KAIRON

Security

Transparency is core to Kairon. Security measures, audit findings, and the roadmap are all published here.

SECURITY MEASURES

Authentication

Supabase Auth magic-link (passwordless). Session JWTs stored as HttpOnly cookies — not accessible to JavaScript.

Row-Level Security

Every Supabase table has RLS policies. Users can only read/write their own data. Service key never sent to client.

Secret Management

All API keys stored as environment variables. Never committed to git. Never included in client bundles.

Payment Security

Card data processed exclusively by Stripe (PCI-DSS Level 1). Kairon never sees or stores card numbers.

TLS Encryption

All traffic encrypted with TLS 1.3. HSTS enforced via Vercel. No unencrypted connections permitted.

No Ad Trackers

No advertising trackers or third-party analytics beyond those listed in the Privacy Policy.

Input Validation

All database queries use Supabase parameterized query builder — no string concatenation SQL. JSX auto-escapes user input.

API Rate Limiting

AI prediction and community endpoints validated server-side. Token-based usage limits prevent abuse. (Full rate limiting: roadmap)

2FA — Current Status

Kairon uses magic-link email authentication via Supabase. Each login requires access to your email inbox, which provides a form of implicit email-based verification. Full TOTP two-factor authentication (authenticator app) is on the roadmap and will be offered as an opt-in security upgrade.

SECURITY ROADMAP

High

API rate limiting via Upstash Redis

Prevent brute force & scraping on all routes

High

Content Security Policy headers

Mitigate XSS attack surface in next.config.ts

Medium

TOTP 2FA option for accounts

Reduce risk of email account compromise

Medium

Alert users of unrecognised sign-ins

Low

Security audit log table

Record admin actions for incident review

BUG BOUNTY PROGRAM

Responsible disclosure earns cash rewards

CRITICAL

$200 – $500

RCE, auth bypass, data leak

HIGH

$50 – $200

XSS, SQLi, privilege escalation

MEDIUM

$10 – $50

CSRF, info disclosure, logic flaws

Rules• No automated scanning or DoS attacks against production
• Do not access or modify other users' data
• Disclose privately first — allow 90 days for remediation
• First reporter of a unique vulnerability receives the reward

Submit reports to:

security@kairon.trade

PGP key available
on request

RESPONSIBLE DISCLOSURE POLICY

We commit to acknowledging your report within 48 hours, providing a remediation timeline within 7 days, and crediting reporters in our changelog once fixes are deployed.

security@kairon.trade

AUDIT REPORTS

SEC-2026-003HIGHRESOLVED2026-05-16

AdminPanel Defense-in-Depth Hardening

Sweep of every /api/admin/* route surfaced four endpoints with NO authentication: notifications (GET/POST/DELETE/PATCH), posts (DELETE/PATCH), auto-tag (GET/POST), kaironos (GET/POST). All four could have been called anonymously to read or mutate site-wide state. Patched in commit cab96bf along with a triple-layer admin gate.

requireAdmin() added to notifications / posts / auto-tag / kaironos routes

New app/admin/layout.tsx server-redirects non-admins before any client AdminPanel code is shipped

Triple-layer admin gate now enforced: edge proxy admin_role check → server layout getAdminCaller → per-route requireAdmin

app/robots.ts explicit Disallow on /admin, /api/, /approve, /account/ — admin paths never indexed

Rate-limiter extended: /api/admin 120/min, /api/auth 30/min, /api/checkout 20/min, /api/waitlist 10/min

Header dropdown verified — Admin link only renders when admin_role is admin or moderator

plan-override route standardised on requireAdmin (previously used a custom email-only verifier)

SEC-2026-002INFORESOLVED2026-05-10

Session Authentication Improvement

Server-side Pro/Admin detection used to rely on a legacy kairon_email cookie. Migrated entirely to Supabase sb-* cookies + getServerAuth() across every page, API route, and middleware. No custom identity cookies.

