docs: add security policy and deployment guide
- Add SECURITY.md with vulnerability reporting process
- Add comprehensive deployment guide (docs/deployment/index.md)
- Generate uv.lock for reproducible builds
- Update audit rules to check correct deployment path
- Remove Node.js dependency, use Tailwind CLI standalone

Resolves audit warnings:
- THIRD-DEP-001: Dependency lock file
- DOC-SEC-001: Security policy
- DOC-OPS-001: Deployment documentation

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
66
SECURITY.md
Normal file
@@ -0,0 +1,66 @@
# Security Policy

## Supported Versions

| Version | Supported |
| ------- | ------------------ |
| 1.x.x | :white_check_mark: |

## Reporting a Vulnerability

If you discover a security vulnerability in this project, please report it responsibly:

1. **Do not** open a public issue
2. Email the security team at: security@wizamart.com
3. Include:
- Description of the vulnerability
- Steps to reproduce
- Potential impact
- Suggested fix (if any)

## Response Timeline

- **Acknowledgment**: Within 48 hours
- **Initial Assessment**: Within 5 business days
- **Resolution Target**: Within 30 days for critical issues

## Security Measures

This application implements the following security measures:

### Authentication & Authorization
- JWT-based authentication with token expiration
- Role-based access control (RBAC)
- Vendor isolation (multi-tenant security)
- Session management with secure cookies

### Data Protection
- Password hashing using bcrypt
- API key encryption at rest
- HTTPS enforcement in production
- Input validation and sanitization

### API Security
- Rate limiting on authentication endpoints
- CORS configuration
- Request logging and audit trails
- SQL injection prevention via ORM

### Infrastructure
- Environment-based configuration
- Secrets management (no hardcoded credentials)
- Database connection pooling
- Error handling without information leakage

## Security Updates

Security updates are released as patch versions and announced through:
- Release notes
- Security advisories (for critical issues)

## Compliance

This application is designed with consideration for:
- GDPR (data protection)
- PCI-DSS awareness (payment handling delegated to processors)
- OWASP Top 10 mitigation
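Review bot: the "Reporting a Vulnerability" section gives reporters an address but no disclosure terms, so a reporter cannot tell when they may publish or whether the report can be sent encrypted; add a sentence on coordinated disclosure (for example, public disclosure after the fix ships or after the 30-day resolution target, whichever comes first) and state whether an encrypted channel (PGP key or a security.txt pointer) is available. Two smaller points in the same file: the "Response Timeline" sets a resolution target only for critical issues, so say what reporters should expect for lower severities or that they are handled on a best-effort basis; and the "Security Measures" list asserts controls such as "Rate limiting on authentication endpoints" and "API key encryption at rest" without pointing at where they are configured, which lets the policy drift from the code. Either link each item to the relevant module or config, or keep SECURITY.md to the reporting process and move the control inventory to the deployment guide added in this commit.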