CryptoBlocks is a coding platform for kids. Security isn't optional — it's foundational. We run automated and manual security audits on every release.
/ 01 Audit overview
| Audit | Scope | Date | Status |
|---|---|---|---|
| Black Team (Offensive) | Full-stack penetration testing | April 2026 | Complete |
| Red Team (Remediation) | Fix all Black Team findings | April 2026 | Complete |
| Purple Team (Architecture) | Threat modeling, defense-in-depth | April 2026 | Complete |
| DRY / Code Quality | Duplication, abstraction, drift risk | April 2026 | Complete |
/ 02 Black Team findings
tl;dr
12 findings. 4 fixed immediately, 4 accepted by design, 4 tracked for future hardening.
| ID | Severity | Finding | Status |
|---|---|---|---|
| CRIT-001 | Critical | Client-controlled achievement unlocks | Accepted |
| HIGH-001 | High | Sprite likes had no per-user dedup | Fixed |
| HIGH-002 | High | Project like client sent no auth header | Tracked |
| HIGH-003 | High | Download count endpoint — no auth, no rate limit | Accepted |
| HIGH-004 | High | Leaderboard exposed raw Clerk user IDs | Fixed |
| HIGH-005 | High | PostMessage wildcard origin in sandbox | Accepted |
| MED-001 | Medium | Admin emails exposed via VITE_ prefix | Tracked |
| MED-002 | Medium | Content moderation bypass via leet-speak | Tracked |
| MED-003 | Medium | Leaderboard loaded all rows into memory | Fixed |
| MED-004 | Medium | LIKE wildcards not escaped in search | Tracked |
| MED-005 | Medium | Workspace JSON no size validation at write | Tracked |
| MED-006 | Medium | Sandbox CSP allows external CDN sources | Accepted |
/ 03 Red Team remediations
| Severity | Finding | Fix applied |
|---|---|---|
| High | Sprite likes — unlimited inflation | Added sprite_likes junction table with (sprite_id, user_id) PK |
| High | Cross-classroom IDOR on discussion replies | Validated discussion belongs to claimed classroom before insert/read |
| Medium | Share Link hardcoded 'Anonymous' author | Passes actual Clerk user name via prop chain |
| Medium | Seed SQL used string interpolation | Refactored to parameterized queries |
| Medium | Missing security headers | Added X-Frame-Options, X-Content-Type-Options, Referrer-Policy |
| Medium | Leaderboard unbounded GROUP BY | Added LIMIT 100 |
| Medium | Classroom export missing CORS headers | Applied corsHeaders() to raw Response endpoints |
/ 04 Security architecture
Sandbox isolation
- No `allow-same-origin` — execution iframe cannot access parent DOM, cookies, or localStorage
- Blob URL sandbox with `allow-scripts` + `allow-modals` only
- CSP enforced — `connect-src 'none'` blocks all outbound network from user code
- Capability bridge — hardware accessed via parent postMessage, not iframe APIs
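The capability bridge in the list above, sketched from the parent page's side as an added example (not CryptoBlocks' own code); `createBridge`, the `{ id, cap, args }` message shape and the `led.set` capability are assumptions. Because the iframe runs without `allow-same-origin`, its origin is opaque, so the handler identifies the sender by `event.source` and allow-lists capabilities by name.

```javascript
// Added example: parent-side capability bridge for a sandboxed iframe.
// createBridge, the message shape and DEMO_CAPS are hypothetical names.
function createBridge(sandboxWindow, capabilities) {
  // Null-prototype table: "constructor" or "__proto__" never resolve to a handler.
  const table = Object.assign(Object.create(null), capabilities);

  return function onMessage(event) {
    // Without allow-same-origin the iframe's origin is opaque, so event.origin
    // is the string "null"; the sender is identified by its window object.
    if (event.source !== sandboxWindow || event.origin !== "null") return "ignored";

    const msg = event.data;
    if (msg === null || typeof msg !== "object" ||
        typeof msg.id !== "number" || typeof msg.cap !== "string") {
      return "malformed";
    }
    // An opaque origin cannot be named as targetOrigin, hence "*"; the reply
    // is still delivered only to this one window.
    const reply = (body) => sandboxWindow.postMessage({ id: msg.id, ...body }, "*");

    const handler = table[msg.cap];
    if (typeof handler !== "function") {
      reply({ ok: false, error: "unknown capability" });
      return "denied";
    }
    try {
      reply({ ok: true, result: handler(msg.args) });
      return "handled";
    } catch (err) {
      reply({ ok: false, error: String(err.message) });
      return "failed";
    }
  };
}

// Constructed sample capability: each handler validates its own arguments.
const DEMO_CAPS = {
  "led.set": (args) => {
    if (!Number.isInteger(args?.pin) || args.pin < 0 || args.pin > 7) {
      throw new RangeError("pin must be an integer 0-7");
    }
    return { pin: args.pin, on: Boolean(args.on) };
  },
};

// Browser wiring (frame is the sandboxed <iframe> element):
// window.addEventListener("message", createBridge(frame.contentWindow, DEMO_CAPS));
```

The returned status strings exist only so the handler's decisions can be logged or tested; the browser ignores a listener's return value.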
Authentication
- Clerk JWT verification via JWKS with kid matching, expiration, and issuer binding
- Server-side auth guards on all mutating endpoints
- Owner checks on update/delete operations (TOCTOU-safe with scoped UPDATEs)
Data protection
- Turso (libSQL) — SQLite on the edge, encrypted at rest
- Zod schema validation on all API inputs with bounded primitives
- Content moderation — banned word scan + URL blocking on uploads
- Report system — users can flag projects for review
Headers & transport
- `X-Frame-Options: SAMEORIGIN`
- `X-Content-Type-Options: nosniff`
- `Referrer-Policy: strict-origin-when-cross-origin`
- HTTPS enforced via Netlify (HSTS)
/ 05 Responsible disclosure
tl;dr
Found a bug? Email security@getcryptoblocks.com. We respond in 48 hours. We fix critical issues in 7 days.
If you discover a security vulnerability in CryptoBlocks, please report it responsibly. Email security@getcryptoblocks.com with:
- Description of the vulnerability
- Steps to reproduce
- Affected endpoint or component
- Your assessment of impact
We will acknowledge receipt within 48 hours and aim to resolve critical issues within 7 days.