Security: Allwell987/Nexus-AI

SECURITY.md

Security Controls

This project includes baseline security controls for API and WebSocket traffic.

Implemented Controls

  • HTTP security headers via Helmet
  • CORS with configurable frontend origin
  • Global and route-specific rate limiting
  • Request body, query, and params schema validation (Zod)
  • Request id propagation via X-Request-Id
  • Sanitized request logging with sensitive query redaction
  • Optional JSON log format for production ingestion
  • WebSocket payload cap, connection-per-IP caps, and message rate guards

Environment Security Checklist

  • Set a strong JWT_SECRET in production
  • Set NODE_ENV=production
  • Configure TRUST_PROXY=true only when behind a trusted reverse proxy
  • Configure rate-limit env variables based on traffic profile
  • Keep API keys out of logs and version control
  • Restrict Binance API key permissions to minimum required actions

Operational Recommendations

  • Forward X-Request-Id from gateway/load balancer
  • Alert on repeated 401/429 spikes by IP
  • Rotate API credentials regularly
  • Run npm run check in CI on every push/PR
  • Review dependencies and apply security updates frequently

CI/CD Secret Handling

  • All CI secrets (BYBIT_API_KEY, BYBIT_API_SECRET, SUPABASE_URL, SUPABASE_ANON_KEY, SUPABASE_SERVICE_KEY, JWT_SECRET, ADMIN_DIAGNOSTICS_TOKEN, OPS_ADMIN_TOKEN) must be stored as encrypted repository secrets and never hardcoded in workflow files
  • READINESS_NOTIFY_WEBHOOK — optional outbound webhook for readiness alerts; keep this secret because the URL itself grants posting access to the channel. Must be an HTTPS endpoint; HTTP endpoints will silently skip delivery. Works with Slack incoming webhooks, Teams connectors, or any endpoint accepting JSON { "text": "..." }
  • CI artifact uploads (setup-control-readiness.json, telemetry-readiness-bundle.json) do not contain credentials; they contain schema check results and flags for ops review. They are safe to retain in GitHub artifacts up to the configured retention window
  • Artifact validation is enforced in CI before upload — artifacts only reach storage if schema contract and readiness values pass (or if the upload step fires under if: always() for incident diagnosis)
  • Do not use SUPABASE_SERVICE_KEY in frontend or browser contexts; it bypasses row-level security

Current Limits (Defaults)

  • Global API requests: 100 / 15 minutes
  • Auth endpoints: 20 / 10 minutes
  • AI analyze endpoints: 20 / 1 minute
  • Telegram send endpoint: 10 / 1 minute
  • Performance analytics endpoints: 60 / 1 minute — configurable via PERF_RATE_LIMIT_MAX and PERF_RATE_LIMIT_WINDOW_MS
  • WebSocket connections per IP: 8
  • WebSocket messages per client: 120 / 10 seconds
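A sketch of how the two WebSocket defaults above (8 connections per IP, 120 messages per client per 10 seconds) can be enforced. This is an added example, not code from the Nexus-AI repository; the WsGuard class, its method names and the sliding-window approach are assumptions, and the addresses in the demo are constructed.

```javascript
// Added example: limits come from "Current Limits (Defaults)"; all names are hypothetical.
const MAX_CONNECTIONS_PER_IP = 8;
const MAX_MESSAGES = 120;
const MESSAGE_WINDOW_MS = 10000;

class WsGuard {
  constructor(now = () => Date.now()) {
    this.now = now;              // injectable clock so the guard can be tested
    this.connsByIp = new Map();  // ip -> number of open connections
    this.stamps = new Map();     // clientId -> timestamps of accepted messages
  }

  // Call during the upgrade; false means the IP is already at its cap.
  openConnection(ip, clientId) {
    const open = this.connsByIp.get(ip) || 0;
    if (open >= MAX_CONNECTIONS_PER_IP) return false;
    this.connsByIp.set(ip, open + 1);
    this.stamps.set(clientId, []);
    return true;
  }

  // Call on close so counters do not leak and lock an IP out permanently.
  closeConnection(ip, clientId) {
    const open = (this.connsByIp.get(ip) || 0) - 1;
    if (open > 0) this.connsByIp.set(ip, open);
    else this.connsByIp.delete(ip);
    this.stamps.delete(clientId);
  }

  // Sliding window: accept only if fewer than MAX_MESSAGES were accepted in the last window.
  allowMessage(clientId) {
    const stamps = this.stamps.get(clientId);
    if (!stamps) return false; // unknown client: fail closed
    const t = this.now();
    while (stamps.length && stamps[0] <= t - MESSAGE_WINDOW_MS) stamps.shift();
    if (stamps.length >= MAX_MESSAGES) return false;
    stamps.push(t);
    return true;
  }
}

// Constructed scenario: 9 connection attempts from one IP, then a 130-message burst.
function demo() {
  let clock = 0;
  const guard = new WsGuard(() => clock);
  const opened = [];
  for (let i = 0; i < 9; i++) opened.push(guard.openConnection("203.0.113.7", `c${i}`));
  let accepted = 0;
  for (let i = 0; i < 130; i++) if (guard.allowMessage("c0")) accepted++;
  clock = MESSAGE_WINDOW_MS; // one full window later
  return { ninth: opened[8], accepted, afterWindow: guard.allowMessage("c0") };
}
```

The per-IP cap is only as reliable as the address it keys on, which is why the TRUST_PROXY item in the checklist matters for this control.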

There aren't any published security advisories