If you discover a security vulnerability, please email security@devutils.in instead of using the issue tracker.
Please include:
- Description of the vulnerability
- Steps to reproduce
- Potential impact
- Suggested fix (if any)
We will acknowledge receipt within 48 hours and provide updates on our progress.
- Never commit API keys to version control
- Use environment variables for API keys
- Rotate keys regularly (every 90 days)
- Use separate keys for development and production
- Restrict key permissions to minimum required
```typescript
// ✓ Good
const apiKey = process.env.DEVUTILS_API_KEY;
const sdk = new DevUtilsSDK(apiKey);

// ✗ Bad
const sdk = new DevUtilsSDK("du_prod_abc123...");
```

Always use HTTPS for API calls. The SDK enforces this by default.
```typescript
// ✓ Good - HTTPS enforced
const sdk = new DevUtilsSDK("api-key");

// ✗ Bad - HTTP not supported
const sdk = new DevUtilsSDK("api-key", {
  baseUrl: "http://api.devutils.in", // Will fail
});
```

Validate and sanitize user input before passing it to the SDK:
```typescript
// ✓ Good
function validateUrl(url: string): boolean {
  try {
    // Note: new URL() accepts any absolute URL, including non-http schemes;
    // check the parsed protocol as well if only http(s) targets are acceptable.
    new URL(url);
    return true;
  } catch {
    return false;
  }
}

const url = userInput;
if (validateUrl(url)) {
  const result = await sdk.screenshot({ url });
}

// ✗ Bad - No validation
const result = await sdk.screenshot({ url: userInput });
```

Don't expose sensitive information in error messages:
```typescript
// ✓ Good
try {
  const result = await sdk.screenshot({ url });
} catch (error) {
  console.error("Screenshot failed");
  // Log full error internally only
  logger.error(error);
}

// ✗ Bad - Exposes API key
try {
  const result = await sdk.screenshot({ url });
} catch (error) {
  console.error("Error:", error.message); // May contain API key
}
```

Implement rate limiting to prevent abuse:
```typescript
// ✓ Good - Rate limited
const limiter = new RateLimiter({ maxRequests: 10, windowMs: 60000 });

async function screenshot(url: string) {
  await limiter.acquire();
  return sdk.screenshot({ url });
}
```

For browser usage, configure CORS properly:
```typescript
// ✓ Good - Specific origin
const corsOptions = {
  origin: "https://yourdomain.com",
  credentials: true,
};

// ✗ Bad - Allow all origins
const corsOptions = {
  origin: "*",
};
```

Keep dependencies up to date:
```bash
# Check for vulnerabilities
npm audit

# Fix vulnerabilities
npm audit fix

# Update dependencies
npm update
```

- Don't log sensitive data - URLs, API keys, user data
- Use HTTPS - Encrypt data in transit
- Implement access control - Restrict who can use the SDK
- Audit logs - Track API usage
- Data retention - Delete data when no longer needed
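The error-handling advice above ("may contain API key") and the "don't log sensitive data" item both come down to redacting before anything reaches console output or a log sink. The following is an added example, not code from the DevUtils SDK or its documentation; it assumes keys follow the `du_<env>_<token>` shape shown in this page's snippets and that the configured key is passed in so its exact value can be masked too.

```typescript
// Added example (not part of the DevUtils SDK). Redacts API keys and URL
// secrets so that error messages and log lines can be written safely.

// Assumption: DevUtils keys look like "du_prod_abc123" (du_<env>_<token>).
const KEY_PATTERN = /\bdu_[a-z]+_[A-Za-z0-9]+/g;

// Mask anything key-shaped in free text; also mask the exact configured key
// (when it is at least 8 chars, to avoid masking short common substrings).
function redactKeys(text: string, knownKey?: string): string {
  let out = text.replace(KEY_PATTERN, "du_***");
  if (knownKey && knownKey.length >= 8) {
    out = out.split(knownKey).join("du_***");
  }
  return out;
}

// Strip credentials, query string and fragment from a URL before logging it;
// those are the parts where tokens and user data usually end up.
function redactUrl(raw: string): string {
  try {
    const u = new URL(raw);
    u.username = "";
    u.password = "";
    u.search = "";
    u.hash = "";
    return u.toString();
  } catch {
    return "[unparseable url]";
  }
}

// Build the one message that is safe to return to a caller or write to logs.
// The raw error object should only ever go to an internal, access-controlled sink.
function safeErrorMessage(error: unknown, url: string, knownKey?: string): string {
  const detail = error instanceof Error ? error.message : String(error);
  return `screenshot failed for ${redactUrl(url)}: ${redactKeys(detail, knownKey)}`;
}
```

Use `safeErrorMessage(error, url, process.env.DEVUTILS_API_KEY)` in the `catch` branch in place of `error.message`; it also redacts the constructed key shape only, so extend `KEY_PATTERN` if your deployment uses other secret formats.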
When using the CDN SDK in browsers:
```html
<!-- ✓ Good - Use backend proxy -->
<script>
  fetch("/api/screenshot", {
    method: "POST",
    headers: { "Content-Type": "application/json" },
    body: JSON.stringify({ url: "https://example.com" }),
  });
</script>

<!-- ✗ Bad - Exposes API key in frontend -->
<script src="https://cdn.devutils.in/latest/sdk.min.js"></script>
<script>
  const sdk = new DevUtilsSDK("du_prod_abc123..."); // Exposed!
</script>
```

We release security updates as soon as possible. Subscribe to:
DevUtils SDKs comply with:
- OWASP Top 10 - Security best practices
- GDPR - Data protection regulations
- SOC 2 - Security controls
- ISO 27001 - Information security
We regularly audit third-party dependencies for vulnerabilities:
```bash
# Check dependency vulnerabilities
npm audit

# View detailed report
npm audit --json
```

We appreciate responsible disclosure of security issues. Please:
- Don't publicly disclose vulnerabilities before we can fix them
- Give us time to develop and release a fix
- Work with us to understand and resolve the issue
- Accept credit for responsible disclosure
Before deploying to production:
- API keys stored in environment variables
- HTTPS enabled for all API calls
- Input validation implemented
- Error handling doesn't expose sensitive data
- Rate limiting configured
- CORS properly configured
- Dependencies up to date
- Security headers configured
- Logging doesn't contain sensitive data
- Access control implemented
- Security Issues: security@devutils.in
- General Support: support@devutils.in
- GitHub Issues: Report Bug
Last updated: 2024-04-18