We provide security updates for the latest version of API Docs Starter.
| Version | Supported |
|---|---|
| 1.0.x | ✅ |
| < 1.0.0 | ❌ |
If you discover a security vulnerability within API Docs Starter, please send an email to Rafael Teixeira at rafactx@icloud.com. All security vulnerabilities will be promptly addressed.
Please include the following information in your report:
- A clear description of the vulnerability
- Steps to reproduce the vulnerability
- Potential impact of the vulnerability
- Any suggested mitigation or fix
We will acknowledge receipt of your vulnerability report within 48 hours and provide an estimated timeline for addressing the issue.
When using this template for your API documentation:

1. **Environment Variables**
   - Never commit sensitive information to version control
   - Use environment variables for API keys and credentials
   - Include `.env.example` with placeholder values
2. **Authentication Examples**
   - The template uses placeholder authentication examples
   - Replace with your actual authentication mechanism
   - Follow security best practices for your specific auth method
3. **Content Security Policy**
   - Implement appropriate CSP headers for your deployment
   - Consider the security requirements of your specific API
   - Regularly review and update security configurations
4. **Dependencies**
   - Regularly update dependencies to get security patches
   - Use `npm audit` or `pnpm audit` to check for vulnerabilities
   - Monitor security advisories for used packages
When contributing to this template:

1. **No Secrets in Code**
   - Never commit API keys, passwords, or other secrets
   - Use placeholder values in examples and documentation
   - Ensure all secrets are properly documented as placeholders
2. **Dependency Security**
   - Check security implications of new dependencies
   - Prefer well-maintained packages with good security track records
   - Update dependencies regularly
3. **Input Validation**
   - Validate all user inputs in components
   - Sanitize user-generated content
   - Prevent XSS vulnerabilities
4. **Secure Communication**
   - Use HTTPS for all external resources
   - Implement proper CORS policies
   - Validate external API responses
The template includes generic OpenAPI specifications. When customizing:

1. **Remove Sensitive Information**
   - Don't include real API keys or endpoints in public repos
   - Use placeholder domains and credentials
   - Remove any internal server information
2. **Authentication Documentation**
   - Document your actual authentication method
   - Include security considerations specific to your API
   - Provide examples of secure implementation
This template generates static HTML files. Consider:

1. **Deployment Security**
   - Use secure hosting providers
   - Implement proper access controls
   - Enable HTTPS and security headers
2. **Content Security**
   - Implement appropriate CSP headers
   - Use Subresource Integrity (SRI) for external scripts
   - Regularly audit included third-party resources
3. **Analytics and Tracking**
   - The template includes Vercel analytics (optional)
   - Consider privacy implications of tracking
   - Provide opt-out options where required
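The "Content Security" and "Deployment Security" items above (CSP headers, SRI on external scripts, HTTPS, auditing third-party resources) can be checked mechanically against the generated HTML. The script below is an added example, not part of the template; the page markup, the CDN hostnames and the `FETCHED` bodies are constructed stand-ins for a real build output and real downloads.

```python
import base64
import hashlib
from html.parser import HTMLParser

def sri_for(body: bytes) -> str:
    """Compute the sha384 SRI value a browser would compare against."""
    return "sha384-" + base64.b64encode(hashlib.sha384(body).digest()).decode()

# Constructed sample: one correct SRI, one stale hash, one external script without SRI, one local asset.
CDN_BODY = b"console.log('analytics stub');"
FETCHED = {"https://cdn.example.com/analytics.js": CDN_BODY,
           "https://cdn.example.com/widget.js": CDN_BODY}
SAMPLE_HTML = f"""<html><head>
<meta http-equiv="Content-Security-Policy" content="default-src 'self'; script-src 'self' https://cdn.example.com">
<script src="https://cdn.example.com/analytics.js" integrity="{sri_for(CDN_BODY)}" crossorigin="anonymous"></script>
<script src="https://cdn.example.com/widget.js" integrity="sha384-AAAA" crossorigin="anonymous"></script>
<script src="https://other.example.net/tracker.js"></script>
<script src="/assets/app.js"></script>
</head></html>"""

class ScriptCollector(HTMLParser):
    """Collect <script src=...> attributes and any CSP <meta> tag from a built page."""
    def __init__(self):
        super().__init__()
        self.scripts, self.csp = [], None
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script" and a.get("src"):
            self.scripts.append(a)
        if tag == "meta" and (a.get("http-equiv") or "").lower() == "content-security-policy":
            self.csp = a.get("content")

def audit(html: str, fetched: dict) -> list:
    """Return (src, problem) findings; `fetched` maps script URL -> bytes the CDN served."""
    p = ScriptCollector()
    p.feed(html)
    findings = []
    if p.csp is None:
        findings.append(("<page>", "no CSP meta tag"))
    for s in p.scripts:
        src = s["src"]
        if not src.startswith(("http://", "https://", "//")):
            continue  # same-origin asset: SRI is optional here
        if not src.startswith("https://"):
            findings.append((src, "external script not loaded over https"))
        elif "integrity" not in s:
            findings.append((src, "external script without integrity attribute"))
        elif s.get("crossorigin") != "anonymous":
            findings.append((src, "integrity without crossorigin=anonymous"))
        elif src in fetched and sri_for(fetched[src]) != s["integrity"]:
            findings.append((src, "integrity hash does not match fetched content"))
    return findings
```

Run it over every file in the build output directory before deploying; an empty findings list means each third-party script is pinned to the bytes you reviewed.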
1. **Report Received**: Vulnerability report is received and acknowledged
2. **Assessment**: Vulnerability is validated and impact assessed (1-3 business days)
3. **Fix Development**: Patch is developed and tested (3-10 business days)
4. **Release**: Security patch is released (timeline depends on severity)
5. **Public Disclosure**: Public disclosure coordinated with reporter

- **Critical**: Exploitable vulnerabilities with high impact (24-48 hour response)
- **High**: Vulnerabilities that could compromise user data (3-5 day response)
- **Medium**: Vulnerabilities with limited impact (7-14 day response)
- **Low**: Minor security issues (30 day response)
Security researchers who responsibly disclose vulnerabilities will be credited in the security advisory and changelog, unless they prefer to remain anonymous.
For security-related inquiries:
- Email: rafactx@icloud.com
- GitHub Issues: Report a security issue
Please do not report security vulnerabilities through public GitHub issues.