At Joor, we prioritize security across all stages of the development and deployment of our open-source backend framework. This document serves as a comprehensive guide to understanding the security features of Joor, best practices for securely using and contributing to Joor, and how to report any security vulnerabilities. Our goal is to ensure that your Joor-based applications are secure by default and adhere to the latest security standards.

Security is a shared responsibility. If you discover any vulnerabilities, we ask that you report them privately to ensure the issue is addressed before it is publicly disclosed. This helps us maintain the integrity of the framework and protect users and contributors.

• Security Contact Email: joor@socioy.com
• What to Include in Your Report:
  • A detailed description of the issue.
  • Steps to reproduce the issue, including the environment and setup.
  • Any patches or potential fixes, if available.
  • Information about your testing environment, such as software versions and configurations.
• Our Commitment:
  • Acknowledge receipt of your report within 48 hours.
  • Work with you to validate and patch the vulnerability as soon as possible.
  • Coordinate a public disclosure once the issue has been resolved, along with an update on security improvements.

For bugs and non-critical security vulnerabilities, create an issue at GitHub Issues. While creating an issue, follow the styles mentioned in STYLEGUIDE.md.

While Joor provides robust security features, the onus of securing your application lies with you, the user. Below are key best practices to help safeguard your application and data.

Security patches are frequently released to address vulnerabilities, so keeping Joor and its dependencies up-to-date is critical. Ensure you are using the latest stable version of Joor and all associated libraries to minimize exposure to known vulnerabilities.

• Stay Informed: Subscribe to Joor’s GitHub repository to receive notifications about updates and security patches.
• For the latest updates and patches, visit Joor Updates or join the discussion on Discord.

Always use HTTPS (SSL/TLS) to encrypt communication between your clients and the Joor server. This helps prevent man-in-the-middle (MITM) attacks and ensures that sensitive data such as authentication tokens, passwords, and API keys are securely transmitted.

• TLS Best Practices:
  • Use strong cipher suites (e.g., TLS 1.2 or TLS 1.3).
  • Ensure proper certificate management (e.g., using Let’s Encrypt for free, automated SSL certificates).
  • Enable HTTP Strict Transport Security (HSTS) to enforce HTTPS usage.

Joor supports token-based authentication methods such as OAuth and JWT (JSON Web Tokens). Proper authentication and access control are essential for protecting user data and preventing unauthorized access.

• Use OAuth/JWT: Implement OAuth 2.0 for robust, stateless user authentication, and use JWT tokens for securing API endpoints.
• Multi-Factor Authentication (MFA): Encourage or require multi-factor authentication (MFA) for sensitive operations or privileged users.
• Least Privilege Access: Use fine-grained access control (RBAC) to limit users' access based on their roles. Restrict permissions to the minimum necessary for the user to perform their tasks.

Sensitive data should always be encrypted both at rest and in transit. Joor supports encrypted storage for sensitive information, such as passwords and personal data.

• Data in Transit: Use SSL/TLS to encrypt data transmitted between the client and server.
• Data at Rest: Store sensitive data, such as user credentials or API keys, using strong encryption algorithms (e.g., AES-256).
• Encryption Best Practices:
  • Use salted hashes for storing passwords (bcrypt, PBKDF2, or Argon2).
  • Avoid storing unencrypted sensitive data in logs or databases.
  • Securely manage and rotate cryptographic keys.

Since Joor currently does not have an ORM, developers have the option to either handle input validation and sanitization manually or integrate an ORM that offers better security features.

• Validate All Inputs: Validate all incoming data, especially user inputs, to ensure they conform to expected types, formats, and lengths.
• Sanitize Outputs: For any data rendered to a web page or API response, sanitize output to prevent XSS attacks.
• Use Parameterized Queries: When directly interacting with databases, always use parameterized queries or prepared statements to prevent SQL injection attacks.
• Consider Using an ORM: To simplify and enhance security, consider using an ORM (e.g., Sequelize, TypeORM) with Joor. ORMs often include built-in protections against SQL injection and other vulnerabilities.

Database security is a critical part of application security. Use the following strategies to secure your Joor database.

• Principle of Least Privilege: Ensure that the database user has the minimum permissions necessary to perform the required tasks.
• Database Encryption: Encrypt sensitive columns in your database using column-level encryption for particularly sensitive data.
• SQL Injection Protection: Always use prepared statements and parameterized queries to prevent SQL injection attacks.

Security logging and real-time monitoring are essential for detecting malicious activity and responding to incidents.

• Log Sensitive Events: Log authentication failures, authorization attempts, and changes to sensitive data.
• Centralized Logging: Use centralized logging systems (e.g., ELK stack, Splunk) to monitor logs for suspicious activity.
• Alerting: Set up automated alerts for critical security events, such as brute-force login attempts, privilege escalation, or data exfiltration.

Many applications rely on APIs for communication. Ensure your API endpoints are secure by following these guidelines:

• Use Rate Limiting: Prevent denial-of-service (DoS) attacks by implementing rate limiting on API requests.
• Enable CORS: Ensure that Cross-Origin Resource Sharing (CORS) is configured securely to prevent unauthorized access from other domains.
• Secure API Keys: Keep API keys secret and rotate them regularly. Use environment variables to store keys securely.

• Input Validation & Sanitization: Developers are responsible for validating and sanitizing inputs to prevent common injection attacks.
• Authentication: Built-in support for token-based authentication, including OAuth 2.0 and JWT.
• Encryption: Built-in encryption support for both data in transit (SSL/TLS) and at rest (AES-256).
• Secure API Framework: Joor is designed to help developers secure their APIs with minimal effort, using best practices like rate limiting, authentication, and secure communication.

Security is a fundamental aspect of building reliable and scalable applications. By following the best practices outlined in this document and using the security features provided by Joor, you can ensure your application remains secure. If you have any questions or concerns regarding security, feel free to contact us at joor@socioy.com.

We are committed to continuous improvement in security and appreciate your contributions to making Joor a secure framework for everyone.