Security Policy

Supported Versions

Security updates are provided for the following versions:

Version   Supported   Python Version
0.1.x     ✓ Yes       3.12 - 3.16

Security Features

  • AES & RSA Encryption: Secure data encryption utilities
  • Password Hashing: PBKDF2-based secure password hashing
  • HMAC Signatures: Message authentication
  • CORS Protection: Configurable CORS middleware
  • Input Validation: Pydantic-based request validation
  • SQL Injection Protection: ORM-based queries prevent SQL injection
  • XSS Protection: Automatic HTML escaping in templates
  • JWT Authentication: Token-based authentication
  • CSRF Protection: Cross-Site Request Forgery protection

Reporting a Vulnerability

Please do not report security vulnerabilities through public GitHub issues.

If you discover a security vulnerability, please send an email to:

security@vayuapi.dev

Report Information

Please include the following information:

  • Type of vulnerability
  • Full paths of source file(s) related to the issue
  • Location of the affected source code
  • Any special configuration required to reproduce the issue
  • Step-by-step instructions to reproduce the issue
  • Proof-of-concept or exploit code (if possible)
  • Impact of the issue

Response Timeline

  1. Report Received: We acknowledge receipt within 48 hours
  2. Investigation: We investigate and validate the report
  3. Fix Development: A patch is developed and tested
  4. Security Advisory: We publish a security advisory
  5. Release: A new version is released with the fix
  6. Notification: Users are notified through GitHub and security advisories

Common Vulnerabilities & Prevention

SQL Injection

Prevention: Use ORM-based queries instead of raw SQL strings.

# ✓ Good - Safe with ORM
user = await User.get(id=user_id)

# ✗ Bad - Vulnerable to SQL injection
user = await db.execute(f"SELECT * FROM users WHERE id={user_id}")

Cross-Site Scripting (XSS)

Prevention: Always escape user input and use Pydantic validation.

from pydantic import BaseModel

# ✓ Good - validated by Pydantic; templates escape the text when it is rendered
class Comment(BaseModel):
    text: str

# ✗ Bad - Could contain malicious scripts
raw_comment = request.query_params.get("comment")
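The section above relies on the template layer to escape output. Where HTML is assembled by hand (an error page, an e-mail body, a fragment returned from an API), the same escaping has to be done explicitly. The following is an added, stand-alone example using the standard library's html.escape; it is not vayuapi code, and the render_comment function and its URL allow-list are this example's own choices.

```python
import html


def render_comment(author: str, text: str, profile_url: str) -> str:
    """Build an HTML fragment from untrusted values, escaping each for its context.

    html.escape(..., quote=True) rewrites <, >, &, " and ' so that user-supplied
    text can neither close the surrounding element nor break out of an attribute.
    """
    safe_author = html.escape(author, quote=True)
    safe_text = html.escape(text, quote=True)
    # Attribute context: escaping alone does not make a URL safe, because a
    # "javascript:" scheme survives escaping intact. Allow only http(s) links.
    if not profile_url.lower().startswith(("http://", "https://")):
        profile_url = "#"
    safe_url = html.escape(profile_url, quote=True)
    return (
        '<div class="comment">'
        f'<a href="{safe_url}">{safe_author}</a>: <p>{safe_text}</p>'
        "</div>"
    )


if __name__ == "__main__":
    # Constructed input: a comment body that would execute if inserted raw.
    print(render_comment("bob", "<script>alert(1)</script>", "https://example.com/u/bob"))
```

Escaping is context-specific: the element-body and quoted-attribute cases are covered by html.escape, but a value placed inside a URL, a JavaScript block or a CSS rule needs the encoding for that context, which is why the example allow-lists the scheme rather than trusting escaping alone.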

Cross-Site Request Forgery (CSRF)

Prevention: Implement CSRF tokens and use proper HTTP methods.

from vayuapi import VayuAPI
from vayuapi.security import CSRFProtection

app = VayuAPI()
csrf = CSRFProtection(app)

@app.post("/submit")
async def submit_form(request):
    csrf.validate(request)  # rejects the request when the token is missing or invalid
    # Process form
    return {"status": "ok"}
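CSRFProtection above hides how a token is issued and checked. The following is an added example, not vayuapi's implementation, showing one common construction with the standard library: the token is an HMAC-SHA256 signature (the same primitive the "HMAC Signatures" feature refers to) over the session id, an issue time and a nonce, so a token cannot be forged without the server secret, cannot be replayed for another session, and expires. SECRET_KEY, TOKEN_TTL_SECONDS and the token layout are this example's assumptions.

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional

# Hypothetical server secret; a real deployment loads it from the environment
# (see "Use Environment Variables for Secrets" below), never from source.
SECRET_KEY = b"constructed-example-secret-do-not-use"
TOKEN_TTL_SECONDS = 3600


def _sign(session_id: str, issued_at: str, nonce: str) -> str:
    """HMAC-SHA256 over the fields that the token is bound to."""
    msg = f"{session_id}|{issued_at}|{nonce}".encode()
    return hmac.new(SECRET_KEY, msg, hashlib.sha256).hexdigest()


def issue_csrf_token(session_id: str, now: Optional[float] = None) -> str:
    """Create a token for this session: <issued_at>.<nonce>.<mac>."""
    issued_at = str(int(now if now is not None else time.time()))
    nonce = secrets.token_hex(8)
    return f"{issued_at}.{nonce}.{_sign(session_id, issued_at, nonce)}"


def validate_csrf_token(token: str, session_id: str, now: Optional[float] = None) -> bool:
    """True only for an unmodified, unexpired token issued for this session."""
    try:
        issued_at, nonce, mac = token.split(".")
        issued = int(issued_at)
    except ValueError:
        return False  # malformed token
    current = now if now is not None else time.time()
    if current - issued > TOKEN_TTL_SECONDS or issued > current + 60:
        return False  # expired, or issued in the future (clock tampering)
    expected = _sign(session_id, issued_at, nonce)
    # Constant-time comparison so a forged MAC cannot be refined via timing.
    return hmac.compare_digest(expected, mac)


def check_form_submission(form: dict, session_id: str) -> bool:
    """Handler-side check: the form must carry a valid token for the caller's session."""
    return validate_csrf_token(form.get("csrf_token", ""), session_id)


if __name__ == "__main__":
    # Constructed usage: issue on GET of the form, validate on POST.
    token = issue_csrf_token("session-abc")
    print(check_form_submission({"csrf_token": token}, "session-abc"))  # True
```

The session id is taken from the authenticated session (cookie or server-side store), never from the form itself; otherwise an attacker could submit both a session id and a token they generated for it.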

Insecure Deserialization

Prevention: Always use Pydantic models, never pickle untrusted data.

import pickle

# ✓ Good - Type-safe deserialization (json_data is the decoded dict;
# Pydantic v2 also offers User.model_validate)
data = User.parse_obj(json_data)

# ✗ Bad - Vulnerable: pickle can execute code while loading
data = pickle.loads(untrusted_bytes)

Best Practices for Users

1. Keep Dependencies Updated

pip install --upgrade vayuapi
pip install safety
safety check

2. Use Environment Variables for Secrets

import os

# ✓ Good - Use environment variables
api_key = os.getenv("OPENAI_API_KEY")
db_password = os.getenv("DB_PASSWORD")

# ✗ Bad - Hardcoded secrets
api_key = "sk-1234567890abcdef"

3. Enable Security Features

from vayuapi import VayuAPI

app = VayuAPI(
    debug=False,  # Always False in production
    cors_enabled=True,
    allowed_origins=["https://example.com"],  # Specific origins
)

4. Use HTTPS/TLS

uvicorn main:app \
  --ssl-keyfile key.pem \
  --ssl-certfile cert.pem

5. Input Validation

from pydantic import BaseModel, EmailStr

class User(BaseModel):
    name: str
    email: EmailStr
    age: int

# Pydantic automatically validates

6. Implement Rate Limiting

from slowapi import Limiter, _rate_limit_exceeded_handler
from slowapi.errors import RateLimitExceeded
from slowapi.util import get_remote_address
from starlette.requests import Request

# slowapi needs a key function (here the client address) to know what to count,
# and expects a Starlette-compatible app object
limiter = Limiter(key_func=get_remote_address)
app.state.limiter = limiter
app.add_exception_handler(RateLimitExceeded, _rate_limit_exceeded_handler)

@app.get("/api/endpoint")
@limiter.limit("5/minute")
async def limited_endpoint(request: Request):  # slowapi requires a `request` parameter
    return {"status": "ok"}
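To show what a rate limiter such as the one above actually does per client, here is an added, dependency-free sliding-window implementation; it is example code, not slowapi's or vayuapi's. The limiter keeps recent request timestamps per key (a client IP in the usage shown), refuses a request once the window holds `limit` entries, and reports how long the caller should wait. The clock is injectable so the behaviour can be checked without sleeping.

```python
import time
from collections import defaultdict, deque


class SlidingWindowLimiter:
    """Allow at most `limit` requests per `window` seconds for each key."""

    def __init__(self, limit: int, window: float, clock=time.monotonic):
        self.limit = limit
        self.window = window
        self.clock = clock  # injectable for deterministic tests
        self._hits: dict[str, deque] = defaultdict(deque)

    def allow(self, key: str) -> bool:
        now = self.clock()
        hits = self._hits[key]
        # Discard timestamps that have aged out of the window.
        while hits and now - hits[0] >= self.window:
            hits.popleft()
        if len(hits) >= self.limit:
            return False  # over the limit; caller answers 429
        hits.append(now)
        return True

    def retry_after(self, key: str) -> float:
        """Seconds until the oldest counted request leaves the window."""
        hits = self._hits[key]
        if len(hits) < self.limit:
            return 0.0
        return max(0.0, self.window - (self.clock() - hits[0]))


def handle_request(limiter: SlidingWindowLimiter, client_ip: str) -> tuple:
    """Minimal handler: (200, body) when allowed, (429, body) with Retry-After otherwise."""
    if not limiter.allow(client_ip):
        return 429, {
            "error": "rate limit exceeded",
            "retry_after": round(limiter.retry_after(client_ip), 3),
        }
    return 200, {"status": "ok"}


if __name__ == "__main__":
    # Constructed usage: six calls from one client against a 5/minute limit.
    lim = SlidingWindowLimiter(limit=5, window=60.0)
    for _ in range(6):
        print(handle_request(lim, "203.0.113.5")[0])  # 200 x5, then 429
```

Keying on the client address is only meaningful when the real address is known; behind a proxy, take it from the proxy's header and only from proxies you trust, or the limit can be bypassed by setting the header. For a multi-process deployment the per-key state has to live in a shared store rather than in-process memory.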

7. Use Parameterized Queries

# ✓ Good - ORM handles escaping
user = await User.get(id=user_id)

# ✗ Bad - SQL injection risk
query = f"SELECT * FROM users WHERE id={user_id}"
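The "SQL Injection" section above and this item show the same ORM call as the safe form. The added example below makes the difference concrete on a plain database driver, since raw SQL is sometimes unavoidable: the same lookup written by string formatting and written with a bound parameter, run against a constructed in-memory SQLite table. It is example code, not vayuapi's ORM; the table, rows and function names are constructed for the demonstration.

```python
import sqlite3


def demo_db() -> sqlite3.Connection:
    """Constructed in-memory database with three sample users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)", [(1, "alice"), (2, "bob"), (3, "carol")]
    )
    return conn


def get_user_unsafe(conn: sqlite3.Connection, user_id: str) -> list:
    # Vulnerable: the value is spliced into the SQL text, so anything the client
    # sends becomes part of the statement and can change what it matches.
    return conn.execute(f"SELECT id, name FROM users WHERE id={user_id}").fetchall()


def get_user_safe(conn: sqlite3.Connection, user_id: str) -> list:
    # Parameterized: the driver passes the value separately from the statement,
    # so it is only ever compared as data. Validating the type first also
    # rejects non-numeric ids before they reach the database at all.
    try:
        uid = int(user_id)
    except ValueError:
        return []
    return conn.execute("SELECT id, name FROM users WHERE id=?", (uid,)).fetchall()


if __name__ == "__main__":
    conn = demo_db()
    print(get_user_safe(conn, "2"))          # [(2, 'bob')]
    print(get_user_safe(conn, "2 OR 1=1"))   # [] - rejected as a non-integer id
```

The check that tells the two apart is whether a value that is not a valid id can still change the result set; the parameterized version returns nothing for such input, while the formatted version returns every row, which is the behaviour the ORM prevents for you.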

8. Implement Authentication & Authorization

from vayuapi.security import verify_token
# `Depends` is FastAPI-style dependency injection; import it from wherever the framework exports it

@app.get("/protected")
async def protected_route(token: str = Depends(verify_token)):
    return {"message": "Protected resource"}

9. Monitor and Log Security Events

import logging

logger = logging.getLogger(__name__)

@app.post("/login")
async def login(username: str, password: str):
    logger.warning(f"Login attempt: {username}")
    # Process login
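Logging attempts is only useful if something reads the log. The added example below, which is not part of vayuapi, parses constructed log lines in the shape a login handler like the one above would produce if it also recorded the outcome and client address, and flags any source that accumulates five or more failures within five minutes. The log format, field names, threshold and window are this example's assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (documentation IP ranges, fictional users).
SAMPLE_LOG = """\
2024-05-01T10:00:01Z WARNING auth: login failed user=alice ip=203.0.113.5
2024-05-01T10:00:03Z WARNING auth: login failed user=alice ip=203.0.113.5
2024-05-01T10:00:04Z WARNING auth: login failed user=bob ip=203.0.113.5
2024-05-01T10:00:06Z WARNING auth: login failed user=carol ip=203.0.113.5
2024-05-01T10:00:07Z WARNING auth: login failed user=dave ip=203.0.113.5
2024-05-01T10:00:09Z INFO auth: login ok user=erin ip=198.51.100.7
2024-05-01T10:30:00Z WARNING auth: login failed user=erin ip=198.51.100.7
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ auth: login (?P<outcome>failed|ok) "
    r"user=(?P<user>\S+) ip=(?P<ip>\S+)$"
)


def parse_events(text: str) -> list:
    """Turn matching log lines into dicts; lines in any other format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        d = m.groupdict()
        d["ts"] = datetime.strptime(d["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(d)
    return events


def detect_bruteforce(events, threshold: int = 5, window=timedelta(minutes=5)) -> dict:
    """Map each source IP with >= threshold failures inside any `window` to a summary.

    distinct_users distinguishes guessing one account's password from spraying
    a few passwords across many accounts; both exceed the threshold here.
    """
    failures = defaultdict(list)
    for e in events:
        if e["outcome"] == "failed":
            failures[e["ip"]].append(e)
    alerts = {}
    for ip, evs in failures.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(evs)):  # sliding window over sorted failures
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            if end - start + 1 >= threshold:
                alerts[ip] = {
                    "failures": end - start + 1,
                    "distinct_users": len({e["user"] for e in evs[start:end + 1]}),
                }
                break
    return alerts


if __name__ == "__main__":
    print(detect_bruteforce(parse_events(SAMPLE_LOG)))
```

Whatever the handler logs, it must never include the submitted password, and the username should be treated as untrusted text (log it quoted or length-limited) so a crafted value cannot forge extra log lines.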

10. Regular Security Audits

pip install bandit
bandit -r . # Scan for security issues

Encryption Examples

AES Encryption

from vayuapi.security import AESEncryption

cipher = AESEncryption()
plaintext = "sensitive data"
encrypted = cipher.encrypt(plaintext)
decrypted = cipher.decrypt(encrypted)

assert plaintext == decrypted

Password Hashing

from vayuapi.security import hash_password, verify_password

password = "my_secure_password"
hashed = hash_password(password)

# Verify password
is_valid = verify_password(password, hashed)
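The page states that vayuapi's password hashing is PBKDF2-based but not which digest, iteration count or storage encoding it uses. The added example below is a stand-alone standard-library implementation of the same idea, not the project's code, so the parameters and the "pbkdf2_sha256$iterations$salt$hash" string format are this example's own choices. It shows the parts that matter for a correct implementation: a fresh random salt per password, a deliberately slow iteration count, the parameters stored alongside the hash so they can be raised later, and a constant-time comparison on verify.

```python
import hashlib
import hmac
import os

ALGORITHM = "sha256"
ITERATIONS = 600_000   # cost factor; raise over time as hardware gets faster
SALT_BYTES = 16


def pbkdf2_hash_password(password: str) -> str:
    """Return 'pbkdf2_sha256$<iterations>$<salt-hex>$<hash-hex>' for storage."""
    salt = os.urandom(SALT_BYTES)  # unique per password, so equal passwords hash differently
    digest = hashlib.pbkdf2_hmac(ALGORITHM, password.encode("utf-8"), salt, ITERATIONS)
    return f"pbkdf2_{ALGORITHM}${ITERATIONS}${salt.hex()}${digest.hex()}"


def pbkdf2_verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored parameters and compare in constant time."""
    try:
        scheme, iterations, salt_hex, hash_hex = stored.split("$")
        algo = scheme.removeprefix("pbkdf2_")
        digest = hashlib.pbkdf2_hmac(
            algo, password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
        )
    except (ValueError, TypeError):
        return False  # malformed record or unknown digest
    # compare_digest prevents leaking how many leading bytes matched via timing.
    return hmac.compare_digest(digest.hex(), hash_hex)


def needs_rehash(stored: str) -> bool:
    """True when a record was made with fewer iterations than the current setting."""
    try:
        _, iterations, _, _ = stored.split("$")
        return int(iterations) < ITERATIONS
    except ValueError:
        return True


if __name__ == "__main__":
    record = pbkdf2_hash_password("my_secure_password")
    print(record)
    print(pbkdf2_verify_password("my_secure_password", record))  # True
```

Because the iteration count travels with each record, raising ITERATIONS does not invalidate existing hashes; needs_rehash lets a login handler upgrade a record the next time that user authenticates successfully.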

Security Resources

Need Help?

For security-related questions, please: