If you discover a security vulnerability in this repository, please do not open a public GitHub issue. Instead, report it privately by emailing info@civicdatalab.in with the subject line [SECURITY] IDS-DRR-Frontend.
Please include:
- A description of the vulnerability and its potential impact
- Steps to reproduce or a proof-of-concept (if available)
- Any suggested fix or mitigation
We will acknowledge your report within 5 business days and aim to resolve confirmed vulnerabilities within 30 days. We will credit reporters in the release notes unless you request otherwise.
This repository contains:
- A Next.js application that renders analytics maps, dashboards, and report views
- TypeScript and React components, styled with Tailwind and design tokens
- A GraphQL client that consumes the IDS-DRR Data Management API and (optionally) a DataSpace Backend instance
Security concerns relevant to this scope include: dependency vulnerabilities, cross-site scripting via untrusted content rendered in the UI, and unintended exposure of analytics tokens or other configuration via the bundle.
Deployments are responsible for securing their own hosting infrastructure, TLS termination, and any analytics, error-reporting, or CDN services they integrate.
The frontend does not collect or store personally identifiable information (PII). Optional integrations exist with Google Analytics, Hotjar, and Sentry; these are off by default and each requires an explicit environment-variable opt-in per deployment. Deployments using these integrations are responsible for disclosing them in their own privacy policy.
Frontend dependencies are declared in package.json. We recommend periodic audits using npm audit:
npm audit

For security or privacy concerns, contact CivicDataLab at info@civicdatalab.in.