- 🚫 Restrict CORS in production (
CLIENT_CORS=*is unsafe) - 📧 Use secure email transport (e.g., OAuth2 or App Passwords)
- Keep all dependencies up-to-date
- Run
npm auditregularly - Use ESLint and Prettier for code hygiene
- Never expose
.envfiles publicly - Use secure deployment platforms with access control
- Monitor logs for suspicious activity
Maintaining security is a shared responsibility. Let’s keep Codify safe for all learners! 💙