This document describes how to report vulnerabilities and the security expectations for the Eco‑Track repository.
- Do not open a public Issue for security problems.
- Use GitHub Security Advisories (Security tab → “Report a vulnerability”) for private disclosure.
- If Security Advisories are unavailable, contact the maintainers privately (do not post PoC publicly). Include:
  - Affected version/commit, environment, and steps to reproduce
  - Minimal PoC (requests, payloads, logs) with secrets redacted
  - Impact assessment and suggested remediation if possible
- We will acknowledge within 48 hours, triage within 5 business days, and target a fix or mitigation within 30 days (complex cases may take longer; we will keep you updated).
- Server/API (Node.js/Express), routes and middleware
  - API prefix: see config/system.js
  - API key middleware: `validateApiKey`
- Authentication and account flows (login/register/password reset/OTP, API key management)
  - Client controller: controllers/client/user.controller.js
  - OTP model (5‑minute TTL): `OTP`
  - API Docs UI: views/client/pages/docs/index.pug
- Data models (MongoDB/Mongoose)
  - Aggregated models: models/index.js
  - City/district reading schemas (e.g., models/hcmc.model.js)
- Admin area (auth, settings, users)
  - Admin auth/settings: controllers/admin/auth.controller.js, controllers/admin/settings.controller.js
Third‑party services, upstream libraries, and user deployments are out of scope but may be impacted.
- main (active development): receives security updates
- Latest tagged release (e.g., v1.1.x per CHANGELOG.md): receives critical fixes
- Older releases: best‑effort only
- Environment
  - Use HTTPS/TLS; set `NODE_ENV=production`
  - Keep secrets in `.env` (never commit); rotate regularly
  - Run MongoDB with authentication and least‑privilege credentials
- HTTP hardening
  - Add HTTP security headers (e.g., helmet)
  - Configure CORS to allowed origins only
  - Enable rate limiting for auth, OTP, and data endpoints
- Sessions & cookies
  - Use `httpOnly`, `secure` (on TLS), and `sameSite=strict/lax` cookies
  - Regenerate session on login/logout; short session lifetimes for admin
- Forms & APIs
  - Enable CSRF protection for state‑changing forms in web UI
  - Validate and sanitize all inputs (query, body, headers, params)
- Data & logs
  - Avoid logging secrets/API keys/OTP; scrub logs
  - Ensure TTL indexes exist for time‑bound data (e.g., OTP)
- Processes
  - Use PM2/systemd with restricted permissions; avoid running as root
  - Back up MongoDB securely and test restores
- Do not commit secrets, keys, tokens, or production URLs
- Input validation and output encoding are mandatory for new endpoints
- Reuse existing auth flows and middleware where possible:
  - API key verification: `validateApiKey`
- Follow project structure and patterns from README.md
- Password hashing
  - MD5 is used in some admin/client flows (imports of `md5` in: )
  - Migrate to bcrypt/argon2 with per‑user salt and proper parameters; provide a migration path
- Add helmet and express‑rate‑limit defaults
- Add CSRF protection for web forms in client/admin layouts
- API key improvements
  - Add key rotation UI, usage quotas, and optional key scopes
- OTP security
  - Add rate limits and anti‑bruteforce around OTP verify/resend
  - Ensure TTL index on `OTP` is created in production
- Personal data stored: name, email, optional avatar, provider info, API key
- See `User` schema
- OTP codes expire in 5 minutes: `OTP`
- Users can view/regenerate their API key in settings UI:
- Node.js: run `npm audit` regularly; update vulnerable packages
- Python (prediction): pin and audit packages defined in requirements.txt
- Consider additional tooling (SAST/DAST) and CI checks for dependency risk
We follow a responsible disclosure model. Please allow us time to investigate and remediate before public disclosure. After a fix is released, we will credit reporters (if desired) in CHANGELOG.md.
Eco‑Track is GPL‑3.0. See LICENSE. Security reports and patches are contributed under the project license.