Tendly implements comprehensive security measures to protect user data and prevent abuse. This document outlines the security features, implementation details, and best practices.

Database Level:

• IP-based rate limiting with configurable windows
• Different limits for different actions:
  • Create drop: 3 requests per 10 minutes
  • Add item: 10 requests per 5 minutes
  • Update content: 5 requests per 5 minutes
  • Read content: 50 requests per minute
  • Upload file: 5 uploads per 10 minutes

Client Level:

• Client-side rate limiting using in-memory tracking
• Automatic cleanup of expired rate limit records

Size Limits:

• Text content: Maximum 10KB
• File uploads: Maximum 10MB

Pattern Detection:

• XSS pattern detection and removal
• Excessive URL detection (spam prevention)
• Special character ratio validation
• Suspicious content pattern detection

Sanitization:

• Automatic removal of dangerous HTML/JavaScript patterns
• Content trimming and normalization

Secure Session Tokens:

• 32-byte cryptographically secure tokens
• SHA-256 hashed storage in database
• 24-hour expiration
• IP and user agent tracking

Client Storage:

• LocalStorage with expiration tracking
• Automatic cleanup of expired tokens

Enhanced Policies:

• Rate limiting checks in RLS policies
• IP address validation
• Session token validation
• Content size validation

Tables:

• rate_limits: Track rate limiting per IP and action
• session_tokens: Store hashed session tokens
• Enhanced drops and drop_items with security columns

Functions:

• secure_create_drop: Create drops with validation
• secure_add_drop_item: Add items with security checks
• secure_update_drop_item: Update content securely
• check_rate_limit: Rate limiting validation
• validate_content: Content validation and sanitization
• generate_session_token: Secure token generation
• validate_session_token: Token validation
• cleanup_expired_data: Automatic cleanup
• log_security_event: Security event logging

Security Utilities:

• Content validation before submission
• Rate limiting on client side
• Session token management
• Security error handling
• IP address detection

Security Monitor Component:

• Real-time security status display
• Error handling with retry mechanisms
• Rate limit countdown timers
• Security event logging

The security improvements are implemented in supabase/migrations/20250127000000-security-improvements.sql:

-- Rate limiting table
CREATE TABLE rate_limits (
    id UUID PRIMARY KEY DEFAULT uuid_generate_v4(),
    ip_address INET NOT NULL,
    action_type TEXT NOT NULL,
    created_at TIMESTAMP WITH TIME ZONE DEFAULT NOW(),
    expires_at TIMESTAMP WITH TIME ZONE NOT NULL,
    request_count INTEGER DEFAULT 1,
    UNIQUE(ip_address, action_type)
);

-- Session tokens table
CREATE TABLE session_tokens (
    id UUID PRIMARY KEY DEFAULT uuid_generate_v4(),
    token_hash TEXT NOT NULL UNIQUE,
    drop_id UUID REFERENCES drops(id) ON DELETE CASCADE,
    ip_address INET NOT NULL,
    user_agent TEXT,
    created_at TIMESTAMP WITH TIME ZONE DEFAULT NOW(),
    expires_at TIMESTAMP WITH TIME ZONE NOT NULL,
    is_active BOOLEAN DEFAULT true
);

Located in src/utils/security.ts:

// Rate limiting
export class RateLimiter {
  private requests: Map<string, number[]> = new Map();
  
  isAllowed(key: string): boolean {
    // Implementation details
  }
}

// Content validation
export const validateContent = (content: string, type: 'text' | 'file' = 'text'): { valid: boolean; error?: string } => {
  // Size and pattern validation
}

// Session management
export const storeSessionToken = (dropId: string, token: string): void => {
  // Secure token storage
}

Located in src/components/SecurityMonitor.tsx:

export const SecurityMonitor: React.FC<SecurityMonitorProps> = ({
  error,
  onRetry,
  showStatus = false
}) => {
  // Security status display and error handling
}

• Always validate content size and patterns
• Sanitize user input before processing
• Use parameterized queries to prevent SQL injection

• Implement both client and server-side rate limiting
• Use different limits for different actions
• Provide clear feedback when limits are exceeded

• Use cryptographically secure tokens
• Store only hashed tokens in database
• Implement proper expiration and cleanup

• Don't expose sensitive information in error messages
• Log security events for monitoring
• Provide user-friendly error messages

• Validate file types and sizes
• Scan for malicious patterns
• Implement proper content sanitization

The system logs various security events:

• create_drop_failed: Failed drop creation attempts
• add_item_failed: Failed item addition attempts
• drop_created: Successful drop creation
• rate_limit_exceeded: Rate limit violations
• suspicious_content: Detected suspicious content

{
  event_type: string,
  ip_address: string,
  details: {
    error?: any,
    dropId?: string,
    shareCode?: string,
    itemType?: string
  }
}

Located in src/utils/security.ts:

export const SECURITY_CONFIG: SecurityConfig = {
  maxTextSize: 10, // 10KB
  maxFileSize: 10, // 10MB
  rateLimitWindow: 15, // 15 minutes
  sessionTokenExpiry: 24, // 24 hours
};

export const rateLimiters = {
  createDrop: new RateLimiter(3, 10 * 60 * 1000), // 3 requests per 10 minutes
  addItem: new RateLimiter(10, 5 * 60 * 1000), // 10 requests per 5 minutes
  updateContent: new RateLimiter(5, 5 * 60 * 1000), // 5 requests per 5 minutes
  readContent: new RateLimiter(50, 60 * 1000), // 50 requests per minute
  uploadFile: new RateLimiter(5, 10 * 60 * 1000) // 5 uploads per 10 minutes
};

// Test rate limiting
for (let i = 0; i < 5; i++) {
  const result = await createTextDrop("Test content");
  if (i < 3) {
    expect(result).toBeTruthy();
  } else {
    expect(result).toBeNull();
  }
}

// Test content validation
const largeContent = "x".repeat(11 * 1024); // 11KB
const result = await createTextDrop(largeContent);
expect(result).toBeNull();

// Test session token validation
const token = getSessionToken(dropId);
expect(token).toBeTruthy();
expect(validateSessionToken(token, dropId)).toBe(true);

• No user accounts or persistent data
• Content expires automatically
• IP addresses are logged for security only

• Client-side encryption using Web Crypto API
• AES-256-GCM encryption with PBKDF2 key derivation
• Salt-based encryption for files

• GDPR compliant (no personal data collection)
• No tracking or analytics
• Automatic data cleanup

1. Advanced Threat Detection

   • Machine learning-based content analysis
   • Behavioral analysis for suspicious patterns

2. Enhanced Monitoring

   • Real-time security dashboard
   • Automated threat response

3. Additional Validation

   • File type validation
   • Virus scanning integration
   • Content reputation checking

4. Rate Limiting Improvements

   • Adaptive rate limiting
   • Geographic-based limits
   • User behavior analysis

For security-related issues or questions, please contact the development team or create an issue in the repository.

Version: 1.1.0
Last Updated: January 27, 2025
Security Level: Enterprise Grade