If you discover a security vulnerability in GhostClass, please report it responsibly:

Email: admin@ghostclass.devakesu.com

Please include:

• Description of the vulnerability
• Steps to reproduce
• Potential impact
• Any suggested fixes (optional)

We take security seriously and will respond to reports as quickly as possible.

GhostClass implements multiple layers of security:

• Supabase Auth - Industry-standard authentication with JWT tokens
• Row Level Security (RLS) - Database-level access control ensuring users only access their data
• Session Management - Secure session handling with automatic expiration

• HttpOnly Cookies - Multiple httpOnly cookies with distinct SameSite policies. The session token (ezygo_access_token) uses SameSite=Lax — intentional to allow the cookie on PWA standalone launches (top-level navigations); Strict would block it on bookmarks and installed-app launch, causing an infinite redirect loop. The CSRF token cookie uses SameSite=Strict since it only needs to be present on same-site requests where the header can be validated. All mutations require a valid CSRF token regardless.
• Secure Headers - HSTS, X-Frame-Options, X-Content-Type-Options, Referrer-Policy
• Input Validation - Zod schemas validate all user input
• Origin Validation - Strict origin checking in production
• AES-256-GCM Encryption - Secure token encryption at rest

• Rate Limiting - Upstash Redis-based rate limiting per IP/user
• Circuit Breaker Pattern - Graceful handling of upstream API failures
• Request Deduplication - Prevents duplicate concurrent requests
• Bot Protection - Cloudflare Turnstile on public endpoints
• CSRF Protection - Custom token-based CSRF protection

• Signed Docker Images - All images signed with Sigstore cosign (keyless OIDC)
• SLSA Level 3 Provenance - Build provenance attestations
• GitHub Attestations - Native GitHub artifact attestations
• SBOM (CycloneDX) - Software Bill of Materials for all releases
• Reproducible Builds - Deterministic builds with SOURCE_DATE_EPOCH
• Vulnerability Scanning - Trivy scanning on every build

• Script Injection Prevention - Environment variables used for all untrusted GitHub Actions inputs
• Least Privilege Permissions - Workflows use minimum required permissions with explicit grants
• GPG Signing - Commits and tags cryptographically signed (except Dependabot PRs)
• Secret Management - GitHub secrets isolated per workflow with no cross-contamination
• Dependabot Isolation - Special handling for Dependabot PRs without secret access

• Environment Variable Validation - Runtime validation of required secrets
• Two-Tier Secret Management - Separate build-time and runtime secrets
• Production Safety Checks - Strict validation in production mode

• EzyGo Server-Side Egress - All server-to-EzyGo API requests route through a two-tier egress proxy chain: a Cloudflare Worker (CF_PROXY_URL, Tier 1) falling back to an AWS Lambda (AWS_SECONDARY_URL, Tier 2), then direct. This masks the origin server IP and bypasses ISP-level blocks. Implemented via egressFetch() / egressAxios in src/lib/utils.server.ts.
• Supabase Browser Proxy (ISP Bypass) - Browser-to-Supabase requests auto-fail-over through the same pattern: CF Worker (NEXT_PUBLIC_SUPABASE_CF_PROXY_URL) → Lambda (NEXT_PUBLIC_SUPABASE_AWS_PROXY_URL) → direct. Implemented in src/lib/supabase/client.ts.
• Proxy Secret Validation - All proxy workers validate an x-proxy-secret header on every incoming request; requests without a valid secret are rejected with 403. Secrets are never embedded in the client bundle (CF_PROXY_SECRET and AWS_SECONDARY_SECRET are server-only runtime variables).

GhostClass uses npm overrides to enforce minimum secure versions of transitive dependencies. All overrides are documented below with their security rationale:

• Reason: Cross-site scripting vulnerability in versions <3.1.0
• CVEs: CVE-2020-7660
• Scope: Dev-only (used by Webpack/build toolchain)
• Status: ✅ Patched

• Reason: Path traversal vulnerabilities in versions ≤7.5.9
• CVEs: CVE-2021-32803, CVE-2021-32804, CVE-2021-37701, CVE-2021-37712, CVE-2021-37713 / GHSA-qffp-2rhf-9h96
• Scope: Dev-only (used by supabase CLI for unpacking)
• Status: ✅ Patched

• Reason: Code execution via load() function in versions <4.0.0
• CVEs: CVE-2021-23343
• Scope: Dev-only (used by ESLint → @eslint/eslintrc)
• Status: ✅ Patched

• Reason: Security and stability improvements in v4.x
• Scope: Dev-only (used by Vite/Vitest for bundling)
• Status: ✅ Up-to-date

• Reason: Performance improvements and security hardening in v13+
• Scope: Dev-only (used by build tools: Sentry, Serwist)
• Status: ✅ Up-to-date

• Reason: Dependency resolution conflicts and stability improvements
• Scope: Dev-only (used by Vite/Terser for sourcemap generation)
• Status: ✅ Up-to-date

• Reason: ReDoS vulnerability in versions <3.0.5
• CVEs: GHSA-3ppc-4f35-3m26
• Scope: Dev-only (used by @sentry/nextjs and other build tools)
• Status: ✅ Patched

• Overrides are reviewed during each major release
• Transitive dependencies are audited via npm audit
• OpenSSF Scorecard tracks vulnerability status
• Security patches applied within 7 days of disclosure

No active known issues. npm audit reports 0 vulnerabilities across all dependencies.

All previously tracked issues have been resolved:

See Dependency Security Overrides for the current override list.

