Security Policy

Last updated: May 8, 2026

Cyber Command Center is a portfolio and training workflow project. It is not a certified enterprise platform, managed SOC service, or place to store sensitive client data, lab credentials, payment details, or production incident evidence.

Security Model

The app has two operating modes:

Guest mode - progress, notes, and study sessions stay in browser local storage and are not synced by the app.
Signed-in mode - Supabase Auth handles login, OAuth, and password reset. Supabase Row Level Security scopes profile, progress, notes, and session rows to the signed-in user.

The browser app should only use the public Supabase anon key. Service-role keys and other server-side secrets must never be committed or shipped to the client.

Current Controls

Optional guest mode for no-account use.
Supabase Auth for email/password, password reset, and Google OAuth.
Row Level Security on profile, progress, note, and study-session tables.
Notes render through React text and textarea paths, not raw HTML injection paths.
External links use safe new-tab attributes.
Netlify security headers block framing, MIME sniffing, camera, microphone, and geolocation permissions.
The local .env file is ignored by Git.

Data Lifecycle

Guest mode

Guest progress, notes, and sessions stay in browser local storage until you clear site data for this domain.

Signed-in mode

Account identity, progress, notes, and study sessions are stored in Supabase until deletion is requested or the project owner removes the account. Deleted records may remain in provider-managed backups for the provider's normal backup retention window.

Data minimization

Do not store passwords, API keys, client data, payment details, private lab credentials, or live incident evidence in notes.

Known Gaps

No formal compliance certification, uptime SLA, DPA, SSO/SAML, audit-log export, or enterprise admin console.
No self-service account export or deletion yet.
No Content Security Policy yet. A tested CSP should be added before collecting more sensitive data.
Incident response is manual and best effort.

Incident Reporting

Email meidie@mdpstudio.com.au with the subject Security report: Cyber Command Center.

Include the affected URL or file path, reproduction steps, expected and actual result, browser/device details if relevant, and screenshots or logs with secrets removed.

Do not include passwords, API keys, private account data, payment details, client data, or third-party platform secrets. Do not publicly disclose an unfixed issue until it has been triaged.