Skip to content

Security: AdamJ/TimeTrackerPro

Security

docs/SECURITY.md

πŸ”’ Security Checklist

βœ… Environment Variables Security

Current Security Status

  • βœ… .env removed from Git tracking
  • βœ… .env added to .gitignore
  • βœ… .env.example provides template with instructions
  • βœ… README.md includes security warnings

πŸ” Before Publishing to GitHub

MANDATORY SECURITY CHECKS:

  1. Verify .env is NOT tracked:

    git ls-files | grep -E '\.env$'
# Should return NO results (only .env.example should exist)

  2. Confirm .gitignore includes .env:

    grep -E '\.env' .gitignore
# Should show .env patterns

  3. Check for accidental commits:

    git log --all --full-history -- .env
# If this shows results, see "🚨 If .env Was Already Committed" below

🚨 If .env Was Already Committed (URGENT)

If your .env file with real credentials was ever committed to a repository:

  1. Immediately rotate your Supabase keys:

    • Go to Supabase Dashboard > Settings > API
    • Reset your anon key
    • Update your local .env with new keys

  2. Remove from Git history (if repository is private):

    git filter-branch --force --index-filter \
  'git rm --cached --ignore-unmatch .env' \
  --prune-empty --tag-name-filter cat -- --all

  3. For public repositories:

    • Create a new Supabase project
    • Update all your environment variables
    • Consider the old keys compromised

πŸ›‘οΈ Additional Security Measures

Row Level Security (RLS)

  • βœ… All Supabase tables have RLS enabled
  • βœ… Users can only access their own data
  • βœ… Anonymous users cannot access authenticated data

Environment Variable Validation

// In src/lib/supabase.ts
if (!SUPABASE_URL || !SUPABASE_ANON_KEY) {
  console.warn('Supabase env vars not found. Supabase sync will be disabled.');
}

πŸ” Production Deployment Security

For Vercel/Netlify

  1. Set environment variables in dashboard (not in code)
  2. Use different Supabase project for production
  3. Never use development keys in production

For Docker/Self-Hosted

  1. Use Docker secrets or environment files
  2. Never include .env in Docker images
  3. Use build-time arguments for public variables only

πŸ“‹ Pre-Deployment Checklist

  • .env is in .gitignore
  • .env is not tracked by Git
  • No credentials hardcoded in source files
  • .env.example has dummy values only
  • Production uses separate Supabase project
  • RLS policies are properly configured
  • Environment variables set in deployment platform

πŸš€ Safe Publishing Commands

# Final check before pushing
git status
git ls-files | grep -E '\.env$'  # Should be empty

# Safe to push
git add .
git commit -m "feat: add authentication and database integration"
git push origin main

πŸ“ž Emergency Response

If credentials are accidentally exposed:

  1. Immediately rotate Supabase keys
  2. Check repository access logs
  3. Monitor Supabase usage for unusual activity
  4. Consider creating new Supabase project if exposure was public

Remember: It's always better to be overly cautious with credentials than to deal with a security incident later!

There aren’t any published security advisories