GhostClass workflows are hardened against script injection attacks using environment variables for all untrusted inputs.

run: |
  VERSION_TAG="${{ github.event.inputs.version_tag }}"
  git checkout "refs/tags/${VERSION_TAG}"

Risk: Attacker-controlled inputs like branch names, tag names, or workflow inputs can contain shell metacharacters (;, |, $(), etc.) that execute arbitrary commands.

env:
  INPUT_VERSION_TAG: ${{ github.event.inputs.version_tag }}
run: |
  VERSION_TAG="$INPUT_VERSION_TAG"
  git checkout "refs/tags/${VERSION_TAG}"

Protection: Environment variables treat the entire input as literal data, preventing command injection.

• github.actor → ACTOR environment variable
• github.head_ref → HEAD_REF environment variable
• github.event.pull_request.head.repo.full_name → PR_HEAD_REPO environment variable
• Prevents malicious branch names from executing code during Dependabot detection

• github.event.client_payload.version_tag → INPUT_VERSION_TAG_DISPATCH environment variable
• github.event.inputs.version_tag → INPUT_VERSION_TAG_MANUAL environment variable
• github.ref_name → REF_NAME environment variable
• github.ref_type → REF_TYPE environment variable
• Prevents malicious tag names in repository_dispatch and manual workflow triggers

• github.repository → REPO environment variable
• github.run_id → RUN_ID environment variable
• Prevents repository name manipulation in GitHub API calls

• GitHub Security Lab: Preventing pwn requests
• GitHub Actions Security Hardening
• OpenSSF Scorecard: Token Permissions Check

All Docker images are signed using Sigstore cosign with keyless (OIDC) signing.

Install cosign:

# macOS
brew install cosign

# Linux
COSIGN_VERSION="3.0.4"
COSIGN_CHECKSUM="10dab2fd2170b5aa0d5c0673a9a2793304960220b314f6a873bf39c2f08287aa"
wget "https://github.com/sigstore/cosign/releases/download/v${COSIGN_VERSION}/cosign-linux-amd64"
echo "${COSIGN_CHECKSUM}  cosign-linux-amd64" | sha256sum --check
chmod +x cosign-linux-amd64
sudo mv cosign-linux-amd64 /usr/local/bin/cosign

# Windows
scoop install cosign

Verify an image using regex pattern (recommended):

cosign verify \
  --certificate-identity-regexp="^https://github.com/devakesu/GhostClass/.github/workflows/" \
  --certificate-oidc-issuer="https://token.actions.githubusercontent.com" \
  ghcr.io/devakesu/ghostclass:latest

For maximum security, verify against specific workflow:

# Latest release (release.yml)
cosign verify \
  --certificate-identity="https://github.com/devakesu/GhostClass/.github/workflows/release.yml@refs/tags/vX.Y.Z" \
  --certificate-oidc-issuer="https://token.actions.githubusercontent.com" \
  ghcr.io/devakesu/ghostclass:latest

# Specific version tag (release.yml)
cosign verify \
  --certificate-identity="https://github.com/devakesu/GhostClass/.github/workflows/release.yml@refs/tags/vX.Y.Z" \
  --certificate-oidc-issuer="https://token.actions.githubusercontent.com" \
  ghcr.io/devakesu/ghostclass:vX.Y.Z

Add signature verification to your deployment script:

#!/bin/bash
set -euo pipefail

IMAGE="ghcr.io/devakesu/ghostclass:latest"

echo "Verifying image signature..."
cosign verify \
  --certificate-identity-regexp="^https://github.com/devakesu/GhostClass/.github/workflows/" \
  --certificate-oidc-issuer="https://token.actions.githubusercontent.com" \
  "${IMAGE}"

echo "✓ Signature verified - deploying..."
docker pull "${IMAGE}"

View build attestations:

# View provenance
gh attestation verify oci://ghcr.io/devakesu/ghostclass:latest \
  --owner devakesu

# View SBOM
gh attestation verify oci://ghcr.io/devakesu/ghostclass:latest \
  --owner devakesu \
  --signer-repo devakesu/GhostClass

Or browse attestations on GitHub:

https://github.com/devakesu/GhostClass/attestations

View build provenance and security information directly in your browser:

Live Deployment: Visit /build-info on any running instance to see:

• Build ID with links to GitHub Actions workflow runs
• Commit SHA and deployment timestamp
• Security audit status (Trivy scan results)
• SLSA attestation status and links
• Direct links to source code, build logs, and attestations

Footer Link: Click the "verified" badge in the footer to access build transparency information.

The web interface provides a user-friendly way to verify build provenance without requiring command-line tools, making security information accessible to all users.

Before deploying to production:

• All required environment variables are set
• Database RLS policies are enabled
• Docker image signature verified
• HTTPS is enforced
• Secure headers configured

• Origin validation enabled
• Rate limiting configured (Upstash Redis)
• Circuit breaker thresholds set appropriately
• Cloudflare Turnstile enabled
• CSRF protection enabled

• Sentry error tracking configured
• Security event logging enabled
• Health check endpoint accessible
• Vulnerability scanning in CI/CD

• Container behind reverse proxy/firewall
• No direct external access to container
• Internal network isolation
• TLS certificates valid

• Never commit secrets or API keys
• Use environment variables for sensitive data
• Follow secure coding practices
• Report security issues privately
• Keep dependencies updated

• Use verified Docker images only
• Keep container runtime updated
• Monitor security advisories
• Implement proper network segmentation
• Enable all security features before production

GhostClass participates in:

• OpenSSF Scorecard - Automated security best practices checking
• Dependabot - Automated dependency vulnerability scanning
• Trivy - Container image vulnerability scanning
• Sentry - Real-time error tracking and monitoring

View our security score:

• SLSA Framework: https://slsa.dev
• Sigstore Project: https://sigstore.dev
• OpenSSF Scorecard: https://scorecard.dev
• GitHub Security: https://docs.github.com/en/code-security

For development setup and contribution guidelines, see CONTRIBUTING.md.