
Security: FastPix/FastPix-llms-oss


SECURITY.md

Security policy

Reporting a vulnerability

If you discover a security issue in this repository, please report it privately to security@fastpix.com rather than filing a public GitHub issue.

We will acknowledge receipt within 5 business days and work with you on coordinated disclosure.

Scope

This project is a reference implementation. Issues that exist only because a user has changed our defaults (disabled auth, removed input validation, deployed to a misconfigured environment, etc.) are out of scope.

In-scope concerns include:

  • Auth bypass in the default NextAuth configuration
  • Cross-tenant data exposure (one owner reading another's courses/students/heartbeats)
  • SQL injection or NoSQL injection in any API route or server action
  • Rate-limit bypass that could enable resource exhaustion
  • XSS in any user-supplied field (course title/description, student name, video title)

Production deployments

This repo is published "as is" under Apache 2.0. If you deploy it, you are responsible for:

  • Setting NEXTAUTH_SECRET to a strong, unique value
  • Protecting FASTPIX_SECRET_KEY (server-only, never expose to the browser)
  • Configuring TLS / HTTPS at your hosting layer
  • Hardening the default rate limiter (it counts per process, so swap it for a Redis-backed limiter in multi-instance deployments, otherwise each instance enforces its own separate limit)
  • Adding logging / monitoring appropriate to your environment
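The rate-limiter item above deserves a concrete illustration. The following is an added example, not code from FastPix-llms-oss: it simulates a load balancer round-robining one client's requests across three app instances. When each instance keeps its own counter, the effective limit is multiplied by the instance count; when all instances share one store (a plain object here, standing in for Redis INCR/EXPIRE on a common key), the limit holds. The names `MemoryStore`, `RateLimiter`, `attemptRequests`, the client IP and the limit values are all illustrative assumptions.

```javascript
// Added example (not the project's code): per-process vs shared rate limiting.
// Assumptions: fixed-window counter, LIMIT requests per WINDOW_MS per key,
// three instances behind a round-robin load balancer, one abusive client.

const LIMIT = 5;           // requests allowed per key per window (assumed)
const WINDOW_MS = 60_000;  // window length in ms (assumed)

// A fixed-window counter keyed by client id and window bucket.
// One instance of this per process is what an in-memory limiter amounts to;
// one instance shared by every process is what a Redis-backed limiter gives you.
class MemoryStore {
  constructor() { this.counts = new Map(); }
  // Increment and return the count for (key, current window). Mirrors Redis
  // INCR on "key:bucket" with an EXPIRE of one window.
  incr(key, now) {
    const bucket = Math.floor(now / WINDOW_MS);
    const k = `${key}:${bucket}`;
    const n = (this.counts.get(k) || 0) + 1;
    this.counts.set(k, n);
    return n;
  }
}

class RateLimiter {
  constructor(store) { this.store = store; }
  // true = let the request through, false = respond 429.
  allow(key, now = Date.now()) {
    return this.store.incr(key, now) <= LIMIT;
  }
}

// Send n requests from `key` round-robin across `instances`, all inside one
// window (fixed `now`), and return how many were allowed.
function attemptRequests(instances, key, n, now = 0) {
  let allowed = 0;
  for (let i = 0; i < n; i++) {
    const inst = instances[i % instances.length];
    if (inst.allow(key, now)) allowed++;
  }
  return allowed;
}

// Scenario A: each instance has its own store. Every instance sees only a
// third of the traffic, so each lets LIMIT through: 3 * LIMIT total.
function perInstanceAllowed(n = 30) {
  const instances = [1, 2, 3].map(() => new RateLimiter(new MemoryStore()));
  return attemptRequests(instances, "203.0.113.7", n); // 203.0.113.7: constructed client IP
}

// Scenario B: all instances share one store, so the counter is global and
// exactly LIMIT requests get through regardless of which instance serves them.
function sharedAllowed(n = 30) {
  const shared = new MemoryStore();
  const instances = [1, 2, 3].map(() => new RateLimiter(shared));
  return attemptRequests(instances, "203.0.113.7", n);
}

console.log("per-instance stores, 30 requests allowed:", perInstanceAllowed()); // 15
console.log("shared store,        30 requests allowed:", sharedAllowed());      // 5
```

Two caveats a deployer should keep in mind. The shared counter closes the scale-out gap but is still a fixed-window algorithm, so a client can burst up to 2×LIMIT across a window boundary; a sliding-window or token-bucket store fixes that if it matters. And the key should be derived from a trustworthy client identity (the connection address or a proxy header you have verified your hosting layer sets), since a limiter keyed on a client-controlled value is trivially bypassed.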

There aren't any published security advisories