Security Policy
Last updated: January 1, 2025

The security of XCASPER SPACE APIs and the developers who use them is important to us. This document outlines our security practices and how to responsibly disclose vulnerabilities.
🔐 Our Security Practices
- Input validation: All API endpoints validate required parameters before processing.
- Output escaping: User-supplied data is HTML-escaped before rendering in the browser UI.
- No persistent storage of request data: API request payloads are processed in memory only and not written to disk.
- Structured error responses: Internal stack traces are never exposed in API responses — only safe error messages are returned.
- HTTPS only: All production deployments are served over HTTPS via platform-managed TLS.
⚠️ Known Limitations
- This platform is designed for development and demonstration use. Production deployments handling sensitive data should add additional authentication layers.
- There is no built-in API key authentication — endpoints are publicly accessible by default.
- Rate limiting is not enforced at the application level; rely on platform-level controls (Vercel, Heroku, etc.).
🐛 Reporting a Vulnerability
If you discover a security vulnerability in XCASPER SPACE APIs, please disclose it responsibly. We ask that you:
- Do not publicly disclose the vulnerability before it is patched
- Do not use the vulnerability to access, modify, or delete data
- Provide enough detail to reproduce and understand the issue
To report a vulnerability, open a private security advisory on our GitHub repository, or contact us directly through GitHub.
⏱️ Response Timeline
- Acknowledgement: Within 48 hours of report
- Initial assessment: Within 5 business days
- Patch or mitigation: Within 30 days for critical issues
🙏 Responsible Disclosure
We appreciate security researchers who take the time to responsibly disclose issues. Valid reports that lead to a fix will be acknowledged in our Acknowledgements page (with your permission).