mirror of
https://github.com/pacnpal/thrillwiki_django_no_react.git
synced 2025-12-24 09:51:09 -05:00
# Security Policy

## Supported Versions

| Version  | Supported          |
| -------- | ------------------ |
| latest   | :white_check_mark: |
| < latest | :x:                |

Only the latest version of ThrillWiki receives security updates.

## Reporting a Vulnerability

We take security vulnerabilities seriously. If you discover a security issue, please report it responsibly.

### How to Report

1. **Do not** create a public GitHub issue for security vulnerabilities
2. Email your report to the project maintainers
3. Include as much detail as possible:
   - Description of the vulnerability
   - Steps to reproduce
   - Potential impact
   - Affected versions
   - Any proof of concept (if available)

### What to Expect

- **Acknowledgment**: We will acknowledge receipt within 48 hours
- **Assessment**: We will assess the vulnerability and its impact
- **Updates**: We will keep you informed of our progress
- **Resolution**: We aim to resolve critical vulnerabilities within 7 days
- **Credit**: With your permission, we will credit you in our security advisories

### Scope

The following are in scope for security reports:

- ThrillWiki web application vulnerabilities
- Authentication and authorization issues
- Data exposure vulnerabilities
- Injection vulnerabilities (SQL, XSS, etc.)
- CSRF vulnerabilities
- Server-side request forgery (SSRF)
- Insecure direct object references

### Out of Scope

The following are out of scope:

- Denial of service attacks
- Social engineering attacks
- Physical security issues
- Issues in third-party applications or services
- Issues requiring physical access to a user's device
- Vulnerabilities in outdated versions

## Security Measures

ThrillWiki implements the following security measures:

- HTTPS enforcement with HSTS
- Content Security Policy
- XSS protection with input sanitization
- CSRF protection
- SQL injection prevention via ORM
- Rate limiting on authentication endpoints
- Secure session management
- JWT token rotation and blacklisting

For more details, see [docs/SECURITY.md](../docs/SECURITY.md).
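Several of the measures listed above (HTTPS/HSTS enforcement, CSRF protection, secure session cookies, JWT rotation and blacklisting) are switched on through Django settings, and a deployment that forgets one of them silently loses that control. The following audit script is an added example and is not ThrillWiki's own code: it checks a settings mapping against those controls and shows a weak development-style configuration next to a hardened one. It uses Django's standard `SECURE_*`, `SESSION_*` and `CSRF_*` setting names and the built-in middleware class paths; the `SIMPLE_JWT` keys assume the project uses djangorestframework-simplejwt, which the page does not confirm, and the hostname in `HARDENED` is a placeholder. It is pure Python and runs without Django installed.

```python
from __future__ import annotations

from typing import Any, Callable, Mapping

# One rule per control: Django setting name, a predicate that holds when the
# value is safe, and the message to report when the setting is missing or weak.
RULES: list[tuple[str, Callable[[Any], bool], str]] = [
    ("DEBUG", lambda v: v is False, "DEBUG must be False in production"),
    ("SECURE_SSL_REDIRECT", lambda v: v is True, "plain HTTP must redirect to HTTPS"),
    ("SECURE_HSTS_SECONDS", lambda v: isinstance(v, int) and v >= 31_536_000,
     "HSTS max-age should be at least one year (31536000 seconds)"),
    ("SECURE_HSTS_INCLUDE_SUBDOMAINS", lambda v: v is True, "HSTS should cover subdomains"),
    ("SESSION_COOKIE_SECURE", lambda v: v is True, "session cookie must carry the Secure flag"),
    ("SESSION_COOKIE_HTTPONLY", lambda v: v is True, "session cookie must carry the HttpOnly flag"),
    ("CSRF_COOKIE_SECURE", lambda v: v is True, "CSRF cookie must carry the Secure flag"),
    ("SECURE_CONTENT_TYPE_NOSNIFF", lambda v: v is True, "X-Content-Type-Options: nosniff should be enabled"),
]

# Middleware that actually emits the HSTS header, enforces CSRF tokens and
# sets X-Frame-Options; the settings above do nothing without it.
REQUIRED_MIDDLEWARE = (
    "django.middleware.security.SecurityMiddleware",
    "django.middleware.csrf.CsrfViewMiddleware",
    "django.middleware.clickjacking.XFrameOptionsMiddleware",
)


def audit(settings: Mapping[str, Any]) -> list[str]:
    """Return a list of findings; an empty list means every check passed."""
    findings: list[str] = []
    for name, is_safe, message in RULES:
        if name not in settings:
            findings.append(f"{name} is not set: {message}")
        elif not is_safe(settings[name]):
            findings.append(f"{name}={settings[name]!r}: {message}")

    middleware = settings.get("MIDDLEWARE", [])
    for cls in REQUIRED_MIDDLEWARE:
        if cls not in middleware:
            findings.append(f"MIDDLEWARE is missing {cls}")

    # Host header validation: a wildcard lets a client-supplied Host header
    # end up in absolute URLs Django builds (password-reset links, redirects).
    hosts = settings.get("ALLOWED_HOSTS", [])
    if not hosts or "*" in hosts:
        findings.append("ALLOWED_HOSTS must list the real hostnames, not '*'")

    # JWT refresh-token rotation and blacklisting, using the SIMPLE_JWT keys of
    # djangorestframework-simplejwt (assumption about the JWT library in use).
    jwt = settings.get("SIMPLE_JWT", {})
    if jwt.get("ROTATE_REFRESH_TOKENS") is not True:
        findings.append("SIMPLE_JWT.ROTATE_REFRESH_TOKENS should be True")
    if jwt.get("BLACKLIST_AFTER_ROTATION") is not True:
        findings.append("SIMPLE_JWT.BLACKLIST_AFTER_ROTATION should be True")
    return findings


# Constructed sample: a typical development configuration shipped to production.
WEAK: dict[str, Any] = {
    "DEBUG": True,
    "ALLOWED_HOSTS": ["*"],
    "SECURE_SSL_REDIRECT": False,
    "SECURE_HSTS_SECONDS": 0,
    "SESSION_COOKIE_SECURE": False,
    "CSRF_COOKIE_SECURE": False,
    "MIDDLEWARE": ["django.middleware.common.CommonMiddleware"],
}

# Constructed sample: the same settings with every listed control enabled.
# The hostname is a placeholder, not the project's real domain.
HARDENED: dict[str, Any] = {
    "DEBUG": False,
    "ALLOWED_HOSTS": ["thrillwiki.example"],
    "SECURE_SSL_REDIRECT": True,
    "SECURE_HSTS_SECONDS": 31_536_000,
    "SECURE_HSTS_INCLUDE_SUBDOMAINS": True,
    "SESSION_COOKIE_SECURE": True,
    "SESSION_COOKIE_HTTPONLY": True,
    "CSRF_COOKIE_SECURE": True,
    "SECURE_CONTENT_TYPE_NOSNIFF": True,
    "MIDDLEWARE": [
        "django.middleware.security.SecurityMiddleware",
        "django.contrib.sessions.middleware.SessionMiddleware",
        "django.middleware.csrf.CsrfViewMiddleware",
        "django.middleware.clickjacking.XFrameOptionsMiddleware",
    ],
    "SIMPLE_JWT": {"ROTATE_REFRESH_TOKENS": True, "BLACKLIST_AFTER_ROTATION": True},
}

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK), ("hardened", HARDENED)):
        print(f"{label}: {len(audit(cfg))} finding(s)")
        for finding in audit(cfg):
            print("  -", finding)
```

In a real deployment you would call `audit(vars(django.conf.settings._wrapped))` or pass the settings module's `__dict__` from a CI job. Django's own `python manage.py check --deploy` already covers the `SECURE_*` and cookie flags; the value of a script like this is adding the middleware, `ALLOWED_HOSTS` and JWT checks in the same place so that the whole list above is verified at once rather than by reading `settings.py`.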

## Security Updates

Security updates are released as soon as possible after a vulnerability is confirmed. We recommend:

1. Keep your installation up to date
2. Subscribe to release notifications
3. Review security advisories

## Contact

For security-related inquiries, please contact the project maintainers.