
Security: dhairyagothi/100_days_100_web_project


SECURITY.md

🔒 Security Policy

πŸ›‘οΈ Overview

The security of 100 Days 100 Web Projects and our contributors is important to us. While this is primarily an educational repository containing frontend web projects, we take security seriously to ensure a safe learning environment for all developers.

📋 Supported Versions

We actively maintain and provide security updates for the following:

| Component | Version | Supported |
|---|---|---|
| Main Website | Latest | ✅ |
| All Projects | Latest | ✅ |
| Dependencies | Latest | ✅ |
| Legacy Projects | All | ⚠️ Best Effort |

🚨 Reporting Security Vulnerabilities

If you discover a security vulnerability, please help us maintain a secure environment by reporting it responsibly.

📧 How to Report

  1. DO NOT create a public GitHub issue for security vulnerabilities
  2. Email us directly by creating a private issue or discussion
  3. Use GitHub Security Advisory (preferred method)

📝 What to Include

Please provide the following information:

  • Project/Component affected: Which project or part of the repository
  • Vulnerability type: XSS, CSRF, injection, etc.
  • Impact assessment: How the vulnerability could be exploited
  • Steps to reproduce: Detailed steps to reproduce the issue
  • Suggested fix: If you have recommendations
  • Your contact information: For follow-up questions

⏱️ Response Timeline

  • Initial Response: Within 48 hours
  • Investigation: 1-7 days depending on complexity
  • Fix Development: 1-14 days depending on severity
  • Public Disclosure: After fix is deployed (if applicable)

πŸ›‘οΈ Security Best Practices for Contributors

🔐 For Project Development

  • Input Validation: Always validate and sanitize user inputs
  • XSS Prevention: Use proper escaping for dynamic content
  • HTTPS: Use HTTPS for any external API calls
  • Dependencies: Keep dependencies updated and secure
  • Secrets: Never commit API keys, passwords, or sensitive data

📝 Code Review Checklist

  • No hardcoded credentials or API keys
  • Proper input validation and sanitization
  • No eval() or innerHTML with user input
  • External links open in new tabs with rel="noopener"
  • Form submissions are validated
  • No sensitive data in localStorage without encryption

🚫 Common Vulnerabilities to Avoid

Cross-Site Scripting (XSS)

```javascript
// ❌ Dangerous
element.innerHTML = userInput;

// ✅ Safe
element.textContent = userInput;
// or
element.innerHTML = DOMPurify.sanitize(userInput);
```

Unsafe External Links

```html
<!-- ❌ Dangerous -->
<a href="https://external-site.com" target="_blank">Link</a>

<!-- ✅ Safe -->
<a href="https://external-site.com" target="_blank" rel="noopener noreferrer">Link</a>
```

Hardcoded Secrets

```javascript
// ❌ Never do this
const API_KEY = "your-secret-api-key";

// ✅ Use environment variables
// Note: a value a bundler inlines from process.env still ends up in the
// browser bundle, so keys that must stay secret belong on a server, not in
// client-side code.
const API_KEY = process.env.API_KEY;
```

🔐 Security Features

🌐 Main Website Security

  • Content Security Policy: Implemented via meta tags
  • HTTPS Enforcement: All external resources use HTTPS
  • Safe External Links: All external links use rel="noopener noreferrer"
  • Input Sanitization: All user inputs are properly validated

πŸ—οΈ Project-Level Security

  • Isolated Projects: Each project runs in its own directory
  • No Server-Side Code: Most projects are client-side only
  • Safe Dependencies: Dependencies are regularly audited
  • Clean Git History: No sensitive data in commit history

📚 Security Resources

🎓 Educational Links

🛠️ Security Tools

🤝 Community Security

👥 For Contributors

  • Review code for security issues before submitting PRs
  • Report suspicious activity or potential vulnerabilities
  • Follow secure coding practices in all contributions
  • Keep personal information private in commits and issues

🔒 For Users

  • Be cautious when running projects locally
  • Don't enter sensitive information in demo projects
  • Report any suspicious behavior or security concerns
  • Keep browsers updated when testing projects

📜 Disclosure Policy

🎯 Responsible Disclosure

We follow responsible disclosure practices:

  1. Private Reporting: Report vulnerabilities privately first
  2. Investigation: We investigate and develop fixes
  3. Coordination: We coordinate with reporters on disclosure timing
  4. Public Disclosure: Details shared after fixes are implemented
  5. Recognition: Security researchers are credited (with permission)

πŸ† Hall of Fame

We maintain a security researchers hall of fame for those who help improve our security:

  • Your name could be here!

📞 Contact Information

For security-related inquiries:

  • Security Issues: Use GitHub Security Advisory
  • General Questions: Create a GitHub Discussion
  • Urgent Matters: Create a private issue

📄 Legal

πŸ›‘οΈ Safe Harbor

We provide safe harbor for security researchers who:

  • Report vulnerabilities through proper channels
  • Give reasonable time for fixes before disclosure
  • Don't access or modify user data
  • Don't perform destructive testing

βš–οΈ Scope

This security policy covers:

  • ✅ All projects in this repository
  • ✅ The main showcase website
  • ✅ Deployment infrastructure
  • ❌ Third-party services and dependencies (report to their maintainers)
  • ❌ Issues requiring physical access

🔒 Security is everyone's responsibility

Thank you for helping keep our community safe!
