Security: raoankitdev/properties.ai
Security Review — MVP V4 (18.01.2026)
Backend hardened: CORS via env in prod; dev default API key blocked.
Rate limiting active with per-client RPM and request IDs.
No secrets in frontend bundle; NEXT_PUBLIC_API_KEY marked dev-only.
Low: Frontend npm audit reports transitive issues (jest/ts-node/diff). Impact: dev-only, low severity.
Low: Streamlit V3 helpers still contain legacy patterns; isolated from V4 API.
Added ENVIRONMENT and CORS_ALLOW_ORIGINS handling in settings.py.
Enforced dev key block in prod in api/auth.py.
Updated frontend docs to prohibit client secrets in production in frontend/README.md.
Fixed lint issues (unused import, bare except, print) in common/cfg.py and utils.py.
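The two backend changes above (ENVIRONMENT plus CORS_ALLOW_ORIGINS handling in settings, and the dev-key block in prod) as an added, stand-alone example; this is illustrative code, not the project's settings.py or api/auth.py, and the env-var names API_KEY, the DEV_DEFAULT_API_KEY placeholder and the function names are assumptions.

```python
import hmac
from dataclasses import dataclass

# Placeholder value: the project's real dev default key is not on the page.
DEV_DEFAULT_API_KEY = "dev-default-key-placeholder"


@dataclass(frozen=True)
class Settings:
    environment: str
    cors_allow_origins: tuple
    api_key: str


def load_settings(env):
    """Build settings from an env-var mapping, refusing unsafe prod values."""
    environment = env.get("ENVIRONMENT", "dev").strip().lower()
    raw = env.get("CORS_ALLOW_ORIGINS", "")
    origins = tuple(o.strip() for o in raw.split(",") if o.strip())
    api_key = env.get("API_KEY", DEV_DEFAULT_API_KEY)  # dev falls back to the dev default
    if environment == "prod":
        # CORS must come from env in prod and must be an explicit allowlist.
        if not origins or "*" in origins:
            raise ValueError("CORS_ALLOW_ORIGINS must list explicit origins in prod")
        # The dev default key is never an acceptable prod credential.
        if hmac.compare_digest(api_key, DEV_DEFAULT_API_KEY):
            raise ValueError("API_KEY must be set to a non-default value in prod")
    return Settings(environment, origins, api_key)


def origin_allowed(settings, origin):
    """Exact-match allowlist check for the Origin header (no wildcard in prod)."""
    return origin in settings.cors_allow_origins


def is_authorized(settings, presented_key):
    """Constant-time key check; the dev default is rejected outright in prod."""
    if not presented_key:
        return False
    if settings.environment == "prod" and hmac.compare_digest(presented_key, DEV_DEFAULT_API_KEY):
        return False  # defence in depth: block even if a prod API_KEY were misconfigured
    return hmac.compare_digest(presented_key, settings.api_key)
```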
Frontend: add overrides to enforce diff >= 8.0.3 if compatible; monitor jest chain.
Backend: CI includes pip-audit job; pin critical dependencies; enable Trivy/Docker Scout for images.
Logging: keep redaction policy; avoid sensitive payloads in logs.
Input validation: continue using Pydantic; sanitize free-text if used for search.
Secrets: use platform secrets; never commit .env; rotate keys quarterly.
Add CI jobs: ruff, mypy, pytest, npm lint/test, bandit (static analysis), pip-audit.
Evaluate move to pgvector on Neon/Supabase for managed persistence.