This project is for educational and demonstration purposes only.

This codebase intentionally omits critical production security features to maintain simplicity for learning purposes:

⚠️ DO NOT deploy this application to production without implementing these features.

While authentication is intentionally omitted, we maintain security best practices in other areas:

• ✅ HTTPS Enforcement: Required in non-development environments
• ✅ Secrets Management: User Secrets (dev) and environment variables (prod) - no hardcoded credentials
• ✅ SQL Injection Prevention: Entity Framework Core with parameterized queries (no raw SQL)
• ✅ Dependency Scanning: Automated security scans via CodeQL and Trivy
• ✅ Container Security: Non-root user, Alpine Linux, aggressive security updates
• ✅ Code Analysis: Latest .NET analyzers with security rules enabled

We actively scan for vulnerabilities despite the educational scope:

View security scan results: GitHub Security Tab

This is an educational reference project with no official support or versioning.

We use GitHub issues to track vulnerabilities in this educational project.

To report a security issue:

1. Public Issues: For educational/demonstration vulnerabilities, open a public issue
2. Private Disclosure: For serious vulnerabilities in dependencies, use GitHub Security Advisories

Response Time: Best effort (this is not a production application)

If you intend to adapt this code for production use, you MUST implement:

• JWT or OAuth authentication with identity provider (Auth0, Azure AD, etc.)
• Role-based authorization with [Authorize] attributes
• API rate limiting (e.g., AspNetCoreRateLimit package)
• CORS policy configuration for known client origins
• Input validation middleware (e.g., FluentValidation with sanitization)
• API key management for external integrations
• Web Application Firewall (WAF) or equivalent
• Security headers (CSP, X-Frame-Options, HSTS, etc.)
• Data encryption at rest and in transit
• Audit logging for sensitive operations
• Penetration testing and security review

• Move from InMemory database to production-grade persistence (SQL Server, PostgreSQL)
• Database connection string encryption
• Secrets management (Azure Key Vault, AWS Secrets Manager, etc.)
• Network isolation and firewall rules
• DDoS protection
• Monitoring and alerting for security events
• Incident response plan

• GDPR compliance (if handling EU user data)
• CCPA compliance (if handling California resident data)
• Data retention and deletion policies
• Terms of Service and Privacy Policy
• Security audit and compliance certifications

This project demonstrates:

• ✅ ASP.NET Core MVC and Web API patterns
• ✅ Repository pattern and dependency injection
• ✅ Entity Framework Core usage
• ✅ Docker containerization
• ✅ CI/CD with GitHub Actions
• ✅ Test-driven development practices

It deliberately does NOT demonstrate:

• ❌ Production authentication/authorization
• ❌ Multi-tenant architecture
• ❌ Horizontal scaling patterns
• ❌ High-availability deployment

Use this project as a learning reference, not a production template.

Last Updated: 2026-02-05
Constitution Version: v1.0.0
Security Contact: Repository maintainers via GitHub Issues