This document outlines the security practices, policies, and guidelines for ensuring the safety of data and users within the College ERP – Integrated Student Management System.
The system handles sensitive student, academic, and financial information, so maintaining strict security standards is essential.
Only the latest main branch and the most recent released build are actively supported for security updates.
| Version | Supported |
|---|---|
| Latest release | ✅ Yes |
| Development branch | |
| Older versions | ❌ No |
- All users authenticate through Supabase Auth.
- Sessions are secured using JWT tokens.
- Tokens must never be stored in plain localStorage without expiration logic.
The ERP includes multiple roles:
- Student
- Clerk
- Faculty
- Hostel Officer
- Admin
Each role only has access to modules relevant to its responsibilities.
Supabase RLS ensures:
- Users only access data that belongs to their role and permissions.
- Students cannot see other students' data.
- Clerks cannot modify admin-only data.
- Faculty can only upload marks for assigned exams.
All tables have strict RLS policies in place.
- All sensitive data (student personal details, transactions) stays in the encrypted Postgres database.
- RLS prevents unauthorized access.
- Token-based security ensures only authenticated users can query.
- No sensitive data (Aadhaar, marks, receipts) is stored in browser localStorage.
- Only minimal items like theme settings or UI preferences may be stored.
Even though the project uses demo integration:
- API keys must remain in
.envfiles. - Keys must never be committed to GitHub.
- Payment response data is validated before updating records in Supabase.
Never log payment responses in production mode.
- Environment variables must be stored only in
.env(client + server). - Never commit Supabase keys, B2 bucket keys, or Razorpay keys.
- All form inputs must be validated in React + TypeScript.
- Prevent invalid or malicious user input from reaching Supabase.
Supabase prevents SQL injection, but:
- Always use Supabase client libraries.
- Never use raw SQL strings with user input.
- Use React’s default escaping of HTML.
- Do not insert raw HTML via
dangerouslySetInnerHTML.
- Only allow PDF/JPG/PNG file types.
- Enforce file size limits.
- Validate MIME type before upload.
If you discover a security issue, please report it responsibly.
- Critical vulnerabilities: 24–48 hours
- High severity: 3–5 days
- Medium/Low: 1–2 weeks
- Description of the vulnerability
- Steps to reproduce
- Potential impact
- Suggested fix (optional)
Contributors must never:
- Commit
.envfiles or secrets - Disable Supabase RLS
- Create public Backblaze B2 buckets
- Log sensitive personal or financial data
- Store Aadhaar numbers unmasked
- Expose API keys in frontend code
- Modify authorization rules without review
Any PR violating these rules will be rejected.
In case of a security breach:
- Immediately revoke exposed Supabase, B2, or Razorpay keys
- Disable affected modules temporarily
- Investigate database and auth logs
- Notify stakeholders and admins
- Patch and deploy a fix
- Document the incident for future prevention
- Test changes under limited permissions to avoid bypassing RLS
- Keep dependencies updated
- Avoid unnecessary third-party libraries
- Follow commit message guidelines
- Review PRs carefully for hidden security issues
Security is a shared responsibility.
Your diligence helps protect sensitive educational and financial data in this ERP system.
Thank you for contributing securely to College ERP ❤️