All Pro/Admin reads use getServerAuth() + resolveIsPro() / resolveAdminRole() — single source of truth

Supabase chunked sb-* cookies handled by the official client; JWT expiry validated automatically

Legacy kairon_email cookie no longer set anywhere; defensively expired on sign-out

Continue auditing for any reintroduction of identity cookies — CLAUDE.md banned-pattern list now blocks them at review time

SEC-2026-001INFORESOLVED2026-04-25

Initial Security Audit

Comprehensive review of authentication flows, RLS policies, and API endpoints. All critical paths verified secure.

Row-Level Security enabled on all user tables

Service key never exposed to client

All API routes validate user permissions server-side

Stripe webhook signature verification implemented

Admin routes protected by email allowlist via env variable

KAIRON

Security

Transparency is core to Kairon. Security measures, audit findings, and the roadmap are all published here.

SECURITY MEASURES

Authentication

Supabase Auth magic-link (passwordless). Session JWTs stored as HttpOnly cookies — not accessible to JavaScript.

Row-Level Security

Every Supabase table has RLS policies. Users can only read/write their own data. Service key never sent to client.

Secret Management

All API keys stored as environment variables. Never committed to git. Never included in client bundles.

Payment Security

Card data processed exclusively by Stripe (PCI-DSS Level 1). Kairon never sees or stores card numbers.

TLS Encryption

All traffic encrypted with TLS 1.3. HSTS enforced via Vercel. No unencrypted connections permitted.

No Ad Trackers

No advertising trackers or third-party analytics beyond those listed in the Privacy Policy.

Input Validation

All database queries use Supabase parameterized query builder — no string concatenation SQL. JSX auto-escapes user input.

API Rate Limiting

AI prediction and community endpoints validated server-side. Token-based usage limits prevent abuse. (Full rate limiting: roadmap)

2FA — Current Status

SECURITY ROADMAP

High

API rate limiting via Upstash Redis

Prevent brute force & scraping on all routes

High

Content Security Policy headers

Mitigate XSS attack surface in next.config.ts

Medium

TOTP 2FA option for accounts

Reduce risk of email account compromise

Medium

Alert users of unrecognised sign-ins

Low

Security audit log table

Record admin actions for incident review

BUG BOUNTY PROGRAM

Responsible disclosure earns cash rewards

CRITICAL

$200 – $500

RCE, auth bypass, data leak

HIGH

$50 – $200

XSS, SQLi, privilege escalation

MEDIUM

$10 – $50

CSRF, info disclosure, logic flaws

Submit reports to:

security@kairon.trade

PGP key available
on request

RESPONSIBLE DISCLOSURE POLICY

We commit to acknowledging your report within 48 hours, providing a remediation timeline within 7 days, and crediting reporters in our changelog once fixes are deployed.

security@kairon.trade

AUDIT REPORTS

SEC-2026-003HIGHRESOLVED2026-05-16

AdminPanel Defense-in-Depth Hardening

requireAdmin() added to notifications / posts / auto-tag / kaironos routes

New app/admin/layout.tsx server-redirects non-admins before any client AdminPanel code is shipped

Triple-layer admin gate now enforced: edge proxy admin_role check → server layout getAdminCaller → per-route requireAdmin

app/robots.ts explicit Disallow on /admin, /api/, /approve, /account/ — admin paths never indexed

Rate-limiter extended: /api/admin 120/min, /api/auth 30/min, /api/checkout 20/min, /api/waitlist 10/min

Header dropdown verified — Admin link only renders when admin_role is admin or moderator

plan-override route standardised on requireAdmin (previously used a custom email-only verifier)

SEC-2026-002INFORESOLVED2026-05-10

Session Authentication Improvement

All Pro/Admin reads use getServerAuth() + resolveIsPro() / resolveAdminRole() — single source of truth

Supabase chunked sb-* cookies handled by the official client; JWT expiry validated automatically

Legacy kairon_email cookie no longer set anywhere; defensively expired on sign-out

Continue auditing for any reintroduction of identity cookies — CLAUDE.md banned-pattern list now blocks them at review time

SEC-2026-001INFORESOLVED2026-04-25

Initial Security Audit

Comprehensive review of authentication flows, RLS policies, and API endpoints. All critical paths verified secure.

Row-Level Security enabled on all user tables

Service key never exposed to client

All API routes validate user permissions server-side

Stripe webhook signature verification implemented

Admin routes protected by email allowlist via env variable