We release patches for security vulnerabilities. Which versions are eligible for receiving such patches depends on the CVSS v3.0 Rating:
| Version | Supported |
|---|---|
| 0.1.x | ✅ |
| < 0.1 | ❌ |
We take the security of ScriptHammer seriously. If you believe you have found a security vulnerability in ScriptHammer, please report it to us as described below.
- Open a public GitHub issue for security vulnerabilities
- Post about the vulnerability on social media or forums before it's fixed
- Email us at security@scripthammer.com
- Include the following information in your report:
- Type of issue (e.g., buffer overflow, SQL injection, cross-site scripting, etc.)
- Full paths of source file(s) related to the manifestation of the issue
- The location of the affected source code (tag/branch/commit or direct URL)
- Any special configuration required to reproduce the issue
- Step-by-step instructions to reproduce the issue
- Proof-of-concept or exploit code (if possible)
- Impact of the issue, including how an attacker might exploit the issue
- Acknowledgment: We will acknowledge receipt of your vulnerability report within 48 hours
- Initial Assessment: Within 7 days, we will provide an initial assessment of the vulnerability
- Resolution Timeline: We aim to resolve critical vulnerabilities within 30 days
- Disclosure: We will coordinate with you on the disclosure timeline
When using ScriptHammer in production, we recommend:
- Never commit
.envfiles to version control - Use environment-specific configurations
- Rotate secrets regularly
- Use strong, unique passwords for all services
- Keep all dependencies up to date
- Run
pnpm auditregularly to check for known vulnerabilities - Review dependency licenses and security policies
- Use exact versions in production (
pnpm install --frozen-lockfile)
- All user inputs are validated using Zod schemas
- Never trust client-side validation alone
- Sanitize all data before storage
- Use parameterized queries for database operations
- Implement proper session management
- Use secure cookie settings (httpOnly, secure, sameSite)
- Implement rate limiting for authentication endpoints
- Use strong password policies (enforced via Zod schemas)
The application implements a strict CSP in src/app/layout.tsx (via meta tag for static export compatibility):
Current CSP Directives:
default-src 'self'- Only allow resources from same originscript-src 'self' 'unsafe-inline' https://www.googletagmanager.com https://*.google-analytics.com- Scripts from self, inline (for theme init), and Google Analyticsstyle-src 'self' 'unsafe-inline' https://unpkg.com- Styles from self, inline, and unpkg (Leaflet)img-src 'self' data: https: blob:- Images from self, data URIs, HTTPS, and blob URLsfont-src 'self' data:- Fonts from self and data URIsconnect-src 'self' https://www.googleapis.com https://*.google-analytics.com https://tile.openstreetmap.org https://*.tile.openstreetmap.org- API connectionsframe-src 'self' https://www.google.com- Frames from self and Google (reCAPTCHA)object-src 'none'- No plugins (Flash, Java, etc.)base-uri 'self'- Prevent base tag hijackingform-action 'self' https://api.web3forms.com- Form submissions to self and Web3Formsupgrade-insecure-requests- Upgrade HTTP to HTTPS
Security Note: The 'unsafe-eval' directive has been intentionally removed to prevent eval-based XSS attacks. This is a critical security improvement.
- Always use HTTPS in production
- Security headers are configured in
next.config.ts:- X-Frame-Options: DENY
- X-Content-Type-Options: nosniff
- Referrer-Policy: strict-origin-when-cross-origin
- Permissions-Policy: Restricts access to sensitive browser features
- Run containers with non-root users when possible
- Keep base images updated
- Scan images for vulnerabilities
- Use multi-stage builds to minimize attack surface
- Never include secrets in Docker images
- Implement proper data encryption at rest and in transit
- Follow GDPR/CCPA guidelines for user data
- Implement data retention policies
- Provide data export and deletion capabilities
ScriptHammer includes several built-in security features:
- Comprehensive Zod validation schemas for all forms
- Client and server-side validation
- Protection against common injection attacks
- Sanitization of user inputs
- Global error boundaries to prevent information leakage
- Structured error logging
- User-friendly error messages that don't expose sensitive information
- Service worker with integrity checks
- Secure offline caching strategies
- HTTPS-only PWA installation
- Pre-commit hooks for security checks
- Automated dependency updates via Dependabot
- TypeScript strict mode for type safety
- ESLint security rules
Before deploying to production, ensure:
- All environment variables are properly configured
- Database connections use SSL/TLS
- API endpoints are properly authenticated
- Rate limiting is implemented
- Logging doesn't include sensitive information
- Error messages don't leak system information
- CORS is properly configured
- File uploads are restricted and validated
- Session management is secure
- Regular security audits are scheduled
We use the following tools to maintain security:
- pnpm audit: Checks for known vulnerabilities in dependencies
- Dependabot: Automated dependency updates with security patches
- TypeScript: Type safety to prevent runtime errors
- ESLint: Static code analysis with security rules
- Husky: Pre-commit hooks for security checks
For any security-related questions or concerns, please contact:
- Security Email: security@scripthammer.com
- Project Maintainers: See CONTRIBUTING.md
We appreciate the security research community's efforts in helping keep ScriptHammer and our users safe. Responsible disclosure of vulnerabilities helps us ensure the security and privacy of our users.
Last Updated: February 2026 Version: 1.1.0