Skip to content

Security: Praashh/Helix

Security

SECURITY.md

Security Policy

Reporting a Vulnerability

If you discover a security vulnerability in Helix, please report it responsibly.

Do not open a public issue. Instead, please email the maintainers directly with:

  • A description of the vulnerability
  • Steps to reproduce
  • Potential impact
  • Any suggested fixes (optional)

We will acknowledge your report within 48 hours and aim to provide a fix or mitigation within 7 days for critical issues.

Security Considerations

Helix handles the following sensitive data:

  • Authentication: Managed by Clerk. User sessions and credentials are never stored directly.
  • API Keys: Google AI API keys and other secrets are stored as environment variables, never committed to the repository.
  • Database: PostgreSQL via Prisma. All API routes authenticate requests through Clerk before accessing data.
  • Webhooks: Clerk webhooks are verified using Svix signatures.

Best Practices for Contributors

  • Never commit .env files, API keys, or credentials
  • Use parameterized queries (Prisma handles this by default)
  • Validate and sanitize all user input at API boundaries
  • Keep dependencies up to date

There aren't any published security advisories