EasyPrompt follows a defense-in-depth approach:
- Row-Level Security (RLS) on all user data
- Owner-scoped access using `auth.uid()`
- Server-side secrets only
- Zod validation on all inputs
- Server Actions and authenticated API routes for mutations
- Strict security headers on every route
- Service-role key isolated to server-only validated writes
- RLS enabled on all tables
- Access restricted to resource owners
- Authorization enforced at both the database and application layers
- Supabase Authentication
- Email verification support
- User enumeration protection
- Leaked password protection should be enabled in Supabase Auth settings; the security advisor must be checked after auth changes
- No authorization decisions from `user_metadata`. `user_metadata` is user-controlled and is never used for roles, ownership, Pro status, publishing, or permissions.
- Permission sources must be server-controlled: RLS owner rows, signed server claims, `app_metadata`, or validated server-only provider checks.
- Browser Supabase clients use only `NEXT_PUBLIC_SUPABASE_ANON_KEY` plus RLS. `SUPABASE_SERVICE_ROLE_KEY` is server-only. It is used only after explicit checks, such as signed-code validation plus `getUser()` for entitlement redemption.
- Entitlement rows are read by owners through RLS, but writes are blocked from normal authenticated clients.
- Publishing writes to `visibility` and `share_slug` go through a narrow `SECURITY DEFINER` RPC that checks `auth.uid()`, target kind, owner, id, and allowed visibility values.
- Input validation with Zod
- CSRF protection through Next.js Server Actions
- Rate limiting on sensitive endpoints
- Content Security Policy (CSP)
- X-Frame-Options, X-Content-Type-Options, Referrer-Policy, and Permissions-Policy headers
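The owner-scoped RLS and the narrow `SECURITY DEFINER` publishing RPC described above, as an added SQL example that is not EasyPrompt's own schema or migration code. The `prompts` table and its columns, the function name `publish_target`, and the visibility values `private`/`unlisted`/`public` are assumptions.

```sql
-- Hypothetical table; the real EasyPrompt schema is not shown on this page.
create table if not exists public.prompts (
  id         uuid primary key default gen_random_uuid(),
  owner_id   uuid not null references auth.users (id),
  title      text not null,
  visibility text not null default 'private',
  share_slug text unique
);
alter table public.prompts enable row level security;
-- Owners read their own rows; RLS, not the client, decides what is visible.
create policy prompts_owner_select on public.prompts
  for select to authenticated using (owner_id = auth.uid());
-- Normal clients may edit ordinary columns but never visibility/share_slug.
revoke update on public.prompts from authenticated;
grant update (title) on public.prompts to authenticated;
create policy prompts_owner_update on public.prompts
  for update to authenticated using (owner_id = auth.uid());
-- The only path that writes visibility/share_slug: a narrow SECURITY DEFINER RPC.
create or replace function public.publish_target(
  p_kind text, p_id uuid, p_visibility text, p_share_slug text
) returns void
language plpgsql
security definer
set search_path = public        -- pin search_path so callers cannot shadow objects
as $$
declare
  v_uid  uuid := auth.uid();    -- still the caller's identity under SECURITY DEFINER
  v_rows int;
begin
  if v_uid is null then
    raise exception 'not authenticated' using errcode = '42501';
  end if;
  if p_kind <> 'prompt' then    -- one branch per supported target kind
    raise exception 'unsupported target kind: %', p_kind;
  end if;
  if p_visibility not in ('private', 'unlisted', 'public') then
    raise exception 'invalid visibility: %', p_visibility;
  end if;
  update public.prompts
     set visibility = p_visibility, share_slug = p_share_slug
   where id = p_id and owner_id = v_uid;   -- id AND owner checked in one predicate
  get diagnostics v_rows = row_count;
  if v_rows = 0 then
    raise exception 'target not found or not owned by caller';
  end if;
end;
$$;
revoke all on function public.publish_target(text, uuid, text, text) from public, anon; -- anon gets nothing
grant execute on function public.publish_target(text, uuid, text, text) to authenticated;
```

Because the function runs with its definer's privileges, the owner predicate inside the `UPDATE` and the grant limited to `authenticated` are what keep it narrow; without them a `SECURITY DEFINER` function becomes a privilege-escalation path.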
Pro access codes use a stateless, HMAC-signed model. When a user is signed in, redemption binds the
entitlement to the account through a server-only privileged write after the code is validated and the
user is resolved with `getUser()`. Anonymous redemption is bearer-style and is
intended for low-friction access without account setup. It does not expose user data or weaken account
isolation.
If you discover a security vulnerability, please report it privately:
Please do not open public issues for security reports.