Security

Secure by design

Every layer of the API was built with security as a priority. Check the full audit below.


Security Score: 10/10 (all ten checks below pass)

Input Validation

The user parameter is validated with a strict regex: only the characters GitHub permits in usernames (ASCII letters, digits and hyphens), no leading or trailing hyphen, at most 39 characters.

Pass

URL Encoding

encodeURIComponent is applied to every parameter placed in a GitHub API URL, so a value cannot inject extra path segments or query parameters into the upstream request.

Pass

Validated Parameters

Sort and order values are checked against allowlists. Any value outside the list is rejected with HTTP 400.

Pass

Search Limit

The search field is limited to 100 characters to prevent abuse. Pagination is capped at 100 items per page, which is also GitHub's own maximum for per_page.

Pass

Rate Limit Handling

GitHub rate-limit responses (HTTP 403) are intercepted and returned to the consumer as HTTP 429 with a clear message.

Pass

Anti-Loop

The internal fetch is limited to 10 pages (1,000 repositories at 100 per page), so broken or endless pagination from GitHub cannot keep the API looping.

Pass

Secure CORS

CORS headers allow GET requests from any origin; the OPTIONS method is implemented for preflight. Responses carry no credentials, so the wildcard origin exposes only public data.

Pass

Protected Token

GITHUB_TOKEN stored exclusively in environment variables. Never exposed in code or API responses.

Pass

Response Validation

Verifies that the GitHub response body is a JSON array before processing it, so unexpected payloads (error objects, HTML error pages) fail cleanly instead of crashing the handler.

Pass

No Sensitive Data

The API returns only public data. No private information, tokens or credentials are exposed in responses.

Pass

Audit details

Input Validation

The user parameter is validated against a regular expression that enforces the shape of a GitHub username (alphanumerics and hyphens, no leading or trailing hyphen, 1 to 39 characters):

// Validation regex
/^[a-zA-Z0-9]([a-zA-Z0-9-]{0,37}[a-zA-Z0-9])?$/

// Accepts: "torvalds", "dev-erickydias", "user123"
// Rejects: "-invalid", "user@name", "a".repeat(40)
// Rejects: "../etc/passwd", "<script>", "' OR 1=1--" (quotes, slashes, angle brackets and spaces can never pass)

One caveat: the regex still accepts consecutive hyphens ("a--b"), which GitHub does not allow in usernames. That is harmless from an injection standpoint, because the character set stays restricted; such a lookup simply comes back from GitHub as a 404.

Parameter Validation

The sort and order parameters are checked against allowlists. Any value outside the list is rejected with HTTP 400:

// Accepted values for sort:
["updated", "created", "pushed", "name", "stars", "forks", "size"]

// Accepted values for order:
["asc", "desc"]

// Any other value → 400 Bad Request
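The three validations above (username regex, sort/order allowlists, search and per_page limits) combined into one function, as an added example written for this page rather than taken from the project. The function name `validateParams`, the `{ ok, status, error }` result shape, the defaults for sort, order and per_page, and the `upstreamPath` field are assumptions.

```javascript
// Added example: allowlist validation of the proxy's query parameters.
// Names, defaults and the error shape are assumptions, not the project's code.

const USERNAME_RE = /^[a-zA-Z0-9]([a-zA-Z0-9-]{0,37}[a-zA-Z0-9])?$/;
const ALLOWED_SORT = ["updated", "created", "pushed", "name", "stars", "forks", "size"];
const ALLOWED_ORDER = ["asc", "desc"];
const MAX_SEARCH_LENGTH = 100;
const MAX_PER_PAGE = 100;

function reject(message) {
  return { ok: false, status: 400, error: message };
}

// `params` holds the raw query-string values (strings or undefined).
// Returns a 400 result, or the normalised parameters plus the upstream path.
function validateParams(params) {
  const user = params.user;
  if (typeof user !== "string" || !USERNAME_RE.test(user)) {
    return reject("Invalid username");
  }

  // Allowlist comparison is exact and case-sensitive: "ASC" is rejected.
  const sort = params.sort ?? "updated";
  if (!ALLOWED_SORT.includes(sort)) return reject("Invalid sort value");
  const order = params.order ?? "desc";
  if (!ALLOWED_ORDER.includes(order)) return reject("Invalid order value");

  const search = params.q ?? "";
  if (typeof search !== "string" || search.length > MAX_SEARCH_LENGTH) {
    return reject(`Search must be at most ${MAX_SEARCH_LENGTH} characters`);
  }

  // per_page: digits only, then a numeric range check (GitHub caps it at 100).
  let perPage = 30;
  if (params.per_page !== undefined) {
    if (!/^\d{1,3}$/.test(params.per_page)) return reject("Invalid per_page");
    perPage = Number(params.per_page);
    if (perPage < 1 || perPage > MAX_PER_PAGE) {
      return reject(`per_page must be between 1 and ${MAX_PER_PAGE}`);
    }
  }

  // The regex already excludes every reserved URL character, so
  // encodeURIComponent is a second layer of defence, not the only one.
  return {
    ok: true,
    user,
    sort,
    order,
    search,
    perPage,
    upstreamPath: `/users/${encodeURIComponent(user)}/repos?per_page=${perPage}`,
  };
}
```

Everything not on an allowlist is rejected before any upstream call is made; the handler only ever builds the GitHub URL from values that have passed this function.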

Rate Limit Protection

The API inspects GitHub's responses. When GitHub reports that the rate limit is exhausted (a 403 response), the API answers its own consumer with status 429 and a clear message. Note that GitHub uses 403 for other refusals as well, and also documents 429 for exhausted limits, so the x-ratelimit-remaining and retry-after headers are the reliable signal that a 403 really is a rate limit:

// Response when rate limit is reached:
{
  "error": "GitHub API rate limit exceeded. Try again later."
}
// Status: 429 Too Many Requests
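The rate-limit mapping, the 10-page cap from the Anti-Loop check and the array check, combined into one paginated fetch loop. This is an added example written for this page, not the project's own code. It goes one step beyond the description above: a 403 is treated as a rate limit only when GitHub's x-ratelimit-remaining header is 0 or a retry-after header is present, a 429 from GitHub is handled the same way, and any other 403 is reported as a 502 upstream error rather than a 429. `GITHUB_API`, `UpstreamError`, `classifyUpstream`, `fetchAllRepos` and the mock are assumptions; `fetchImpl` is assumed to have the global fetch() signature so the loop can run offline against the constructed mock.

```javascript
// Added example: paginated fetch with rate-limit mapping, page cap and body-shape check.
// Not the project's code; function names, GITHUB_API and the mock are assumptions.

const GITHUB_API = "https://api.github.com";
const PER_PAGE = 100;
const MAX_PAGES = 10; // 10 x 100 = 1,000 repositories at most

class UpstreamError extends Error {
  constructor(status, message) {
    super(message);
    this.status = status; // status the proxy returns to its own consumer
  }
}

// GitHub documents an exhausted primary limit as 403 or 429 with
// x-ratelimit-remaining: 0, and secondary limits as 403/429, often with retry-after.
function isRateLimited(status, headers) {
  if (status === 429) return true;
  if (status !== 403) return false;
  return headers.get("x-ratelimit-remaining") === "0" || headers.has("retry-after");
}

// Maps an upstream status to the error the proxy exposes, or null for a usable 2xx.
function classifyUpstream(status, headers) {
  if (status >= 200 && status < 300) return null;
  if (isRateLimited(status, headers)) {
    return new UpstreamError(429, "GitHub API rate limit exceeded. Try again later.");
  }
  if (status === 404) return new UpstreamError(404, "GitHub user not found");
  return new UpstreamError(502, `Unexpected response from GitHub (HTTP ${status})`);
}

async function fetchAllRepos(user, fetchImpl, token) {
  const headers = { Accept: "application/vnd.github+json" };
  if (token) headers.Authorization = `Bearer ${token}`; // token stays server-side
  const repos = [];
  for (let page = 1; page <= MAX_PAGES; page++) {
    const url = `${GITHUB_API}/users/${encodeURIComponent(user)}/repos` +
      `?per_page=${PER_PAGE}&page=${page}`;
    const res = await fetchImpl(url, { headers });
    const err = classifyUpstream(res.status, res.headers);
    if (err) throw err;
    const body = await res.json();
    // GitHub error payloads are objects, not arrays; refuse to iterate them.
    if (!Array.isArray(body)) {
      throw new UpstreamError(502, "Unexpected GitHub response shape");
    }
    repos.push(...body);
    if (body.length < PER_PAGE) break; // short page = last page
  }
  return repos; // hard cap: never more than MAX_PAGES * PER_PAGE items
}

// Constructed stand-in for fetch(): serves `totalRepos` fake repositories,
// or a rate-limited / malformed response, so the example runs offline.
function makeMockFetch({ totalRepos = 0, rateLimited = false, malformed = false } = {}) {
  const respond = (status, body, hdrs = {}) => ({
    status,
    headers: new Map(Object.entries(hdrs)), // Map offers get()/has() like Headers
    json: async () => body,
  });
  return async (url) => {
    if (rateLimited) {
      return respond(403, { message: "API rate limit exceeded" }, { "x-ratelimit-remaining": "0" });
    }
    if (malformed) return respond(200, { message: "not an array" });
    const page = Number(new URL(url).searchParams.get("page"));
    const start = (page - 1) * PER_PAGE;
    const items = [];
    for (let i = start; i < Math.min(start + PER_PAGE, totalRepos); i++) {
      items.push({ id: i, name: `repo-${i}` });
    }
    return respond(200, items);
  };
}
```

In production `fetchImpl` is the platform's fetch and `token` is read from process.env.GITHUB_TOKEN; the mock exists only so the cap (5,000 fake repositories truncate to 1,000), the 429 mapping and the malformed-body path can be exercised without network access.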

CORS and Token Protection

CORS is configured for public, read-only use:

// CORS headers applied to ALL responses
{
  "Access-Control-Allow-Origin": "*",
  "Access-Control-Allow-Methods": "GET, OPTIONS",
  "Access-Control-Allow-Headers": "Content-Type"
}

// Only GET and OPTIONS are allowed
// POST, PUT, DELETE → not accepted

No Access-Control-Allow-Credentials header is sent, so with the wildcard origin the browser never attaches cookies or authorization headers; any origin can read the public data and nothing else. The GITHUB_TOKEN is only ever added to the server-side request to GitHub and never copied into a response.
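How the CORS policy, the method restriction and the "no sensitive data" rule fit into a request handler, as an added example written for this page rather than taken from the project. `handleRequest`, `toPublicRepo`, `PUBLIC_REPO_FIELDS`, the 405 response for disallowed methods and the plain-object response shape are assumptions; `request` is a Fetch-style object with a `method`, and `loadRepos` stands in for the server-side upstream fetch that holds the token.

```javascript
// Added example: CORS headers, preflight, method filtering and a public-field
// projection for a read-only proxy. Not the project's code; names are assumptions.

const CORS_HEADERS = {
  "Access-Control-Allow-Origin": "*",
  "Access-Control-Allow-Methods": "GET, OPTIONS",
  "Access-Control-Allow-Headers": "Content-Type",
  // Deliberately no Access-Control-Allow-Credentials: with "*" the browser never
  // attaches cookies or auth headers, so any origin may read only public data.
};

function jsonResponse(status, body, extraHeaders = {}) {
  return {
    status,
    headers: { "Content-Type": "application/json", ...CORS_HEADERS, ...extraHeaders },
    body: JSON.stringify(body),
  };
}

// Allowlist of fields copied from a GitHub repository object. Anything not listed
// (permissions, upstream headers, internal ids) never reaches the consumer.
const PUBLIC_REPO_FIELDS = [
  "name", "full_name", "html_url", "description", "language",
  "stargazers_count", "forks_count", "updated_at",
];

function toPublicRepo(repo) {
  const out = {};
  for (const field of PUBLIC_REPO_FIELDS) {
    if (field in repo) out[field] = repo[field];
  }
  return out;
}

// `loadRepos(request)` is assumed to return the validated upstream result,
// already fetched server-side with GITHUB_TOKEN, or throw an error carrying
// the status the proxy wants to expose (e.g. 429 for a GitHub rate limit).
async function handleRequest(request, loadRepos) {
  if (request.method === "OPTIONS") {
    // Preflight: no body, just the CORS policy (cached by the browser for a day).
    return { status: 204, headers: { ...CORS_HEADERS, "Access-Control-Max-Age": "86400" }, body: "" };
  }
  if (request.method !== "GET") {
    return jsonResponse(405, { error: "Method not allowed" }, { Allow: "GET, OPTIONS" });
  }
  try {
    const repos = await loadRepos(request);
    return jsonResponse(200, repos.map(toPublicRepo));
  } catch (err) {
    // Only the status and message chosen by the proxy are exposed; an unexpected
    // exception becomes a generic 500 so internal details never leak.
    const status = typeof err.status === "number" ? err.status : 500;
    return jsonResponse(status, { error: status === 500 ? "Internal error" : err.message });
  }
}
```

The projection step is what makes the wildcard origin safe in practice: even if GitHub ever returned more than expected, only the allowlisted public fields are serialised, and every response, success or error, carries the same CORS headers so browsers can read the error message too.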

Found a security issue?

If you found a vulnerability, please report it responsibly.

Report via LinkedIn