
Security: SH1SHANK/studyrix

Security Policy

Studyrix is a public, read‑only study materials platform. Security work focuses on protecting API keys, preventing abuse of the Drive proxy and search endpoints, and avoiding data exposure.

Reporting a Vulnerability

Please report security issues privately.

Preferred method:

  • Open a private security advisory on the GitHub repository.

Do not open public issues for vulnerabilities.

Supported Versions

Only the latest main branch is supported for security fixes.

Threat Model

Assumptions:

  • Public access
  • No authentication
  • Read‑only data flows
  • Community‑sourced content

Primary risks:

  • API key leakage
  • Drive proxy abuse
  • Excessive data exposure
  • XSS/injection
  • Quota exhaustion

Key Controls in This Repo

  • Supabase anon key only, no service‑role keys.
  • Drive IDs are validated server‑side before any request is proxied to Google Drive.
  • Rate limiting on the Drive proxy endpoints and on search.
  • CSP headers applied in middleware.
  • No dangerouslySetInnerHTML usage.

Required Platform Configuration

These are required in production and cannot be enforced only by code:

  • Supabase RLS enabled and SELECT‑only policies on courseRecords.
  • Google Drive API key restricted by application (HTTP referrer for browser callers; the proxy's server IP addresses if the key is only used server‑side) and by API restriction to the Drive API only.
  • Daily quota caps set for the Google Drive API, so quota exhaustion under abuse is bounded.

Handling Secrets

  • Keep secrets out of Git.
  • Use .env.local locally.
  • Never log API keys, and do not echo Drive IDs or other identifiers into client‑visible output or browser console logs.

Security Testing Checklist

  • Verify Drive ID validation rejects malformed IDs.
  • Verify CSP blocks inline scripts.
  • Confirm rate limiting returns 429 under abuse.
  • Verify no PII is available via API routes.
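The controls listed under Key Controls and the first three checklist items above, as an added example that is not code from the studyrix repository. It models a framework‑free Drive proxy handler with a server‑side Drive ID check, a per‑client rate limiter that answers 429, and a nonce‑based CSP, plus a check that a CSP header actually blocks inline scripts. All names (isValidDriveId, RateLimiter, handleDriveProxy, cspHeader, cspBlocksInlineScripts), the 25‑44 ID length window and the availability of a client IP are assumptions.

```typescript
// Added example, not code from the studyrix repository: a framework-free model
// of the server-side guards this policy lists for the Drive proxy route.
// Names (isValidDriveId, RateLimiter, handleDriveProxy, cspHeader,
// cspBlocksInlineScripts) and the ID length bounds are assumptions.
import { randomBytes } from "node:crypto";

// Drive file IDs use the URL-safe base64 alphabet. The 25-44 length window is
// an assumption chosen to reject obviously malformed input; widen it if real
// IDs fall outside it, but never accept "/", "." or "?" (path/query smuggling).
const DRIVE_ID_RE = /^[A-Za-z0-9_-]{25,44}$/;

export function isValidDriveId(id: unknown): id is string {
  return typeof id === "string" && DRIVE_ID_RE.test(id);
}

// Fixed-window counter per client key (e.g. client IP). In-memory state only
// protects a single instance; multi-instance deployments need shared storage.
export class RateLimiter {
  private readonly hits = new Map<string, { count: number; windowStart: number }>();

  constructor(private readonly limit: number, private readonly windowMs: number) {}

  // Returns true when the request is within budget; `now` is injectable for tests.
  allow(key: string, now: number = Date.now()): boolean {
    const entry = this.hits.get(key);
    if (!entry || now - entry.windowStart >= this.windowMs) {
      this.hits.set(key, { count: 1, windowStart: now });
      return true;
    }
    entry.count += 1;
    return entry.count <= this.limit;
  }

  // Seconds until the client's current window resets, for the Retry-After header.
  retryAfterSeconds(key: string, now: number = Date.now()): number {
    const entry = this.hits.get(key);
    if (!entry) return 0;
    return Math.max(1, Math.ceil((entry.windowStart + this.windowMs - now) / 1000));
  }
}

// Nonce-based CSP: no 'unsafe-inline', so an inline <script> without the nonce is blocked.
export function cspHeader(nonce: string): string {
  return [
    "default-src 'self'",
    `script-src 'self' 'nonce-${nonce}'`,
    "object-src 'none'",
    "base-uri 'self'",
    "frame-ancestors 'none'",
  ].join("; ");
}

// Check for the "CSP blocks inline scripts" item: true when the effective
// script source list has no 'unsafe-inline', or carries a nonce/hash (CSP2+
// browsers ignore 'unsafe-inline' when a nonce or hash is present).
export function cspBlocksInlineScripts(header: string): boolean {
  const directives = new Map<string, string[]>();
  for (const part of header.split(";")) {
    const [name, ...values] = part.trim().split(/\s+/);
    if (name) directives.set(name.toLowerCase(), values);
  }
  const src = directives.get("script-src") ?? directives.get("default-src");
  if (!src) return false; // no script restriction at all
  const unsafeInline = src.some((v) => v.toLowerCase() === "'unsafe-inline'");
  const nonceOrHash = src.some((v) => /^'(nonce-|sha(256|384|512)-)/i.test(v));
  return !unsafeInline || nonceOrHash;
}

export interface ProxyRequest { clientIp: string; fileId: unknown; }
export interface ProxyResponse { status: number; headers: Record<string, string>; body: string; }

// Order matters: rate-limit first so a flood of malformed IDs also gets 429,
// then validate before anything reaches Google's API with the server-held key.
export function handleDriveProxy(req: ProxyRequest, limiter: RateLimiter, now: number = Date.now()): ProxyResponse {
  const headers: Record<string, string> = {
    "Content-Security-Policy": cspHeader(randomBytes(16).toString("base64")),
  };
  if (!limiter.allow(req.clientIp, now)) {
    headers["Retry-After"] = String(limiter.retryAfterSeconds(req.clientIp, now));
    return { status: 429, headers, body: "rate limited" };
  }
  if (!isValidDriveId(req.fileId)) {
    return { status: 400, headers, body: "invalid file id" };
  }
  // A real route would now fetch drive/v3/files/<id> with the server-held API
  // key and stream the body back; omitted here so the example runs offline.
  return { status: 200, headers, body: `would proxy ${req.fileId}` };
}
```

The checklist maps onto this directly: call the route with a malformed ID and expect 400, exceed the limit and expect 429 with a Retry‑After header, and feed the returned Content‑Security‑Policy header to a check like cspBlocksInlineScripts. The in‑memory limiter is per instance; behind several instances it must be backed by shared storage, otherwise abuse is only throttled per instance.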

Responsible Disclosure Timeline

We aim to acknowledge within 72 hours and ship fixes as fast as possible. Timing may vary based on severity and deployment constraints.
