Skip to content

Security: wezzcoetzee/moving-average-bot

Security

docs/SECURITY.md

Security

Threat Model

Single-user application running on a private server. Not exposed to the public internet. No multi-tenant concerns.

Authentication

None. All API routes are open. The only exception is /api/cron, which requires a CRON_SECRET bearer token in the Authorization header.

Private Key Encryption

Private keys are encrypted at rest using AES-256-GCM:

  • Algorithm: AES-256-GCM (authenticated encryption)
  • Key: 32-byte key from ENCRYPTION_KEY env var (64 hex chars)
  • Storage: Bot.encryptedKey field in database
  • Decryption: Only at runtime via decrypt() in lib/encryption.ts
  • Derivation: Wallet address derived from decrypted key via privateKeyToAccount (viem)

Environment Variables

Sensitive values that must be protected:

  • ENCRYPTION_KEY — master encryption key
  • DATABASE_URL — database connection string
  • CRON_SECRET — cron endpoint auth
  • CRON_ALERT_WEBHOOK_URL — optional Discord webhook for cron failure alerts

Per-bot Discord webhook URLs are stored in the bots.discord_webhook_url column (not an env var).

What's Not Needed

  • CORS: Not a public API
  • CSRF: No browser-based auth sessions
  • Rate limiting: Single user
  • Input sanitization for XSS: API-only interactions, no user-generated HTML rendering

There aren't any published security advisories