Security Guidelines
Running a public community platform means you will inevitably face spam bots, malicious actors, and abuse attempts. AnswerFlow is built with security as a first-class citizen to protect your infrastructure and your users.
1. Environment Variables & Secrets
Never expose administrative tokens or connection strings to the client environment.
In Next.js, any environment variable prefixed with NEXT_PUBLIC_ is bundled into the frontend JavaScript and can be viewed by anyone inspecting the browser.
```bash
# 🔴 STRICTLY PRIVATE (DO NOT EXPOSE TO CLIENT)
AUTH_SECRET="your-super-secret-key-here"
DATABASE_URL="postgresql://..."
REDIS_URL="redis://..."

# 🟢 SAFE TO EXPOSE TO CLIENT
NEXT_PUBLIC_APP_URL="https://community.yourdomain.com"
```
The AUTH_SECRET Requirement
Your AUTH_SECRET is the master key for hashing sessions via Better-Auth. It must be at least 32 characters long with high entropy. If this key is compromised or exposed, all active user sessions are compromised.
2. User Data Protection
We employ modern cryptographic standards out of the box via our Better-Auth integration.
- No Plaintext Passwords: Passwords are automatically hashed and salted.
- Secure Sessions: Authentication is handled via secure, HttpOnly, SameSite=Lax cookies. Because an HttpOnly cookie cannot be read from JavaScript, injected script cannot exfiltrate the session token, which closes the standard XSS cookie-theft vector.
- PII Scrubbing: Our database queries deliberately omit sensitive user payloads (like emails or password hashes) when resolving public author objects for questions and answers.
3. Rate Limiting (Redis)
All server actions and endpoints that permit high-cost database writes are rate-limited. We use your connected Redis instance to count requests per caller and throttle denial-of-service floods and bot spam.
The thresholds and specific limits are maintained centrally via the @answerflow/rate-limit package:
| API Action | Limit (per minute) |
|---|---|
| globalApi | 60 |
| createQuestion | 10 |
| createAnswer | 10 |
| createComment | 15 |
| editContent | 15 |
| deleteContent | 10 |
| vote | 30 |
| bookmark | 30 |
| acceptAnswer | 15 |
| imageUpload | 5 |
| search | 20 |
| syncPushToken | 5 |
| unsyncPushToken | 5 |
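To make the table concrete, here is an added example of a fixed-window limiter that uses exactly those per-minute thresholds. It is not the `@answerflow/rate-limit` package: `MemoryStore` stands in for Redis (with Redis the same step is `INCR` followed by `PEXPIRE` when the counter is new), and the assumption that every request also counts against `globalApi` is this example's own.

```javascript
// Added example, not the @answerflow/rate-limit package: a fixed-window counter
// keyed by action and caller, using the per-minute limits from the table above.
const LIMITS = {
  globalApi: 60,
  createQuestion: 10,
  createAnswer: 10,
  createComment: 15,
  editContent: 15,
  deleteContent: 10,
  vote: 30,
  bookmark: 30,
  acceptAnswer: 15,
  imageUpload: 5,
  search: 20,
  syncPushToken: 5,
  unsyncPushToken: 5,
};
const WINDOW_MS = 60_000;

// In-memory stand-in for Redis. incr() behaves like INCR plus PEXPIRE-on-create:
// the first hit opens a window, later hits within it increment the counter.
class MemoryStore {
  constructor() {
    this.entries = new Map();
  }
  incr(key, ttlMs, now) {
    const entry = this.entries.get(key);
    if (!entry || entry.expiresAt <= now) {
      this.entries.set(key, { count: 1, expiresAt: now + ttlMs });
      return 1;
    }
    entry.count += 1;
    return entry.count;
  }
}

// Count one request for `action` by `caller` (user id or client IP) and report
// whether it is within the limit for the current window.
function checkRateLimit(store, action, caller, now = Date.now()) {
  const limit = LIMITS[action];
  if (limit === undefined) throw new Error(`unknown action: ${action}`);
  const count = store.incr(`rl:${action}:${caller}`, WINDOW_MS, now);
  return { action, limit, allowed: count <= limit, remaining: Math.max(0, limit - count) };
}

// Assumption of this example: every request is charged against globalApi as well
// as its own action, so spreading load across actions is still capped at 60/min.
function guard(store, action, caller, now = Date.now()) {
  const global = checkRateLimit(store, "globalApi", caller, now);
  const specific = checkRateLimit(store, action, caller, now);
  const allowed = global.allowed && specific.allowed;
  return {
    allowed,
    remaining: Math.min(global.remaining, specific.remaining),
    limitedBy: allowed ? null : (specific.allowed ? "globalApi" : action),
  };
}
```

A fixed window is simple and cheap, and it is what `INCR` + `PEXPIRE` gives you for free; its known weakness is that a caller can spend a full budget at the end of one window and another at the start of the next. If that burst matters for an action, a sliding window over a Redis sorted set tightens it at the cost of more round trips.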
4. Markdown Sanitization (XSS Defense)
Because AnswerFlow is a developer-focused Q&A platform, users frequently post highly customized Markdown, which makes rendered posts the primary target for Cross-Site Scripting (XSS) attacks.
Rather than destructively mutating data on the server, AnswerFlow safely stores the raw Markdown exactly as the user typed it.
- Sanitization on Render: When rendering posts, our dedicated `@codearcade/markdown` package parses the Markdown into an Abstract Syntax Tree (AST) and uses `rehype-sanitize` to strip out arbitrary `<script>` tags, malicious `href` attributes, and `onload` handlers before the output ever reaches the DOM.
Do not disable the sanitization pipeline.
Bypassing the sanitize configuration inside the markdown component will immediately expose your users to malicious JavaScript injection.
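To show what the sanitize step actually does on the AST, here is an added example of an allowlist sanitizer over a small HAST-shaped tree. It is not `rehype-sanitize` or the `@codearcade/markdown` package (keep using those in the project); the tag and attribute allowlists, the sample tree, and the tiny serializer are this example's own constructions, chosen to illustrate the three cases the text names: script elements, dangerous `href` values, and `on*` handlers.

```javascript
// Added example, not rehype-sanitize: an allowlist walk over a HAST-like tree.
// Elements not in ALLOWED are unwrapped (children kept); STRIP_SUBTREE elements
// are removed with their contents; attributes are kept only if listed, never on*.
const ALLOWED = {
  p: [], strong: [], em: [], code: [], pre: [], ul: [], ol: [], li: [],
  h1: [], h2: [], h3: [], blockquote: [],
  a: ["href", "title"],
  img: ["src", "alt"],
};
const STRIP_SUBTREE = new Set(["script", "style", "iframe", "object", "embed"]);
const VOID_TAGS = new Set(["img", "br", "hr"]);

// Only http, https and mailto schemes are allowed; scheme-less values are treated
// as relative. Control characters are removed first because browsers ignore them
// inside a scheme, so "java\tscript:" would otherwise slip past a naive check.
function isSafeUrl(value) {
  const cleaned = String(value).replace(/[\u0000-\u0020]/g, "");
  const m = cleaned.match(/^([a-z][a-z0-9+.-]*):/i);
  if (!m) return true;
  return ["http", "https", "mailto"].includes(m[1].toLowerCase());
}

function sanitize(node) {
  if (node.type === "text") return { type: "text", value: node.value };
  if (node.type === "root") return { type: "root", children: sanitizeChildren(node.children) };
  if (node.type !== "element") return null;
  const tag = node.tagName.toLowerCase();
  if (STRIP_SUBTREE.has(tag)) return null;
  const children = sanitizeChildren(node.children || []);
  if (!(tag in ALLOWED)) return children; // unknown element: keep its text, drop the wrapper
  const properties = {};
  for (const [name, value] of Object.entries(node.properties || {})) {
    const lower = name.toLowerCase();
    if (lower.startsWith("on")) continue; // onload, onclick, ... never survive
    if (!ALLOWED[tag].includes(lower)) continue;
    if ((lower === "href" || lower === "src") && !isSafeUrl(value)) continue;
    properties[lower] = value;
  }
  return { type: "element", tagName: tag, properties, children };
}

function sanitizeChildren(children) {
  const out = [];
  for (const child of children) {
    const result = sanitize(child);
    if (result === null) continue;
    if (Array.isArray(result)) out.push(...result);
    else out.push(result);
  }
  return out;
}

// Minimal serializer so the result can be inspected; escapes text and attributes.
function escapeHtml(s) {
  return String(s).replace(/[&<>"]/g, (c) => ({ "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;" }[c]));
}
function toHtml(node) {
  if (node.type === "text") return escapeHtml(node.value);
  const inner = (node.children || []).map(toHtml).join("");
  if (node.type === "root") return inner;
  const attrs = Object.entries(node.properties)
    .map(([k, v]) => ` ${k}="${escapeHtml(v)}"`)
    .join("");
  if (VOID_TAGS.has(node.tagName)) return `<${node.tagName}${attrs}>`;
  return `<${node.tagName}${attrs}>${inner}</${node.tagName}>`;
}

// Constructed sample tree: the kind of AST a Markdown parser with raw HTML
// enabled would hand to the sanitizer.
const SAMPLE_TREE = {
  type: "root",
  children: [
    { type: "element", tagName: "p", properties: {}, children: [
      { type: "text", value: "Hello " },
      { type: "element", tagName: "strong", properties: {}, children: [{ type: "text", value: "world" }] },
    ] },
    { type: "element", tagName: "script", properties: {}, children: [{ type: "text", value: "alert(1)" }] },
    { type: "element", tagName: "a", properties: { href: "https://answerflow.example/docs" }, children: [{ type: "text", value: "docs" }] },
    { type: "element", tagName: "a", properties: { href: "javascript:alert(2)", onClick: "alert(3)", title: "x" }, children: [{ type: "text", value: "click" }] },
    { type: "element", tagName: "img", properties: { src: "https://example.com/a.png", alt: "diagram", onLoad: "alert(4)" }, children: [] },
    { type: "element", tagName: "marquee", properties: {}, children: [{ type: "text", value: "old" }] },
  ],
};

function renderSample() {
  return toHtml(sanitize(SAMPLE_TREE));
}
```

The important property is that the decision is made on the parsed tree, not on the Markdown text: the raw Markdown stays untouched in the database, and every render pass applies the same allowlist, so a tightened allowlist takes effect for old posts too.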
5. File Uploads & S3 Security
When users upload avatars or post images, AnswerFlow uses pre-signed URLs.
The Next.js server securely generates a temporary, cryptographically signed URL and sends it to the client. The client then uploads the image directly to your S3/MinIO bucket. This architecture ensures:
- Your server is never bottlenecked by routing heavy image payloads.
- Malicious users cannot upload files to arbitrary or restricted bucket paths.
- Your S3 secret keys never leave the backend environment.