If you discover a security vulnerability in SentinelView, please report it responsibly:
- Do not open a public GitHub issue for security-sensitive reports.
- Use GitHub Security Advisories ("Report a vulnerability") to disclose privately.
- Include reproduction steps, affected versions, and impact assessment.
You can expect an acknowledgment within a few days. Please allow reasonable time for a fix before any public disclosure.
This is a demonstration / portfolio project. It intentionally ships without authentication and uses an in-memory data store. It is not intended for production deployment as-is. Reports about the absence of authentication or persistence are out of scope (these are documented design choices — see the roadmap in the README).
In scope:
- Injection vulnerabilities (XSS, CSV/formula injection, command injection)
- Input-validation bypasses on REST endpoints or socket events
- Denial-of-service vectors (unbounded input, resource exhaustion)
- Dependency vulnerabilities with a practical exploit path
- Information disclosure (stack traces, secrets, internal details)
The following controls are implemented in the codebase:
- helmet sets secure HTTP response headers.
- `x-powered-by` disabled to avoid framework fingerprinting.
- CORS allowlist — only explicitly configured origins are permitted; the wildcard origin `*` is rejected at startup.
- Per-IP rate limiting on `/api` (configurable via `RATE_LIMIT_MAX`).
- JSON body size cap (`10kb`) on REST requests.
- Socket.io payload cap (`maxHttpBufferSize` 1 MB) to limit memory abuse.
- Query `limit` clamping (1–500) on log retrieval.
- Alert IDs validated against a UUID-safe character set and length cap.
- Alert status validated against a fixed enum.
- All validators are pure functions with dedicated unit tests.
- CSV formula-injection defense: exported cells beginning with `=`, `+`, `-`, `@`, tab, or carriage return are prefixed with a single quote so spreadsheet software treats them as text, never as executable formulas.
- RFC 4180 quoting for commas, quotes, and newlines.
- Centralized Express error handler returns generic messages and never leaks stack traces to clients.
- Startup environment validation (`config.ts`): an invalid `PORT`, `ALLOWED_ORIGINS`, or `RATE_LIMIT_MAX` causes the process to exit with a clear error rather than running in a misconfigured state.
- No secrets in source. Configuration is supplied via environment variables; `.env` is git-ignored and only `.env.example` is committed.
- Dependencies pinned to exact versions for reproducible installs.
- CodeQL static analysis (`security-and-quality` queries) on every PR and weekly.
- gitleaks scans full git history for committed secrets.
- `npm audit` runs in CI and fails on high-severity production advisories.
- Dependabot opens weekly update PRs for npm packages and GitHub Actions.
- esbuild dev-server advisory (GHSA-67mh-4wv8-2f99, moderate): present via the Vite 5 toolchain. It affects only the local development server (not production builds or the deployed artifact) and is remediated only by a Vite major-version upgrade, which is deferred to avoid breaking the build. Tracked for a future upgrade.
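As an added example (not SentinelView's own code), the CSV export hardening described in the controls above in TypeScript: formula-trigger neutralisation followed by RFC 4180 quoting, run over constructed log rows. Function names and the sample rows are assumptions for illustration.

```typescript
// Added example, not the project's code. Implements the two CSV export
// controls listed in this policy: (1) cells starting with a spreadsheet
// formula trigger get a leading apostrophe, (2) RFC 4180 field quoting.

// Characters that make Excel/LibreOffice evaluate a cell as a formula.
const FORMULA_TRIGGERS = new Set(["=", "+", "-", "@", "\t", "\r"]);

// Prefix with a single quote so the spreadsheet treats the cell as text.
function neutralizeFormula(cell: string): string {
  return FORMULA_TRIGGERS.has(cell.charAt(0)) ? `'${cell}` : cell;
}

// RFC 4180: wrap a field in double quotes if it contains a comma, a double
// quote, CR or LF; embedded double quotes are doubled.
function quoteCsvField(field: string): string {
  return /[",\r\n]/.test(field) ? `"${field.replace(/"/g, '""')}"` : field;
}

// Full per-cell pipeline: neutralise first, then quote, so the apostrophe
// itself ends up inside the quoted field and survives the round trip.
function csvCell(value: unknown): string {
  const text = value === null || value === undefined ? "" : String(value);
  return quoteCsvField(neutralizeFormula(text));
}

// Render rows to CSV with a header line and CRLF record separators.
function toCsv(rows: Record<string, unknown>[], columns: string[]): string {
  const header = columns.map(csvCell).join(",");
  const body = rows.map((row) => columns.map((c) => csvCell(row[c])).join(","));
  return [header, ...body].join("\r\n") + "\r\n";
}

// Constructed sample log rows (hypothetical data, not from the project).
const SAMPLE_COLUMNS = ["id", "severity", "message"];
const SAMPLE_ROWS: Record<string, unknown>[] = [
  { id: "a1", severity: "high", message: "=SUM(1,2)" },
  { id: "a2", severity: "low", message: 'Login from 10.0.0.1, user "bob"' },
];

console.log(toCsv(SAMPLE_ROWS, SAMPLE_COLUMNS));
```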
No secrets are committed to this repository. The threat-intelligence feeds used
(Feodo Tracker, URLhaus, CISA KEV) are public and require no API keys. If
you add an authenticated feed or service, store its credentials in environment
variables (never in source) and add them to .env.example as documented,
empty placeholders.