Last updated: July 2, 2026
Security Policy
We take security seriously, even for a client-side portfolio and open-source registry. Here is an overview of our security posture, API protections, and reporting procedures.
Supported Versions
| Version | Status | Notes |
|---|---|---|
| Latest (main branch) | ✅ Supported | Active development and security updates |
| Older commits / releases | ❌ Not Supported | Please upgrade to the latest commit on main |
API & Application Security
Zenith is a static web application augmented with a server-side AI chat endpoint powered by the Groq API. To prevent abuse and protect user sessions, we implement several server-side safeguards:
- ✓ Rate Limiting: Enforced at 20 requests per minute per IP address on the `/api/ai/chat` route to prevent Denial of Service (DoS) and exhaustion of the AI provider's API quota.
- ✓ Input Validation & Sanitization: All incoming messages are validated before they are forwarded. Individual messages are capped at 2,000 characters, and conversation depth is restricted to 20 messages to prevent token flooding of the upstream model.
- ✓ Request Timeouts: All server-to-server outbound calls to the AI provider carry an explicit 10-second AbortController timeout so a hung upstream socket cannot tie up the handler.
- ✓ Memory Leak Prevention: The in-memory rate-limiting structures evict expired timestamp entries automatically, keeping memory use stable on long-lived serverless and edge runtimes.
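The four safeguards above, as an added JavaScript example that is not Zenith's own route handler: a per-IP sliding-window limiter that evicts expired timestamps on every call (plus a sweep for idle IPs), the message-size and conversation-depth checks, and an outbound call guarded by an AbortController timeout. The Groq URL, the model name and the upstream response shape are assumptions, and the handler takes a `fetchImpl` parameter so it can be exercised offline with a stub.

```javascript
// Added example (not Zenith's code): the server-side safeguards above, written as
// plain functions so they run under Node without Next.js.
// Assumed: the Groq chat-completions URL and model name; adjust for your deployment.
const GROQ_CHAT_URL = 'https://api.groq.com/openai/v1/chat/completions'; // assumption
const GROQ_MODEL = 'llama-3.1-8b-instant';                               // assumption

// --- Rate limiting: 20 requests per minute per IP, sliding window -----------------
const WINDOW_MS = 60_000;
const MAX_REQUESTS_PER_WINDOW = 20;
const buckets = new Map(); // ip -> ascending list of request timestamps (ms)

function checkRateLimit(ip, now = Date.now()) {
  const cutoff = now - WINDOW_MS;
  // Evict timestamps older than the window on every call, so a bucket never holds
  // more than MAX_REQUESTS_PER_WINDOW + 1 entries no matter how hard one IP hammers it.
  const live = (buckets.get(ip) ?? []).filter((t) => t > cutoff);
  if (live.length >= MAX_REQUESTS_PER_WINDOW) {
    buckets.set(ip, live);
    return { allowed: false, retryAfterMs: live[0] + WINDOW_MS - now };
  }
  live.push(now);
  buckets.set(ip, live);
  return { allowed: true, remaining: MAX_REQUESTS_PER_WINDOW - live.length };
}

// Drop IPs with no requests inside the window so the Map itself cannot grow without
// bound. Call it from the request path (e.g. every Nth request): edge runtimes do not
// reliably keep a setInterval alive between invocations.
function sweepBuckets(now = Date.now()) {
  const cutoff = now - WINDOW_MS;
  for (const [ip, ts] of buckets) {
    const live = ts.filter((t) => t > cutoff);
    if (live.length === 0) buckets.delete(ip);
    else buckets.set(ip, live);
  }
  return buckets.size;
}

// --- Input validation: 2,000 chars per message, at most 20 messages ---------------
const MAX_MESSAGE_CHARS = 2000;
const MAX_MESSAGES = 20;
const ALLOWED_ROLES = new Set(['user', 'assistant']); // the client never sets "system"

function validateChatBody(body) {
  if (!body || !Array.isArray(body.messages)) {
    return { ok: false, error: 'messages must be an array' };
  }
  if (body.messages.length === 0 || body.messages.length > MAX_MESSAGES) {
    return { ok: false, error: `conversation must contain 1..${MAX_MESSAGES} messages` };
  }
  const messages = [];
  for (const [i, m] of body.messages.entries()) {
    if (!m || typeof m.content !== 'string' || !ALLOWED_ROLES.has(m.role)) {
      return { ok: false, error: `message ${i} is malformed` };
    }
    if (m.content.length > MAX_MESSAGE_CHARS) {
      return { ok: false, error: `message ${i} exceeds ${MAX_MESSAGE_CHARS} characters` };
    }
    // Rebuild each message from whitelisted fields so unexpected keys never reach upstream.
    messages.push({ role: m.role, content: m.content });
  }
  return { ok: true, messages };
}

// --- Outbound call with a 10 s AbortController timeout ----------------------------
const UPSTREAM_TIMEOUT_MS = 10_000;

async function callUpstream(fetchImpl, url, payload, timeoutMs = UPSTREAM_TIMEOUT_MS) {
  const controller = new AbortController();
  const timer = setTimeout(() => controller.abort(), timeoutMs);
  try {
    const res = await fetchImpl(url, {
      method: 'POST',
      headers: { 'content-type': 'application/json' },
      body: JSON.stringify(payload),
      signal: controller.signal,
    });
    return { ok: res.ok, status: res.status, data: res.ok ? await res.json() : undefined };
  } catch (err) {
    if (err && err.name === 'AbortError') return { ok: false, status: 504, error: 'upstream timeout' };
    throw err;
  } finally {
    clearTimeout(timer); // always clear, or a pending timer keeps the event loop alive
  }
}

// --- The /api/ai/chat handler, composed from the pieces above ---------------------
async function handleChatRequest({ ip, body, fetchImpl = fetch, now = Date.now() }) {
  const limit = checkRateLimit(ip, now);
  if (!limit.allowed) {
    return { status: 429, headers: { 'Retry-After': String(Math.ceil(limit.retryAfterMs / 1000)) } };
  }
  const v = validateChatBody(body);
  if (!v.ok) return { status: 400, error: v.error };
  const up = await callUpstream(fetchImpl, GROQ_CHAT_URL, { model: GROQ_MODEL, messages: v.messages });
  if (!up.ok) return { status: up.status === 504 ? 504 : 502, error: up.error ?? 'upstream error' };
  return { status: 200, reply: up.data };
}
```

One caveat worth keeping in mind with any in-memory limiter: the Map lives inside a single runtime instance, so on a platform that scales out to several instances the effective ceiling is 20 requests per minute per IP per instance, not per site. That is still enough to blunt quota exhaustion from a single client, but a global limit needs shared state (a KV or Redis store) rather than process memory.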
HTTP Security Headers
Every HTTP response served by Zenith includes strict security headers configured via Next.js proxy middleware:
- Content-Security-Policy: restricts script, style, image, and connect sources to prevent XSS.
- Strict-Transport-Security: HSTS enforced with a 2-year max-age to guarantee HTTPS.
- X-Content-Type-Options: prevents MIME-type sniffing attacks.
- X-Frame-Options: prevents clickjacking and embedding in unauthorized frames.
- Referrer-Policy: protects sensitive URL paths when navigating across origins.
- Permissions-Policy: explicitly disables the camera, microphone, geolocation, and payment APIs.
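An added example, not Zenith's own middleware: the header set above as a plain object, a function that applies it to any standard `Headers` instance (which is what a Next.js proxy/middleware response exposes), and an audit function that checks a response against the policy and returns the gaps. The page only states each header's purpose, so the directive values below are this example's own choices; the `https://api.groq.com` origin is deliberately absent from `connect-src` because the browser only ever talks to `/api/ai/chat` on the site's own origin.

```javascript
// Added example (not Zenith's code). Directive values are this example's choices;
// the policy page states each header's purpose, not its exact value.
const TWO_YEARS_SECONDS = 2 * 365 * 24 * 60 * 60; // 63072000

const SECURITY_HEADERS = {
  'Content-Security-Policy': [
    "default-src 'self'",
    "script-src 'self'",
    "style-src 'self'",
    "img-src 'self' data:",
    "connect-src 'self'",          // the chat UI calls /api/ai/chat, never Groq directly
    "frame-ancestors 'none'",      // modern equivalent of X-Frame-Options: DENY
    "object-src 'none'",
    "base-uri 'self'",
  ].join('; '),
  'Strict-Transport-Security': `max-age=${TWO_YEARS_SECONDS}; includeSubDomains; preload`,
  'X-Content-Type-Options': 'nosniff',
  'X-Frame-Options': 'DENY',
  'Referrer-Policy': 'strict-origin-when-cross-origin',
  'Permissions-Policy': 'camera=(), microphone=(), geolocation=(), payment=()',
};

// Apply the set to a WHATWG Headers object (e.g. NextResponse.next().headers in middleware).
function applySecurityHeaders(headers) {
  for (const [name, value] of Object.entries(SECURITY_HEADERS)) headers.set(name, value);
  return headers;
}

// Audit a response's headers against the policy; an empty list means compliant.
function auditSecurityHeaders(headers) {
  const findings = [];

  const csp = headers.get('content-security-policy') ?? '';
  if (!csp) {
    findings.push('missing Content-Security-Policy');
  } else {
    const hasDefault = /(^|;)\s*default-src\s/.test(csp);
    for (const dir of ['script-src', 'style-src', 'img-src', 'connect-src']) {
      if (!csp.includes(dir) && !hasDefault) findings.push(`CSP restricts neither ${dir} nor default-src`);
    }
    if (/script-src[^;]*'unsafe-inline'/.test(csp)) findings.push("CSP script-src permits 'unsafe-inline'");
  }

  const hsts = headers.get('strict-transport-security') ?? '';
  const maxAge = /max-age=(\d+)/.exec(hsts);
  if (!maxAge) findings.push('missing HSTS max-age');
  else if (Number(maxAge[1]) < TWO_YEARS_SECONDS) findings.push(`HSTS max-age ${maxAge[1]} is below two years`);

  if ((headers.get('x-content-type-options') ?? '').toLowerCase() !== 'nosniff') {
    findings.push('X-Content-Type-Options is not nosniff');
  }

  // Either header defeats clickjacking; frame-ancestors wins where both are present.
  const xfo = (headers.get('x-frame-options') ?? '').toUpperCase();
  const frameAncestors = /frame-ancestors\s+('none'|'self')/.test(csp);
  if (!['DENY', 'SAMEORIGIN'].includes(xfo) && !frameAncestors) {
    findings.push('no clickjacking protection (X-Frame-Options or CSP frame-ancestors)');
  }

  if (!headers.get('referrer-policy')) findings.push('missing Referrer-Policy');

  const pp = headers.get('permissions-policy') ?? '';
  for (const feature of ['camera', 'microphone', 'geolocation', 'payment']) {
    if (!new RegExp(`(^|,)\\s*${feature}=\\(\\)`).test(pp)) {
      findings.push(`Permissions-Policy does not disable ${feature}`);
    }
  }
  return findings;
}
```

To check the deployed site rather than a constructed object, pass `(await fetch(url)).headers` to `auditSecurityHeaders`, or compare `curl -sI` output against the names above by hand. The audit deliberately treats a missing `default-src` as a finding only when the specific directive is also absent, since `default-src 'self'` already covers the four sources the policy names.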
Reporting a Vulnerability
If you discover a security vulnerability within any of the Zenith Open Source repositories or this website, please report it responsibly:
- Email the maintainer directly at zenithprojects@icloud.com.
- Include a clear description of the vulnerability and potential impact.
- Provide step-by-step reproduction instructions or proof-of-concept code.
Response Time: We aim to acknowledge receipt of vulnerability reports within 48 hours and release a remediation patch within 7 business days for critical issues.
Responsible Disclosure & Recognition
We deeply value the work of security researchers and developers who help keep open-source software safe. Anyone who responsibly discloses a valid security vulnerability will be explicitly credited in our repository changelogs and release notes (unless anonymity is preferred).
For direct security inquiries or PGP key requests, reach out to zenithprojects@icloud.com.