If you discover a security vulnerability, please report it responsibly:
- Do NOT open a public GitHub issue
- Email the maintainer directly with details of the vulnerability
- Include steps to reproduce, potential impact, and any suggested fixes
We will acknowledge receipt within 48 hours and aim to provide a fix or mitigation plan within 7 days.
This policy covers the BuildGuard Admin frontend application. The backend API is maintained separately and has its own security policy.
- Authentication — JWT tokens stored in localStorage; sessions are validated on each route navigation
- API communication — all API requests go through
/bqiproxy; HTTPS enforced in production viaVITE_REQUIRE_SECURE_API - Environment variables — secrets (API keys, tokens) must be stored in
.env.localwhich is gitignored - File uploads — handled via Tencent COS; no direct server-side file processing in this frontend
- Never commit
.env.local, credentials, or API keys - Use the centralized API layer (
src/lib/api.ts) for all requests — it handles auth headers and token management - Validate user inputs at system boundaries
- Follow the permission system (
PermissionGate,useCurrentUserPermissions) for access control