We actively support the following versions of AxioDB with security updates. Please ensure you are using a supported version to receive critical security patches and updates.
| Version | Supported |
|---|---|
| 3.x.x | ✅ Yes |
| 2.x.x | |
| < 2.0 | ❌ No |
Recommendation: Always use the latest version of AxioDB for the best security, performance, and features.
```bash
npm install axiodb@latest
```

AxioDB includes several security features to protect your data:
- AES-256 Encryption: Optional encryption for sensitive collections
- Schema Validation: Prevent injection of malicious data structures
- File Isolation: Each document stored in separate files with proper permissions
- Secure Defaults: Security-first configuration out of the box
- No External Dependencies: Reduces attack surface (pure JavaScript)
We take security seriously and appreciate the security community's efforts to responsibly disclose vulnerabilities. If you discover a security issue in AxioDB, please report it through one of the following channels:
- Navigate to the AxioDB GitHub repository
- Go to the "Security" tab
- Click "Report a vulnerability"
- Fill out the form with details
Send an email to ankansahaofficial@gmail.com with:
- Subject: [SECURITY] AxioDB Vulnerability Report
- Description: Clear description of the vulnerability
- Steps to Reproduce: Detailed steps to reproduce the issue
- Impact: Potential security impact and affected versions
- Suggested Fix: (Optional) Your suggestions for fixing the issue
Please include the following information in your report:
- Type of vulnerability (e.g., XSS, CSRF, SQL Injection equivalent, etc.)
- Full paths of source file(s) related to the vulnerability
- Location of the affected source code (tag/branch/commit or direct URL)
- Any special configuration required to reproduce the issue
- Step-by-step instructions to reproduce the issue
- Proof-of-concept or exploit code (if possible)
- Impact of the issue, including how an attacker might exploit it
- Initial Response: Within 48 hours of receiving your report
- Status Update: Within 7 days with assessment and planned fix timeline
- Fix Development: Depending on severity and complexity
- Disclosure: Coordinated disclosure after fix is released
- Triage: We assess the severity and impact of the reported vulnerability
- Fix Development: We develop and test a fix in a private repository
- Release: Security fixes are released as patch versions (e.g., 3.31.105)
- Disclosure: After release, we publish a security advisory with details
- Credit: We credit researchers who responsibly disclose vulnerabilities (unless they prefer to remain anonymous)
We use the following severity levels for security issues:
| Severity | Description | Response Time |
|---|---|---|
| Critical | Remote code execution, data loss | < 24 hours |
| High | Privilege escalation, data breach | < 72 hours |
| Medium | Information disclosure, DoS | < 7 days |
| Low | Minor information leak, edge cases | < 14 days |
When using AxioDB in production:

```javascript
const sensitiveCollection = await db.createCollection(
  'users',
  true,
  schema,
  true, // Enable encryption
  process.env.ENCRYPTION_KEY // Use environment variable
);
```

❌ Bad:

```javascript
// Hardcoded key: it ends up in source control and in every build artifact
const collection = await db.createCollection('data', true, schema, true, 'myKey123');
```

✅ Good:

```javascript
const collection = await db.createCollection(
  'data',
  true,
  schema,
  true,
  process.env.AXIODB_ENCRYPTION_KEY // Key supplied by the environment, not the code
);
```

Always use schema validation to prevent malicious data:

```javascript
const schema = {
  email: SchemaTypes.string().required().email(),
  age: SchemaTypes.number().min(0).max(150),
  name: SchemaTypes.string().required().max(100),
};
```

Restrict file system access to the AxioDB data directory:

```bash
# Linux/macOS
chmod 700 ./AxioDB
```

Regularly update to the latest version:

```bash
npm update axiodb
```

- Watch the GitHub repository
- Subscribe to npm security advisories
- Check the SECURITY.md file regularly
AxioDB is designed for embedded, single-instance use cases:
- ✅ Desktop applications (Electron, Tauri)
- ✅ CLI tools
- ✅ Local-first applications
- ⚠️ Not recommended for public-facing web servers without additional security layers
- ⚠️ Not designed for multi-tenant cloud deployments
AxioDB stores data in the file system:
- Ensure proper file permissions on the data directory
- Do not expose the data directory via web servers
- Use encryption for sensitive data
- Implement regular backups
The built-in GUI is intended for development and local use only:
- ⚠️ Do not expose to public networks
- ⚠️ No authentication by default
- ✅ Binds to localhost only
- ✅ Safe for Electron apps (local environment)
- We follow coordinated disclosure principles
- Security fixes are released before public disclosure
- We provide credit to researchers who report vulnerabilities responsibly
- Public disclosure is made after fixes are available and users have time to update
For security-related questions or concerns:
- Email: ankansahaofficial@gmail.com
- GitHub: Report a vulnerability
We recognize and thank the following security researchers who have helped improve AxioDB's security:
No vulnerabilities reported yet.
Thank you for helping keep AxioDB and its users safe! 🛡️