This document outlines the security measures implemented in the BuildUnia application to protect against common web vulnerabilities and ensure data integrity.
- `X-Frame-Options: DENY` - Prevents clickjacking attacks
- `X-Content-Type-Options: nosniff` - Prevents MIME type sniffing
- `Referrer-Policy: origin-when-cross-origin` - Controls referrer information
- `X-XSS-Protection: 1; mode=block` - Enables XSS filtering
- `Strict-Transport-Security: max-age=31536000; includeSubDomains` - Enforces HTTPS
- `Content-Security-Policy` - Comprehensive policy to prevent XSS and injection attacks
- Authentication: 5 requests per 15 minutes
- API: 100 requests per minute
- Payment: 10 requests per minute
- Upload: 5 requests per minute
- Token-based protection for all POST/PUT/DELETE requests
- 24-hour token expiry
- Automatic token generation and validation
- HTML sanitization using DOMPurify
- Text sanitization to remove HTML tags and entities
- Email validation and sanitization
- Phone number validation (Indian format)
- Pincode validation (6-digit format)
- File upload validation (type, size, extension)
- Supabase authentication with session management
- Role-based access control (admin/user)
- Middleware protection for admin routes
- User ownership validation for orders
- Razorpay integration with signature verification
- Server-side payment validation
- Secure order creation and management
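The server-side signature check that the payment items above describe, written here as an added example rather than BuildUnia's own code. It assumes Razorpay's documented scheme (HMAC-SHA256 over `order_id|payment_id`, keyed with the merchant secret held in `RAZORPAY_KEY_SECRET`) and uses constructed sample identifiers, not real Razorpay values.

```typescript
import { createHmac, timingSafeEqual } from 'crypto';

// Fields Razorpay's checkout posts back to the merchant server after a
// payment (names follow Razorpay's documented handler payload).
export interface RazorpayPaymentResponse {
  razorpay_order_id: string;
  razorpay_payment_id: string;
  razorpay_signature: string;
}

// Razorpay signs `order_id|payment_id` with the key secret using
// HMAC-SHA256 and sends the lowercase hex digest as razorpay_signature.
export function expectedSignature(orderId: string, paymentId: string, keySecret: string): string {
  return createHmac('sha256', keySecret).update(`${orderId}|${paymentId}`).digest('hex');
}

// Recompute the HMAC with the secret the browser never sees and compare in
// constant time. Malformed input returns false instead of throwing so the
// API route can reject the request cleanly without leaking detail.
export function verifyRazorpaySignature(resp: RazorpayPaymentResponse, keySecret: string): boolean {
  const { razorpay_order_id, razorpay_payment_id, razorpay_signature } = resp;
  if (!razorpay_order_id || !razorpay_payment_id || !razorpay_signature) return false;
  // A hex SHA-256 digest is exactly 64 hex chars; reject anything else up front.
  if (!/^[0-9a-f]{64}$/i.test(razorpay_signature)) return false;
  const expected = Buffer.from(expectedSignature(razorpay_order_id, razorpay_payment_id, keySecret), 'hex');
  const received = Buffer.from(razorpay_signature.toLowerCase(), 'hex');
  // timingSafeEqual throws on length mismatch; the regex guarantees 32 bytes each.
  return timingSafeEqual(expected, received);
}

// Constructed sample values for a local run (not real Razorpay identifiers).
export const SAMPLE_SECRET = 'constructed-test-key-secret';
export const SAMPLE_ORDER_ID = 'order_constructed123';
export const SAMPLE_PAYMENT_ID = 'pay_constructed456';
```

Only ever perform this check on the server; the key secret must not be shipped to the client, and a mismatch should also be logged as a security event.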
```bash
# Required for CSRF protection
CSRF_SECRET=your-32-byte-secret-key
# Supabase configuration
NEXT_PUBLIC_SUPABASE_URL=your-supabase-url
NEXT_PUBLIC_SUPABASE_ANON_KEY=your-supabase-anon-key
SUPABASE_SERVICE_ROLE_KEY=your-service-role-key
# Payment configuration
RAZORPAY_KEY_ID=your-razorpay-key-id
RAZORPAY_KEY_SECRET=your-razorpay-secret
```

Located in `next.config.ts`:

```typescript
async headers() {
  return [
    {
      source: '/(.*)',
      headers: [
        { key: 'X-Frame-Options', value: 'DENY' },
        { key: 'X-Content-Type-Options', value: 'nosniff' },
        { key: 'Referrer-Policy', value: 'origin-when-cross-origin' },
        { key: 'X-XSS-Protection', value: '1; mode=block' },
        { key: 'Strict-Transport-Security', value: 'max-age=31536000; includeSubDomains' },
        { key: 'Content-Security-Policy', value: '...' }
      ]
    }
  ]
}
```

- Always sanitize user input before processing
- Validate file uploads for type, size, and content
- Use HTTPS in production
- Implement proper error handling without exposing sensitive information
- Keep dependencies updated regularly
- Use environment variables for sensitive configuration
- Enable HTTPS with valid SSL certificates
- Set up monitoring for security events
- Regular security audits of the application
- Backup strategy for data protection
- Access logging for security monitoring
```bash
# Run security audit
npm audit
# Run linting
npm run lint
# Build test
npm run build
```

- Test rate limiting on API endpoints
- Verify CSRF protection on forms
- Test file upload restrictions
- Verify authentication on protected routes
- Test payment signature verification
- Check security headers are present
- Immediate Actions
  - Isolate affected systems
  - Preserve evidence
  - Notify stakeholders
- Investigation
  - Analyze logs and monitoring data
  - Identify root cause
  - Assess impact
- Remediation
  - Apply security patches
  - Update affected systems
  - Implement additional security measures
- Post-Incident
  - Document lessons learned
  - Update security procedures
  - Conduct security review
For security issues or questions:
- Email: buildunia.codeunia@gmail.com
- Phone: +91 8699025107
- All security headers configured
- Rate limiting implemented
- CSRF protection enabled
- Input sanitization active
- Environment variables secured
- Dependencies updated
- Security audit passed
- HTTPS enabled
- Monitoring configured
- Backup strategy implemented
- Access logs enabled
- Security testing completed
Last Updated: July 27, 2025
Version: 1.0.0