quasar/SECURITY.md
Benito Rodríguez 9befb8db6c docs: add SECURITY.md and API_KEYS.md documentation
- Create SECURITY.md with vulnerability reporting policy
- Add environment variables & secrets best practices
- Document input validation and rate limiting strategies
- Create docs/API_KEYS.md with step-by-step API credential guides
  - IGDB OAuth 2.0 via Twitch setup
  - RAWG API key simple registration
  - TheGamesDB API key registration
- Update README.md with security and API configuration sections
- Add tests/documentation.spec.ts with 12 validation tests
2026-02-12 20:17:58 +01:00

Security Policy

Reporting Security Vulnerabilities

If you discover a security vulnerability in Quasar, please report it privately by email to security@quasar.local rather than in a public issue, and include:

  • Description of the vulnerability
  • Steps to reproduce
  • Potential impact
  • Suggested fix (if any)

We'll acknowledge your report within 48 hours and work on a fix.

Environment Variables & Secrets

IMPORTANT: Never commit .env files to the repository. Keep them in .gitignore and commit only a template with placeholder values (e.g. a .env.example). If a secret does get committed, treat it as leaked and rotate it: rewriting history does not recall copies that were already cloned or cached.

Sensitive Variables

  • IGDB_CLIENT_ID, IGDB_CLIENT_SECRET — Twitch OAuth credentials
  • RAWG_API_KEY — RAWG API key (rate limited)
  • THEGAMESDB_API_KEY — TheGamesDB key
  • DATABASE_URL — SQLite file path in the MVP; if it points at a remote database, the URL embeds the database password and is a secret in its own right

Best Practices

  1. Use .env.local or .env.{NODE_ENV}.local for local development, so personal values never end up in a shared file
  2. Never log or print secrets; redact environment dumps, request headers and connection strings before they reach logs or error reports
  3. Use GitHub/Gitea Secrets for CI/CD pipelines instead of writing credentials into workflow files
  4. Rotate keys regularly, and immediately if one may have been exposed
  5. Use separate keys for development, staging and production, so a leaked development key cannot be used against production
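The practices above come down to two mechanisms: refuse to start when a required secret is absent, and make sure nothing that is logged contains one. The following is an added example (not Quasar's own code) of both, with no dependencies beyond the language. The variable names are the ones listed above; the `loadConfig`, `mask`, `redact` and `redactUrl` helpers and their behaviour are assumptions for the example.

```typescript
// Added example, not Quasar's code: fail-fast loading of the secrets listed
// in SECURITY.md plus redaction helpers for anything that reaches a log.
// Function names and the returned shape are assumptions for this example.

const REQUIRED_SECRETS = [
  "IGDB_CLIENT_ID",
  "IGDB_CLIENT_SECRET",
  "RAWG_API_KEY",
  "THEGAMESDB_API_KEY",
  "DATABASE_URL",
] as const;

type SecretName = (typeof REQUIRED_SECRETS)[number];
export type AppConfig = Record<SecretName, string>;

/** Validate that every required variable is present and non-empty.
 *  The error names what is missing but never echoes a value. */
export function loadConfig(env: Record<string, string | undefined>): AppConfig {
  const missing = REQUIRED_SECRETS.filter((k) => !env[k] || env[k]!.trim() === "");
  if (missing.length > 0) {
    throw new Error(`Missing required environment variables: ${missing.join(", ")}`);
  }
  const cfg = {} as AppConfig;
  for (const k of REQUIRED_SECRETS) cfg[k] = env[k]!;
  return cfg;
}

/** Mask a secret for log output: keep the last 4 characters so an operator
 *  can tell which key is in use without learning the key itself. */
export function mask(value: string): string {
  if (value.length <= 4) return "****";
  return "*".repeat(value.length - 4) + value.slice(-4);
}

/** Hide the password component of a connection URL. SQLite file URLs carry
 *  no credentials and are left readable. */
export function redactUrl(url: string): string {
  if (url.startsWith("file:")) return url;
  return url.replace(/\/\/([^:/@]+):([^@]+)@/, "//$1:****@");
}

/** Copy an object, masking values whose key looks like a secret and
 *  redacting the DATABASE_URL password. Use this on anything that is about
 *  to be logged (config dumps, error context, request headers). */
export function redact<T extends Record<string, unknown>>(obj: T): Record<string, unknown> {
  const secretKey = /(secret|key|token|password)/i;
  const out: Record<string, unknown> = {};
  for (const [k, v] of Object.entries(obj)) {
    if (typeof v !== "string") {
      out[k] = v;
    } else if (k === "DATABASE_URL") {
      out[k] = redactUrl(v);
    } else if (secretKey.test(k)) {
      out[k] = mask(v);
    } else {
      out[k] = v;
    }
  }
  return out;
}
```

Call `loadConfig(process.env)` once at startup and pass the returned object around instead of reading `process.env` ad hoc; route every log line that carries configuration or request context through `redact` first.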

Input Validation & Sanitization

All user inputs are validated using Zod schemas:

  • Backend: src/validators/*.ts define strict schemas
  • Frontend: React Hook Form + Zod validation
  • Game titles, ROM file paths, and user uploads are sanitized. In particular, a ROM path must resolve to a location inside the configured ROM directory, so that ".." segments or an absolute path cannot reach other files, and a title must not carry control or invisible formatting characters
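The two checks that matter most in that list are path confinement and title cleaning. The following is an added example (not Quasar's validators) of both as plain functions; a Zod schema would wrap them with `.refine` or `.transform`. `ROM_ROOT`, the extension list and the `Check` result type are assumptions for the example.

```typescript
import * as path from "node:path";

// Added example, not Quasar's own validators: the checks a src/validators/*.ts
// schema needs to enforce before a user-supplied ROM path or title reaches the
// filesystem or the database. ROM_ROOT, the extension list and the Check type
// are assumptions for this example.

const ROM_ROOT = path.resolve("/srv/quasar/roms");
const ALLOWED_EXT = new Set([".nes", ".sfc", ".gba", ".iso", ".zip"]);

export type Check = { ok: true; value: string } | { ok: false; reason: string };

/** Confine a ROM path to ROM_ROOT. The path is resolved first, so "..",
 *  absolute paths and "dir/../../x" are all judged after normalisation
 *  rather than by looking for ".." in the raw string. */
export function checkRomPath(input: string): Check {
  if (input.length === 0 || input.length > 512) return { ok: false, reason: "length" };
  if (input.includes("\0")) return { ok: false, reason: "NUL byte" };
  const resolved = path.resolve(ROM_ROOT, input);
  const rel = path.relative(ROM_ROOT, resolved);
  if (rel === "" || rel === ".." || rel.startsWith(".." + path.sep) || path.isAbsolute(rel)) {
    return { ok: false, reason: "outside ROM directory" };
  }
  if (!ALLOWED_EXT.has(path.extname(resolved).toLowerCase())) {
    return { ok: false, reason: "extension not allowed" };
  }
  return { ok: true, value: resolved };
}

// C0/C1 controls plus zero-width and bidirectional formatting characters,
// which are invisible in most UIs and enable display spoofing.
const FORBIDDEN_CHARS = /[\u0000-\u001f\u007f-\u009f\u200b-\u200f\u202a-\u202e\u2066-\u2069]/;

/** Game titles: trimmed, internal whitespace collapsed, bounded length, no
 *  control or invisible characters. Prisma parameterises queries, so the goal
 *  is clean data, not SQL escaping. */
export function checkTitle(input: string): Check {
  const cleaned = input.trim().replace(/\s+/g, " ");
  if (cleaned.length === 0 || cleaned.length > 200) return { ok: false, reason: "length" };
  if (FORBIDDEN_CHARS.test(cleaned)) return { ok: false, reason: "control character" };
  return { ok: true, value: cleaned };
}
```

The resolve-then-relative pattern is deliberate: string checks for ".." miss encodings and mixed separators, whereas comparing the normalised result against the root is exact. Use the returned `value`, not the original input, for every later filesystem call.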

Rate Limiting

Outbound calls to the metadata services are throttled client-side to stay under each provider's published limit:

  • IGDB: 4 requests/second
  • RAWG: 20 requests/second (free tier)
  • TheGamesDB: 1 request/second

A 429 response from any of them means the local budget is out of step with the provider's; back off before retrying rather than retrying immediately, or the account can be blocked outright.
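One way to hold those limits is a token bucket per service, which allows a short burst and then spaces calls at the configured rate. The following is an added example (not Quasar's client code); the clock is injectable so the behaviour can be checked without real waiting. The service keys and the `MetadataThrottle` API are assumptions for the example.

```typescript
// Added example, not Quasar's client code: a per-service token bucket that
// spaces outbound metadata calls to the limits listed in SECURITY.md.
// Service keys and the MetadataThrottle API are assumptions for this example.

export const SERVICE_LIMITS: Record<string, number> = {
  igdb: 4,        // requests per second
  rawg: 20,       // free tier
  thegamesdb: 1,
};

export class TokenBucket {
  private readonly ratePerSec: number;
  private readonly now: () => number;
  private tokens: number;
  private last: number;

  constructor(ratePerSec: number, now: () => number = Date.now) {
    this.ratePerSec = ratePerSec;
    this.now = now;
    this.tokens = ratePerSec;   // start full: one second's quota may be spent at once
    this.last = now();
  }

  private refill(): void {
    const t = this.now();
    const elapsedSec = (t - this.last) / 1000;
    this.tokens = Math.min(this.ratePerSec, this.tokens + elapsedSec * this.ratePerSec);
    this.last = t;
  }

  /** Take one token if available; true means the call may go out now. */
  tryAcquire(): boolean {
    this.refill();
    if (this.tokens >= 1) {
      this.tokens -= 1;
      return true;
    }
    return false;
  }

  /** Milliseconds until a token will be available (0 if one is ready). */
  msUntilNext(): number {
    this.refill();
    if (this.tokens >= 1) return 0;
    return Math.ceil(((1 - this.tokens) / this.ratePerSec) * 1000);
  }
}

export class MetadataThrottle {
  private readonly buckets = new Map<string, TokenBucket>();

  constructor(now: () => number = Date.now) {
    for (const [service, rate] of Object.entries(SERVICE_LIMITS)) {
      this.buckets.set(service, new TokenBucket(rate, now));
    }
  }

  private bucket(service: string): TokenBucket {
    const b = this.buckets.get(service);
    if (!b) throw new Error(`unknown metadata service: ${service}`);
    return b;
  }

  tryAcquire(service: string): boolean {
    return this.bucket(service).tryAcquire();
  }

  msUntilNext(service: string): number {
    return this.bucket(service).msUntilNext();
  }

  /** Wait for a token, then perform the call. A 429 from the provider means
   *  the local budget is out of step with theirs: treat it as a hard stop
   *  and retry later, not as something to loop on. */
  async run<T>(
    service: string,
    call: () => Promise<T>,
    sleep: (ms: number) => Promise<void> = (ms) => new Promise((resolve) => setTimeout(resolve, ms)),
  ): Promise<T> {
    const b = this.bucket(service);
    while (!b.tryAcquire()) {
      await sleep(b.msUntilNext());
    }
    return call();
  }
}
```

Keep one `MetadataThrottle` per process; a limiter created per request enforces nothing. If the service runs as several replicas, the per-process rate has to be divided by the replica count, or the budget moved to a shared store.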

Database Security

SQLite is used for MVP. For production:

  • Consider PostgreSQL or MySQL
  • Enable encrypted connections (SSL/TLS); for PostgreSQL that means sslmode=verify-full in DATABASE_URL, since sslmode=require encrypts the connection but does not verify the server certificate
  • Use connection pooling (current: Prisma with pool settings)
  • Regular backups, restored periodically to confirm they work and stored away from the database host

CORS & CSP

Configure CORS in the backend with an exact origin allow-list; never reflect an arbitrary Origin header back, least of all together with Access-Control-Allow-Credentials: true:

  • Frontend origin: http://localhost:3000 (dev), https://yourdomain.com (prod)
  • Content Security Policy headers recommended for production; start from default-src 'self' and add only the hosts the frontend actually loads scripts, images and API responses from
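The following is an added example (not Quasar's backend code) of the allow-list and a starting CSP, written as plain functions that return headers so they fit any framework's middleware. The origin table, the assumption that sessions use cookies (hence the credentials header), and the CSP directives are all assumptions for the example; the image hosts are placeholders.

```typescript
// Added example, not Quasar's backend code: an exact-match CORS allow-list and
// a Content-Security-Policy builder. Origins, the cookie-session assumption
// and the directive set are assumptions for this example.

const ALLOWED_ORIGINS: Record<string, string[]> = {
  development: ["http://localhost:3000"],
  production: ["https://yourdomain.com"],
};

/** CORS headers for one request. Only an Origin that exactly matches the
 *  allow-list is echoed back. The weak pattern this replaces is
 *  `Access-Control-Allow-Origin: <whatever Origin was sent>` together with
 *  `Access-Control-Allow-Credentials: true`, which lets any site call the
 *  API with the user's cookies. */
export function corsHeaders(origin: string | undefined, env: string): Record<string, string> {
  const allowed = ALLOWED_ORIGINS[env] ?? [];
  if (!origin || !allowed.includes(origin)) {
    return {};   // no CORS headers at all: the browser refuses the cross-origin read
  }
  return {
    "Access-Control-Allow-Origin": origin,
    "Access-Control-Allow-Credentials": "true",
    "Access-Control-Allow-Methods": "GET, POST, PUT, DELETE, OPTIONS",
    "Access-Control-Allow-Headers": "Content-Type, Authorization",
    "Vary": "Origin",   // caches must not serve one origin's answer to another
  };
}

/** Build a CSP for the frontend. `apiOrigin` is the backend the SPA calls;
 *  `imageHosts` are the hosts cover art is loaded from. */
export function buildCsp(apiOrigin: string, imageHosts: string[]): string {
  const directives: Record<string, string[]> = {
    "default-src": ["'self'"],
    "script-src": ["'self'"],
    // 'unsafe-inline' for styles is a common concession to CSS-in-JS; drop it
    // if the build emits no inline styles, since it weakens the policy.
    "style-src": ["'self'", "'unsafe-inline'"],
    "img-src": ["'self'", "data:", ...imageHosts],
    "connect-src": ["'self'", apiOrigin],
    "object-src": ["'none'"],
    "base-uri": ["'self'"],
    "frame-ancestors": ["'none'"],
  };
  return Object.entries(directives)
    .map(([name, sources]) => `${name} ${sources.join(" ")}`)
    .join("; ");
}
```

Set the CSP on the HTML responses that serve the frontend, not on JSON API responses, and run it as `Content-Security-Policy-Report-Only` first to find out what the page actually loads before enforcing it.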

Changelog

  • v1.0.0 (2026-02-12): Initial security guidelines