This document details the security practices implemented in the Inventory Stock Tracker API and the procedure for reporting vulnerabilities.
- Authentication and Authorization: JSON Web Tokens (JWT) with strict Role-Based Access Control (RBAC) to separate Administrator and Staff privileges.
- Concurrency Prevention: Optimistic Locking (via a version column) and Idempotency Keys on stock mutation endpoints to prevent race conditions and double-submission.
- SQL Injection Prevention: All database queries are executed via Drizzle ORM, which utilizes parameterized queries by default.
- Input Validation: All HTTP inputs are strictly validated against TypeBox schemas before reaching the business logic layer.
- Secrets Management: Sensitive credentials and keys are managed exclusively through environment variables and are never committed to the repository.
If you discover a security vulnerability, do not open a public issue.
Report it confidentially via:
- Email: dzulkiflianwar2@gmail.com (replace with the appropriate contact)
- GitHub Security Advisories: Use the "Report a vulnerability" feature in the repository's Security tab.
Response Commitments:
- Acknowledge receipt of the report within 48 hours.
- Provide an estimated timeline for a fix within 7 days.
- Publish a patch and credit the reporter (if requested) after the fix is deployed.
Security updates are provided only for the latest major version of this project. Ensure you are using the most recent release.