quasar/SECURITY.md
Benito Rodríguez 9befb8db6c docs: add SECURITY.md and API_KEYS.md documentation
- Create SECURITY.md with vulnerability reporting policy
- Add environment variables & secrets best practices
- Document input validation and rate limiting strategies
- Create docs/API_KEYS.md with step-by-step API credential guides
  - IGDB OAuth 2.0 via Twitch setup
  - RAWG API key simple registration
  - TheGamesDB API key registration
- Update README.md with security and API configuration sections
- Add tests/documentation.spec.ts with 12 validation tests
2026-02-12 20:17:58 +01:00


# Security Policy
## Reporting Security Vulnerabilities
If you discover a security vulnerability in Quasar, please email security@quasar.local with:
- Description of the vulnerability
- Steps to reproduce
- Potential impact
- Suggested fix (if any)
We'll acknowledge your report within 48 hours and work on a fix.
## Environment Variables & Secrets
**IMPORTANT:** Never commit `.env` files to the repository.
### Sensitive Variables
- `IGDB_CLIENT_ID`, `IGDB_CLIENT_SECRET` — Twitch OAuth credentials
- `RAWG_API_KEY` — RAWG API key (rate limited)
- `THEGAMESDB_API_KEY` — TheGamesDB key
- `DATABASE_URL` — SQLite file path (contains password if using remote DB)
### Best Practices
1. Use `.env.local` or `.env.{NODE_ENV}.local` for local development
2. Never log or print secrets
3. Use GitHub/Gitea Secrets for CI/CD pipelines
4. Rotate keys regularly
5. Use separate keys for development, staging, production
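The following is an added example, not code from the Quasar repository, showing how practices 1 and 2 above fit together in a small config loader: layered dotenv files (with `.env.local` overriding `.env`, and the real process environment overriding both), a required-key check at startup, and a redacted view that is the only form ever passed to a logger. The variable names are the ones listed under Sensitive Variables; the file contents, the `REQUIRED_KEYS` list and the credential values are constructed placeholders.

```typescript
// Added example (not part of the Quasar project): load layered .env files,
// fail fast on missing keys, and never let secret values reach a log line.

// Variables whose values must never appear in log output (from the list above).
const SECRET_KEYS = new Set([
  "IGDB_CLIENT_SECRET",
  "RAWG_API_KEY",
  "THEGAMESDB_API_KEY",
  "DATABASE_URL", // may embed a password when a remote database is used
]);

// Assumed set of keys the app cannot start without (the project may differ).
const REQUIRED_KEYS = ["IGDB_CLIENT_ID", "IGDB_CLIENT_SECRET", "RAWG_API_KEY", "DATABASE_URL"];

// Parse KEY=VALUE lines of a dotenv-style file. Blank lines and comments are
// skipped; matching surrounding quotes are stripped from the value.
function parseDotenv(text: string): Record<string, string> {
  const out: Record<string, string> = {};
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    if (line === "" || line.startsWith("#")) continue;
    const eq = line.indexOf("=");
    if (eq <= 0) continue; // no key, ignore the line
    const key = line.slice(0, eq).trim();
    let value = line.slice(eq + 1).trim();
    const quoted =
      (value.startsWith('"') && value.endsWith('"')) ||
      (value.startsWith("'") && value.endsWith("'"));
    if (quoted && value.length >= 2) value = value.slice(1, -1);
    out[key] = value;
  }
  return out;
}

// Merge layers in precedence order: later layers override earlier ones, and the
// real process environment wins over every file, so CI/CD secrets injected by
// the pipeline are never shadowed by a stray file on disk.
function mergeLayers(
  layers: Record<string, string>[],
  processEnv: Record<string, string>,
): Record<string, string> {
  const merged: Record<string, string> = {};
  for (const layer of layers) {
    for (const [k, v] of Object.entries(layer)) merged[k] = v;
  }
  for (const [k, v] of Object.entries(processEnv)) merged[k] = v;
  return merged;
}

// Refuse to start with an incomplete configuration instead of failing later
// with a confusing upstream error (which might even echo the request).
function loadConfig(env: Record<string, string>): Record<string, string> {
  const missing = REQUIRED_KEYS.filter((k) => !env[k]);
  if (missing.length > 0) {
    throw new Error(`missing required environment variables: ${missing.join(", ")}`);
  }
  return env;
}

// Copy safe to log: every secret is replaced by a fixed marker, so not even
// the length of the secret leaks into logs.
function redact(env: Record<string, string>): Record<string, string> {
  const out: Record<string, string> = {};
  for (const [k, v] of Object.entries(env)) {
    out[k] = SECRET_KEYS.has(k) ? "[REDACTED]" : v;
  }
  return out;
}

// Constructed sample files; the values are placeholders, not real credentials.
const DOTENV = `
# shared defaults, safe to commit
IGDB_CLIENT_ID=abc123
RAWG_API_KEY="placeholder-rawg-key"
DATABASE_URL=file:./dev.db
`;
const DOTENV_LOCAL = `
# developer-only overrides, kept out of git via .gitignore
IGDB_CLIENT_SECRET='placeholder-igdb-secret'
DATABASE_URL=postgresql://quasar:placeholder-pw@localhost/quasar
`;

// Build the config from the two sample layers and return the loggable view.
function demo(): Record<string, string> {
  const merged = mergeLayers([parseDotenv(DOTENV), parseDotenv(DOTENV_LOCAL)], {});
  const config = loadConfig(merged);
  const safe = redact(config);
  console.log(safe); // DATABASE_URL and the API keys print as [REDACTED]
  return safe;
}
```

In real code the layers come from `fs.readFileSync(".env")` and `fs.readFileSync(".env.local")` (missing files skipped) and `processEnv` from `process.env`; the point of the structure is that `config` itself is never handed to a logger, only `redact(config)`.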
## Input Validation & Sanitization
All user inputs are validated using **Zod** schemas:
- Backend: `src/validators/*.ts` define strict schemas
- Frontend: React Hook Form + Zod validation
- Game titles, ROM file paths, and user uploads are sanitized
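As an added illustration of what "sanitized" has to mean for ROM file paths and game titles (this is example code, not the project's `src/validators/*.ts`, and it uses hand-written checks rather than Zod so it runs with no dependencies), the validator below confines a user-supplied ROM path to a configured root directory and normalises titles. `ROM_ROOT` and `ALLOWED_EXTENSIONS` are assumptions for the example.

```typescript
// Added example (not project code): allow-list validation for ROM paths and
// game titles. The same rules would be expressed as Zod refinements in the
// project's validators.
import * as path from "node:path";

// Assumed root under which all ROM files live; never taken from user input.
const ROM_ROOT = "/srv/quasar/roms";
// Assumed allow-list of file extensions the importer is willing to read.
const ALLOWED_EXTENSIONS = new Set([".zip", ".7z", ".iso", ".bin", ".nes", ".sfc"]);

type Validation = { ok: true; value: string } | { ok: false; reason: string };

// Accept only a relative path that, once resolved against ROM_ROOT, still lies
// inside ROM_ROOT and names a file with an allowed extension. path.posix is
// used so the result is the same on every platform.
function validateRomPath(userPath: string): Validation {
  if (userPath.length === 0 || userPath.length > 512) {
    return { ok: false, reason: "path length out of range" };
  }
  if (userPath.includes("\0")) {
    return { ok: false, reason: "null byte in path" };
  }
  if (userPath.includes("\\")) {
    return { ok: false, reason: "backslash separators are not accepted" };
  }
  if (path.posix.isAbsolute(userPath) || /^[a-zA-Z]:[\\/]/.test(userPath)) {
    return { ok: false, reason: "absolute paths are not accepted" };
  }
  // Resolve "." and ".." segments, then check containment with a trailing
  // separator so that "/srv/quasar/roms-other" does not pass as inside the root.
  const resolved = path.posix.resolve(ROM_ROOT, userPath);
  if (resolved !== ROM_ROOT && !resolved.startsWith(ROM_ROOT + "/")) {
    return { ok: false, reason: "path escapes the ROM root" };
  }
  const ext = path.posix.extname(resolved).toLowerCase();
  if (!ALLOWED_EXTENSIONS.has(ext)) {
    return { ok: false, reason: `extension ${ext || "(none)"} not allowed` };
  }
  return { ok: true, value: resolved };
}

// Titles are free text, so the goal is bounded, printable, trimmed input rather
// than an allow-list: reject control characters and enforce a length range.
function validateGameTitle(title: string): Validation {
  const trimmed = title.trim().replace(/\s+/g, " ");
  if (trimmed.length === 0 || trimmed.length > 200) {
    return { ok: false, reason: "title length out of range" };
  }
  // eslint-disable-next-line no-control-regex
  if (/[\u0000-\u001f\u007f]/.test(trimmed)) {
    return { ok: false, reason: "control characters in title" };
  }
  return { ok: true, value: trimmed };
}
```

Note that containment is checked on the resolved path, not by searching the raw string for `..`: the former also catches encodings and mixed segments that a substring check misses, and it is the check that actually corresponds to the property you want (the file is under the root).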
## Rate Limiting
API calls to metadata services are rate-limited:
- IGDB: 4 requests/second
- RAWG: 20 requests/second (free tier)
- TheGamesDB: 1 request/second
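An added example (not the project's client code) of enforcing the three limits above on the client side with a token bucket per service, so the application throttles itself before the upstream API starts returning errors. The rates are the ones listed; that the burst size equals one second's worth of requests, and the service names used as keys, are assumptions of the example. The clock is injected so the behaviour can be simulated deterministically.

```typescript
// Added example (not project code): per-service token-bucket rate limiting
// with an injectable clock, plus an async wrapper for real calls.

type Clock = () => number; // milliseconds

class TokenBucket {
  private tokens: number;
  private last: number;

  constructor(
    private readonly ratePerSecond: number,
    private readonly now: Clock,
    private readonly burst: number,
  ) {
    this.tokens = burst;
    this.last = now();
  }

  // Add the tokens earned since the last refill, capped at the burst size.
  private refill(): void {
    const t = this.now();
    const elapsedSeconds = (t - this.last) / 1000;
    this.tokens = Math.min(this.burst, this.tokens + elapsedSeconds * this.ratePerSecond);
    this.last = t;
  }

  // Consume one token if available; callers must not proceed on false.
  tryAcquire(): boolean {
    this.refill();
    if (this.tokens >= 1) {
      this.tokens -= 1;
      return true;
    }
    return false;
  }

  // How long to wait before tryAcquire() can succeed (0 if it can now).
  msUntilNextToken(): number {
    this.refill();
    if (this.tokens >= 1) return 0;
    return Math.ceil(((1 - this.tokens) / this.ratePerSecond) * 1000);
  }
}

// Limits from the policy above (requests per second); burst = rate is an assumption.
const SERVICE_LIMITS: Record<string, number> = { igdb: 4, rawg: 20, thegamesdb: 1 };

function makeBuckets(now: Clock): Map<string, TokenBucket> {
  const buckets = new Map<string, TokenBucket>();
  for (const [service, rate] of Object.entries(SERVICE_LIMITS)) {
    buckets.set(service, new TokenBucket(rate, now, rate));
  }
  return buckets;
}

// Simulate when each of `requests` back-to-back calls would actually be sent
// for a service, using a fake clock that jumps straight to the next token.
function simulateSendTimes(service: string, requests: number): number[] {
  let t = 0;
  const bucket = makeBuckets(() => t).get(service);
  if (!bucket) throw new Error(`unknown service ${service}`);
  const times: number[] = [];
  for (let i = 0; i < requests; i++) {
    t += bucket.msUntilNextToken();
    if (!bucket.tryAcquire()) throw new Error("token expected after waiting");
    times.push(t);
  }
  return times;
}

function sleep(ms: number): Promise<void> {
  return new Promise((resolve) => setTimeout(resolve, ms));
}

// Real usage: wait for a token, then run the call. JS is single-threaded, so
// there is no await between msUntilNextToken() returning 0 and tryAcquire().
async function withRateLimit<T>(bucket: TokenBucket, call: () => Promise<T>): Promise<T> {
  let wait = bucket.msUntilNextToken();
  while (wait > 0) {
    await sleep(wait);
    wait = bucket.msUntilNextToken();
  }
  bucket.tryAcquire();
  return call();
}
```

With these limits, six consecutive IGDB requests go out at 0, 0, 0, 0, 250 and 500 ms, while TheGamesDB calls are spaced a full second apart after the first. A production client would wrap every outbound metadata call in `withRateLimit` with the bucket for that service.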
## Database Security
SQLite is used for MVP. For production:
- Consider PostgreSQL or MySQL
- Enable encrypted connections (SSL/TLS)
- Use connection pooling (current: Prisma with pool settings)
- Regular backups
## CORS & CSP
Configure appropriate CORS headers in backend:
- Frontend origin: `http://localhost:3000` (dev), `https://yourdomain.com` (prod)
- Content Security Policy headers recommended for production
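An added example (not the project's middleware) of the two checks this section describes: an exact-match origin allow-list keyed by `NODE_ENV`, using the two origins listed above, and a Content Security Policy built from explicit directives. The `apiOrigin` parameter and the directive set are assumptions for the example.

```typescript
// Added example (not project code): CORS origin allow-list and CSP builder.

// Origins from the policy above, keyed by NODE_ENV. Exact strings, never
// patterns: a regex like /localhost:3000/ would also match
// http://localhost:3000.attacker.example.
const ALLOWED_ORIGINS: Record<string, string[]> = {
  development: ["http://localhost:3000"],
  production: ["https://yourdomain.com"],
};

// Return the CORS response headers for an allowed request origin, or null
// when the origin is missing or not allowed (then no CORS headers are sent,
// and the browser blocks the cross-origin read).
function corsHeaders(
  requestOrigin: string | undefined,
  nodeEnv: string,
): Record<string, string> | null {
  const allowed = ALLOWED_ORIGINS[nodeEnv] ?? [];
  if (!requestOrigin || !allowed.includes(requestOrigin)) return null;
  return {
    "Access-Control-Allow-Origin": requestOrigin, // echo only an allowed origin
    Vary: "Origin", // caches must not reuse one origin's response for another
    "Access-Control-Allow-Methods": "GET, POST, PUT, DELETE, OPTIONS",
    "Access-Control-Allow-Headers": "Content-Type, Authorization",
  };
}

// Build a CSP header value. Assumed directive set for a single-page frontend
// that only talks to its own backend at `apiOrigin`.
function contentSecurityPolicy(apiOrigin: string): string {
  const directives: Record<string, string[]> = {
    "default-src": ["'self'"],
    "script-src": ["'self'"],
    "style-src": ["'self'"],
    "img-src": ["'self'", "data:"],
    "connect-src": ["'self'", apiOrigin],
    "object-src": ["'none'"],
    "base-uri": ["'self'"],
    "frame-ancestors": ["'none'"],
  };
  return Object.entries(directives)
    .map(([name, values]) => `${name} ${values.join(" ")}`)
    .join("; ");
}

// Parse a CSP value back into a map, so a deployment check can assert on it.
function parseCsp(header: string): Record<string, string[]> {
  const out: Record<string, string[]> = {};
  for (const part of header.split(";")) {
    const tokens = part.trim().split(/\s+/).filter((t) => t.length > 0);
    if (tokens.length === 0) continue;
    out[tokens[0]] = tokens.slice(1);
  }
  return out;
}
```

In an Express-style backend the result of `corsHeaders(req.headers.origin, process.env.NODE_ENV)` is copied onto the response (with an early 204 for OPTIONS preflights), and `contentSecurityPolicy` supplies the `Content-Security-Policy` header for the HTML document in production.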
## Changelog
- v1.0.0 (2026-02-12): Initial security guidelines