Security Reference
Security invariants
- JWT auth for protected routes.
- RBAC with strict role checks.
- Ownership checks on user-scoped resources.
- Zod validation on body/query/params.
- Upload MIME and size restrictions.
- Rate limiting for OTP and write-heavy actions.
Upload baseline
Accepted MIME types include:
- images (png, jpeg, webp)
- application/pdf
- text/plain
- application/json
- zip files
Limits:
- max 10 files per upload request
- max 20MB per file
- ticket attachment aggregate limit on create/update flows
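The upload MIME and size restrictions above, as an added example that is not the project's own code: a validator over the per-request file list. The file shape, the `application/zip` string for "zip files", the binary reading of 20MB, and the aggregate cap parameter are assumptions.

```typescript
// Added example (not the project's code). File shape is an assumption.
interface UploadFile {
  name: string;
  mimetype: string; // client-declared, untrusted
  size: number;     // bytes
}

// Accepted MIME types from the upload baseline; the zip entry is assumed.
const ALLOWED_MIME = new Set([
  "image/png", "image/jpeg", "image/webp",
  "application/pdf", "text/plain", "application/json",
  "application/zip",
]);
const MAX_FILES = 10;
const MAX_FILE_BYTES = 20 * 1024 * 1024; // 20MB, assumed binary

// Returns a list of rejection reasons; an empty list means the request passes.
// aggregateLimitBytes models the ticket attachment aggregate cap (value assumed).
function validateUpload(files: UploadFile[], aggregateLimitBytes?: number): string[] {
  const errors: string[] = [];
  if (files.length === 0) errors.push("no files supplied");
  if (files.length > MAX_FILES) {
    errors.push(`too many files: ${files.length} > ${MAX_FILES}`);
  }
  let total = 0;
  for (const f of files) {
    // Strip parameters such as "; charset=utf-8" before matching the type.
    const mime = (f.mimetype.split(";")[0] ?? "").trim().toLowerCase();
    if (!ALLOWED_MIME.has(mime)) {
      errors.push(`${f.name}: MIME type "${f.mimetype}" not allowed`);
    }
    if (!Number.isInteger(f.size) || f.size < 0) {
      errors.push(`${f.name}: invalid size`);
      continue;
    }
    if (f.size > MAX_FILE_BYTES) {
      errors.push(`${f.name}: ${f.size} bytes exceeds 20MB per-file limit`);
    }
    total += f.size;
  }
  if (aggregateLimitBytes !== undefined && total > aggregateLimitBytes) {
    errors.push(`aggregate ${total} bytes exceeds limit ${aggregateLimitBytes}`);
  }
  return errors;
}
```

The declared MIME type is chosen by the client, so this check is a baseline; the stored bytes should also be sniffed server-side before the type is trusted.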
Vulnerability reporting
Use coordinated disclosure:
- GitHub Security Advisories (preferred)
- hello@openarca.com