Spaces:

Kyou0203
/

test-napi

Paused

App Files Files Community

test-napi / .github /SECURITY.md

Kyou0203

init for HF Space

daa8246 about 2 months ago

preview code

raw

history blame contribute delete

4.04 kB

	# Security Policy

	## Supported Versions

	We provide security updates for the following versions:

	\| Version \| Supported \|
	\| ------- \| ------------------ \|
	\| Latest \| :white_check_mark: \|
	\| Older \| :x: \|

	We strongly recommend that users always use the latest version for the best security and features.

	## Reporting a Vulnerability

	We take security vulnerability reports very seriously. If you discover a security issue, please follow the steps below for responsible disclosure.

	### How to Report

	Do NOT report security vulnerabilities in public GitHub Issues.

	To report a security issue, please use the GitHub Security Advisories tab to "[Open a draft security advisory](https://github.com/QuantumNous/new-api/security/advisories/new)". This is the preferred method as it provides a built-in private communication channel.

	Alternatively, you can report via email:

	- Email: support@quantumnous.com
	- Subject: `[SECURITY] Security Vulnerability Report`

	### What to Include

	To help us understand and resolve the issue more quickly, please include the following information in your report:

	1. Vulnerability Type - Brief description of the vulnerability (e.g., SQL injection, XSS, authentication bypass, etc.)
	2. Affected Component - Affected file paths, endpoints, or functional modules
	3. Reproduction Steps - Detailed steps to reproduce
	4. Impact Assessment - Potential security impact and severity assessment
	5. Proof of Concept - If possible, provide proof of concept code or screenshots (do not test in production environments)
	6. Suggested Fix - If you have a fix suggestion, please provide it
	7. Your Contact Information - So we can communicate with you

	## Response Process

	1. Acknowledgment: We will acknowledge receipt of your report within 48 hours.
	2. Initial Assessment: We will complete an initial assessment and communicate with you within 7 days.
	3. Fix Development: Based on the severity of the vulnerability, we will prioritize developing a fix.
	4. Security Advisory: After the fix is released, we will publish a security advisory (if applicable).
	5. Credit: If you wish, we will credit your contribution in the security advisory.

	## Security Best Practices

	When deploying and using New API, we recommend following these security best practices:

	### Deployment Security

	- Use HTTPS: Always serve over HTTPS to ensure transport layer security
	- Firewall Configuration: Only open necessary ports and restrict access to management interfaces
	- Regular Updates: Update to the latest version promptly to receive security patches
	- Environment Isolation: Use separate database and Redis instances in production

	### API Key Security

	- Key Protection: Do not expose API keys in client-side code or public repositories
	- Least Privilege: Create different API keys for different purposes, following the principle of least privilege
	- Regular Rotation: Rotate API keys regularly
	- Monitor Usage: Monitor API key usage and detect anomalies promptly

	### Database Security

	- Strong Passwords: Use strong passwords to protect database access
	- Network Isolation: Database should not be directly exposed to the public internet
	- Regular Backups: Regularly backup the database and verify backup integrity
	- Access Control: Limit database user permissions, following the principle of least privilege

	## Security-Related Configuration

	Please ensure the following security-related environment variables and settings are properly configured:

	- `SESSION_SECRET` - Use a strong random string
	- `SQL_DSN` - Ensure database connection uses secure configuration
	- `REDIS_CONN_STRING` - If using Redis, ensure secure connection

	For detailed configuration instructions, please refer to the project documentation.

	## Disclaimer

	This project is provided "as is" without any express or implied warranty. Users should assess the security risks of using this software in their environment.

	# Security Policy

	## Supported Versions

	We provide security updates for the following versions:

	\| Version \| Supported \|
	\| ------- \| ------------------ \|
	\| Latest \| :white_check_mark: \|
	\| Older \| :x: \|

	We strongly recommend that users always use the latest version for the best security and features.

	## Reporting a Vulnerability

	We take security vulnerability reports very seriously. If you discover a security issue, please follow the steps below for responsible disclosure.

	### How to Report

	Do NOT report security vulnerabilities in public GitHub Issues.

	To report a security issue, please use the GitHub Security Advisories tab to "[Open a draft security advisory](https://github.com/QuantumNous/new-api/security/advisories/new)". This is the preferred method as it provides a built-in private communication channel.

	Alternatively, you can report via email:

	- Email: support@quantumnous.com
	- Subject: `[SECURITY] Security Vulnerability Report`

	### What to Include

	To help us understand and resolve the issue more quickly, please include the following information in your report:

	1. Vulnerability Type - Brief description of the vulnerability (e.g., SQL injection, XSS, authentication bypass, etc.)
	2. Affected Component - Affected file paths, endpoints, or functional modules
	3. Reproduction Steps - Detailed steps to reproduce
	4. Impact Assessment - Potential security impact and severity assessment
	5. Proof of Concept - If possible, provide proof of concept code or screenshots (do not test in production environments)
	6. Suggested Fix - If you have a fix suggestion, please provide it
	7. Your Contact Information - So we can communicate with you

	## Response Process

	1. Acknowledgment: We will acknowledge receipt of your report within 48 hours.
	2. Initial Assessment: We will complete an initial assessment and communicate with you within 7 days.
	3. Fix Development: Based on the severity of the vulnerability, we will prioritize developing a fix.
	4. Security Advisory: After the fix is released, we will publish a security advisory (if applicable).
	5. Credit: If you wish, we will credit your contribution in the security advisory.

	## Security Best Practices

	When deploying and using New API, we recommend following these security best practices:

	### Deployment Security

	- Use HTTPS: Always serve over HTTPS to ensure transport layer security
	- Firewall Configuration: Only open necessary ports and restrict access to management interfaces
	- Regular Updates: Update to the latest version promptly to receive security patches
	- Environment Isolation: Use separate database and Redis instances in production

	### API Key Security

	- Key Protection: Do not expose API keys in client-side code or public repositories
	- Least Privilege: Create different API keys for different purposes, following the principle of least privilege
	- Regular Rotation: Rotate API keys regularly
	- Monitor Usage: Monitor API key usage and detect anomalies promptly

	### Database Security

	- Strong Passwords: Use strong passwords to protect database access
	- Network Isolation: Database should not be directly exposed to the public internet
	- Regular Backups: Regularly backup the database and verify backup integrity
	- Access Control: Limit database user permissions, following the principle of least privilege

	## Security-Related Configuration

	Please ensure the following security-related environment variables and settings are properly configured:

	- `SESSION_SECRET` - Use a strong random string
	- `SQL_DSN` - Ensure database connection uses secure configuration
	- `REDIS_CONN_STRING` - If using Redis, ensure secure connection

	For detailed configuration instructions, please refer to the project documentation.

	## Disclaimer

	This project is provided "as is" without any express or implied warranty. Users should assess the security risks of using this software in their environment.