| Version | Supported |
|---|---|
| 1.0.x | ✅ |

If you discover a security vulnerability, please send an email to security@humanapi.com.

Please DO NOT:

- Open a public GitHub issue
- Disclose the vulnerability publicly
- Share exploit code

Please DO:

- Email security@humanapi.com
- Include a detailed description
- Include reproduction steps
- Suggest a fix (if possible)

We aim to respond within 48 hours to all security reports.

- Initial Report - You report the vulnerability
- Acknowledgment - We acknowledge receipt within 48 hours
- Investigation - We investigate the issue
- Resolution - We fix the vulnerability
- Verification - You verify the fix
- Public Disclosure - We publish a security advisory

- Keep API keys secure
- Use environment variables for secrets
- Enable HTTPS in production
- Regularly update dependencies
- Review code before deployment
- Never commit secrets
- Use .env.example for configuration
- Implement rate limiting
- Validate all user inputs
- Use parameterized queries (Prisma handles this)
- Never share API keys
- Rotate keys regularly
- Use different keys for different environments
- Monitor usage for suspicious activity

- JWT-based authentication
- Secure password hashing (bcrypt)
- Token expiration
- Refresh token mechanism
- Rate limiting
- CORS protection
- Input validation (Zod)
- SQL injection prevention (Prisma)
- XSS protection (React)
- HTTPS enforcement
- Sensitive data encryption
- Secure file upload (S3)
- GDPR compliance
- Stripe Connect (PCI compliant)
- Secure payment processing
- Webhook signature verification

We regularly update dependencies to address security vulnerabilities. Use:

```shell
npm audit
npm audit fix
```

- PCI DSS Level 1 certified
- SOC 2 Type II certified
- ISO 27001 certified
- Encryption at rest
- Encryption in transit
- Access controls
- Row-level security
- SSL/TLS encryption
- Role-based access control

Thank you for helping keep HumanAPI secure! 🛡️