Security First

Security at Synkora

We take security seriously. Learn about our security practices, how to report vulnerabilities, and our commitment to protecting your data.

Report a Security Vulnerability

If you've discovered a security vulnerability in Synkora, please report it responsibly. Do NOT create a public GitHub issue.

security@synkora.ai

We acknowledge reports within 48 hours and provide regular updates on progress.

Security Features

Encryption at Rest

All sensitive data at rest, including API keys, OAuth tokens, and secrets, is encrypted with Fernet symmetric encryption (AES-128-CBC with an HMAC-SHA256 tag, so stored ciphertext that has been altered is rejected on decrypt).

JWT Authentication

Secure token-based authentication with token blacklisting, version tracking, and automatic refresh.

CSRF Protection

Server-side CSRF token validation with Redis session binding and fail-closed design.
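
The fail-closed pattern described above, as an added example that is not Synkora's code: an in-memory dict stands in for the Redis binding of session ID to CSRF token, and an `available` flag simulates a Redis outage. Every abnormal path (missing session, missing token, no binding on record, store unreachable) rejects the request; only an exact, constant-time match for the same session passes. The class and function names are this example's own.

```python
import hmac
import secrets
from typing import Dict, Optional


class StoreUnavailable(Exception):
    """Raised when the token store (Redis in production) cannot be reached."""


class InMemoryTokenStore:
    """Stand-in for a Redis mapping of session ID -> CSRF token.

    Constructed for this example so it runs offline; flipping `available`
    to False simulates a Redis outage.
    """

    def __init__(self) -> None:
        self._tokens: Dict[str, str] = {}
        self.available = True

    def set(self, session_id: str, token: str) -> None:
        if not self.available:
            raise StoreUnavailable("token store unreachable")
        self._tokens[session_id] = token

    def get(self, session_id: str) -> Optional[str]:
        if not self.available:
            raise StoreUnavailable("token store unreachable")
        return self._tokens.get(session_id)


def issue_csrf_token(store: InMemoryTokenStore, session_id: str) -> str:
    """Mint a 256-bit random token and bind it server-side to this session."""
    token = secrets.token_urlsafe(32)
    store.set(session_id, token)
    return token


def validate_csrf_token(store: InMemoryTokenStore,
                        session_id: Optional[str],
                        submitted: Optional[str]) -> bool:
    """Fail-closed validation: anything other than an exact match for this
    session, read from a reachable store, returns False."""
    if not session_id or not submitted:
        return False
    try:
        expected = store.get(session_id)
    except StoreUnavailable:
        return False  # fail closed: an outage must never turn into an allow
    if expected is None:
        return False  # no token was ever issued to this session
    # Constant-time comparison so response timing does not leak the token
    # byte by byte; comparing bytes also avoids the str TypeError that
    # hmac.compare_digest raises on non-ASCII attacker input.
    return hmac.compare_digest(expected.encode("utf-8"),
                               submitted.encode("utf-8"))


if __name__ == "__main__":
    store = InMemoryTokenStore()
    tok = issue_csrf_token(store, "sess-A")
    print(validate_csrf_token(store, "sess-A", tok))   # True
    print(validate_csrf_token(store, "sess-B", tok))   # False: bound to another session
    store.available = False
    print(validate_csrf_token(store, "sess-A", tok))   # False: store down, fail closed
```

The session-binding check is what stops a token harvested from one session being replayed in another; the outage check is what "fail-closed" means in practice, since a limiter that returns True on exceptions is a bypass waiting for a Redis restart.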

Input Sanitization

Input is screened against 60+ XSS patterns covering modern HTML5 attack vectors. Pattern screening is a defence-in-depth layer; contextual output encoding remains the primary XSS control.

Rate Limiting

Redis-backed distributed rate limiting with per-endpoint configuration and trusted proxy support.
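
The trusted-proxy point above is the part that bites in practice: X-Forwarded-For is attacker-controlled unless the TCP peer is one of your own proxies, so a limiter that keys on it blindly can be reset by rotating the header. The following is an added example, not Synkora's code. A dict of (endpoint, ip, window) counters stands in for Redis INCR + EXPIRE, the proxy range 10.0.0.0/8 and the per-endpoint limits are constructed for the example, and the clock is injectable so windows are deterministic.

```python
import ipaddress
import time
from collections import defaultdict
from typing import Callable, Dict, Optional, Tuple

# Networks of the reverse proxies / load balancers allowed to set
# X-Forwarded-For. Constructed for this example; list your own ranges.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8")]


def _is_trusted_proxy(addr) -> bool:
    return any(addr in net for net in TRUSTED_PROXIES)


def client_ip(peer_ip: str, xff: Optional[str]) -> str:
    """Resolve the address the limiter keys on.

    X-Forwarded-For is honoured only when the TCP peer is a trusted proxy.
    Within the header, walk from the right (the hop our proxy appended) and
    skip further trusted proxies; the first untrusted hop is the client.
    """
    peer = ipaddress.ip_address(peer_ip)
    if not _is_trusted_proxy(peer) or not xff:
        return str(peer)  # direct client, or proxy that added no header
    for hop in reversed([h.strip() for h in xff.split(",") if h.strip()]):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            return str(peer)  # malformed value: never key on attacker data
        if not _is_trusted_proxy(addr):
            return str(addr)
    return str(peer)  # every hop was one of our proxies


class FixedWindowLimiter:
    """Per-endpoint fixed-window counter.

    `counts` mirrors a Redis INCR + EXPIRE on a key such as
    "rl:{endpoint}:{ip}:{window}"; it is an in-memory stand-in so the
    example runs offline.
    """

    def __init__(self, limits: Dict[str, Tuple[int, int]],
                 clock: Callable[[], float] = time.time) -> None:
        self.limits = limits  # endpoint -> (max_requests, window_seconds)
        self.clock = clock
        self.counts: Dict[Tuple[str, str, int], int] = defaultdict(int)

    def allow(self, endpoint: str, peer_ip: str,
              xff: Optional[str] = None) -> bool:
        max_requests, window = self.limits.get(endpoint, self.limits["default"])
        key = (endpoint, client_ip(peer_ip, xff), int(self.clock() // window))
        self.counts[key] += 1
        return self.counts[key] <= max_requests


if __name__ == "__main__":
    lim = FixedWindowLimiter({"default": (100, 60), "/login": (3, 60)})
    # Untrusted peer rotating X-Forwarded-For still exhausts one budget.
    results = [lim.allow("/login", "198.51.100.9", f"9.9.9.{i}") for i in range(4)]
    print(results)  # [True, True, True, False]
```

The `/login` budget is deliberately tight: credential-stuffing endpoints need a far lower limit than the default, which is what per-endpoint configuration buys you.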

Security Headers

Content Security Policy with nonces, HSTS with preload, X-Frame-Options DENY, and Permissions-Policy.
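
The header set above, as an added example rather than Synkora's own configuration: a fresh nonce is generated per response and placed in `script-src`, and a small CSP parser checks whether an inline script carrying a given nonce would be permitted. The exact directive values and the Permissions-Policy feature list are assumptions; only the header names and the CSP-with-nonce, HSTS-with-preload, DENY and Permissions-Policy choices come from the page.

```python
import secrets
from typing import Dict, List, Optional


def new_csp_nonce() -> str:
    """Fresh 128-bit nonce for one response. A nonce reused across responses,
    or derived predictably, lets injected markup carry a valid nonce."""
    return secrets.token_urlsafe(16)


def security_headers(nonce: str) -> Dict[str, str]:
    """Response headers for an HTML page. Values are illustrative."""
    return {
        "Content-Security-Policy": (
            "default-src 'self'; "
            f"script-src 'self' 'nonce-{nonce}'; "
            "object-src 'none'; base-uri 'self'; frame-ancestors 'none'"
        ),
        # Two years, subdomains included, eligible for the preload list.
        "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
        "X-Frame-Options": "DENY",
        # Feature list is an assumption for the example.
        "Permissions-Policy": "camera=(), microphone=(), geolocation=()",
    }


def parse_csp(header: str) -> Dict[str, List[str]]:
    """Split a CSP header into directive -> source list."""
    policy: Dict[str, List[str]] = {}
    for directive in header.split(";"):
        parts = directive.split()
        if parts:
            policy[parts[0]] = parts[1:]
    return policy


def inline_script_allowed(csp: str, tag_nonce: Optional[str]) -> bool:
    """Would an inline <script nonce=...> run under this policy?

    It runs only if the exact nonce is listed in script-src (falling back to
    default-src when script-src is absent). A script with no nonce, or a
    guessed one, is blocked; 'self' alone never authorises inline code.
    """
    policy = parse_csp(csp)
    sources = policy.get("script-src", policy.get("default-src", []))
    return tag_nonce is not None and f"'nonce-{tag_nonce}'" in sources


if __name__ == "__main__":
    nonce = new_csp_nonce()
    headers = security_headers(nonce)
    csp = headers["Content-Security-Policy"]
    print(inline_script_allowed(csp, nonce))            # True: our own tag
    print(inline_script_allowed(csp, new_csp_nonce()))  # False: injected guess
```

The point of the checker is to make the failure mode concrete: the nonce only protects you if the server that renders the `<script nonce="...">` tag is the same one that emitted the header for that response, which is why nonces are generated per request rather than cached.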

Security Best Practices

When Using Synkora

  • Keep dependencies updated to the latest secure versions
  • Use environment variables for all secrets and API keys
  • Enable authentication for all production deployments
  • Use HTTPS in production environments
  • Regularly review access logs and audit trails
  • Follow the principle of least privilege for team members
  • Configure rate limiting appropriate to your use case
  • Keep session tokens in sessionStorage rather than localStorage so they are cleared when the tab closes; note that any script running on the page can still read sessionStorage, so this does not replace XSS protection
  • Enable multi-factor authentication when available
  • Regularly rotate API keys and access tokens

When Reporting a Vulnerability

Please Include

  • Description of the vulnerability
  • Steps to reproduce the issue
  • Potential impact assessment
  • Affected versions (if known)
  • Suggested fix (if any)

What to Expect

  • Acknowledgment within 48 hours
  • Regular updates on progress
  • Credit in release notes (if desired)
  • Coordinated disclosure timeline
  • No legal action for good-faith research

Supported Versions

Version             Status
Latest Release      Supported
Previous Releases   Not Supported

We recommend always using the latest version for the best security and features.