Skip to content

Security: SrishtiSonam/CureShieldSynapse

Security

SECURITY.md

πŸ” Security Documentation

βœ… Fixed Security Issues

1. Hardcoded Credentials (CRITICAL - FIXED)

  • Issue: Django SECRET_KEY and database credentials were hardcoded in settings.py
  • Fix: Moved all sensitive data to environment variables
  • Files Modified:
    • Backend/backend/settings.py
    • Backend/env.example
    • FL Model/flask/app.py

2. CORS Configuration (FIXED)

  • Issue: CORS_ALLOW_ALL_ORIGINS = True allowed any domain to make requests
  • Fix: Made CORS configurable via environment variables with secure defaults

3. Debug Mode (FIXED)

  • Issue: DEBUG = True in production settings
  • Fix: Made debug mode configurable via environment variables

πŸ”§ Environment Variables Setup

Required Environment Variables

# Django Settings
DJANGO_SECRET_KEY=your-secure-secret-key
DEBUG=False
ALLOWED_HOSTS=your-domain.com,www.your-domain.com

# Database Settings
DB_NAME=DiseasePrediction
DB_USER=postgres
DB_PASSWORD=your-secure-password
DB_HOST=localhost
DB_PORT=5432

# CORS Settings
CORS_ALLOW_ALL_ORIGINS=False
CORS_ALLOWED_ORIGINS=http://localhost:3000,https://your-domain.com

# Email Settings
EMAIL_USER=your-email@gmail.com
EMAIL_PASS=your-app-password

# API Keys
GEMINI_API_KEY=your-gemini-api-key

# Flask App (FL Model)
FLASK_DEBUG=False

🚨 Security Best Practices

1. Environment Variables

  • βœ… Never commit .env files to version control
  • βœ… Use strong, unique passwords for each environment
  • βœ… Rotate secrets regularly

2. Database Security

  • βœ… Use strong database passwords
  • βœ… Limit database user permissions
  • βœ… Enable SSL connections in production
  • βœ… Regular database backups

3. CORS Configuration

  • βœ… Only allow necessary origins
  • βœ… Use HTTPS in production
  • βœ… Avoid CORS_ALLOW_ALL_ORIGINS=True in production

4. Django Security

  • βœ… Set DEBUG=False in production
  • βœ… Configure ALLOWED_HOSTS properly
  • βœ… Use HTTPS and secure cookies
  • βœ… Enable CSRF protection

5. API Security

  • βœ… Use JWT tokens with appropriate expiration
  • βœ… Implement rate limiting
  • βœ… Validate all input data
  • βœ… Use HTTPS for all API calls

πŸ” Security Checklist

Before deploying to production:

  • Generate new Django SECRET_KEY
  • Set DEBUG=False
  • Configure ALLOWED_HOSTS
  • Set secure database credentials
  • Configure CORS properly
  • Enable HTTPS
  • Set up proper logging
  • Configure backup strategy
  • Set up monitoring and alerting
  • Review and update dependencies

πŸ›‘οΈ Additional Security Recommendations

  1. Input Validation: Implement comprehensive input validation
  2. Rate Limiting: Add rate limiting to prevent abuse
  3. Logging: Implement security event logging
  4. Monitoring: Set up intrusion detection
  5. Backup: Regular automated backups
  6. Updates: Keep all dependencies updated
  7. SSL/TLS: Use HTTPS everywhere
  8. Headers: Configure security headers (HSTS, CSP, etc.)

πŸ“ž Security Contact

For security issues, please contact the development team immediately.

There aren’t any published security advisories