We provide security updates for the following versions of HyperZ:
| Version | Supported |
|---|---|
| 2.x | ✅ |
| < 2.0 | ❌ |
If you discover a security vulnerability within HyperZ, please send an e-mail to security@hyperz.dev. All security vulnerabilities will be promptly addressed.
Please include the following in your report:
- A description of the vulnerability.
- Steps to reproduce the issue.
- Potential impact.
Do not open a public issue for security vulnerabilities.
HyperZ implements comprehensive default security measures:
- JWT Authentication: Secure, stateless session management with
AuthManager - Token Blacklisting: Revoke JWTs before expiry via
TokenBlacklist(pluggable store) - API Key Auth: SHA-256 hashed API key authentication with scope-based access via
ApiKeyMiddleware - RBAC: Role-based access control with Gates, Policies, and middleware
- Bcrypt Hashing: Industry-standard password hashing via
HashService(configurable cost factor) - AES-256-GCM Encryption: Authenticated encryption via
EncrypterusingAPP_KEY - HMAC-SHA256 Signed URLs: Tamper-proof URL generation via
SignedUrlwith expiration support
- CSRF Protection: Double-submit cookie pattern with timing-safe comparison
- Request Sanitization: Auto-strips XSS payloads and blocks prototype pollution on body/query/params
- HTTPS Enforcement: Automatic HTTP→HTTPS redirect in production (respects
X-Forwarded-Proto) - Helmet: Security headers (CSP, HSTS, X-Frame-Options, etc.)
- Rate Limiting: Per-user/per-key/per-IP tiered rate limiting
- SQL Injection Protection: Prepared statements via TypeORM
- Input Validation: Zod schema validation middleware
- Audit Logging: Automatic logging of all state-changing requests
- HMAC-SHA256 Signing: All outbound webhooks are cryptographically signed
- Signature Verification:
WebhookManager.verifySignature()for inbound webhook validation